
Windows Analysis Report
itLDZwgFNE.exe

Overview

General Information

Sample name: itLDZwgFNE.exe
Analysis ID: 1576729
MD5: 8bb556dc8633bc4fe7bebc38bafcbf6a
SHA1: 6f4893d171d01a13a3e8a96db7150fd1b7c963ce
SHA256: b385555834f9fbb1a2dab687cc7bcdfd760cbba033f69c04617b4506bb23b88c

Detection

Flesh Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Flesh Stealer
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

(classification graph not preserved in this extract)

Process Tree

  • System is w10x64native
  • itLDZwgFNE.exe (PID: 7676 cmdline: "C:\Users\user\Desktop\itLDZwgFNE.exe" MD5: 8BB556DC8633BC4FE7BEBC38BAFCBF6A)
    • cmd.exe (PID: 1520 cmdline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • chcp.com (PID: 1244 cmdline: chcp 65001 MD5: CA9A549C17932F9CAA154B5528EBD8D4)
      • netsh.exe (PID: 3320 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 5128 cmdline: findstr All MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  • cleanup
No configs have been found
Yara Overview

Source | Rule | Description | Author | Strings
Process Memory Space: itLDZwgFNE.exe PID: 7676 | JoeSecurity_FleshStealer | Yara detected Flesh Stealer | Joe Security | (none listed)

    Sigma Overview

    Stealing of Sensitive Information

    Source: Process started | Author: Joe Security | Data:
      Command: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
      CommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
      CommandLine|base64offset|contains: (empty)
      Image: C:\Windows\System32\cmd.exe
      NewProcessName: C:\Windows\System32\cmd.exe
      OriginalFileName: C:\Windows\System32\cmd.exe
      ParentCommandLine: "C:\Users\user\Desktop\itLDZwgFNE.exe"
      ParentImage: C:\Users\user\Desktop\itLDZwgFNE.exe
      ParentProcessId: 7676
      ParentProcessName: itLDZwgFNE.exe
      ProcessCommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
      ProcessId: 1520
      ProcessName: cmd.exe
    No Suricata rule has matched
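    The Sigma match above fires on the cmd.exe command line alone. The Python below is an added example (not Joe Sandbox code and not part of the report) that runs equivalent detection logic over constructed process-creation events in the same field layout (ProcessId, Image, CommandLine, ParentImage). The events for PIDs 1520 and 3320 are copied from the process tree; PIDs 9001 and 9002, the user-writable-path heuristic and the severity ladder are hypothetical additions for contrast.

```python
import re
from typing import Optional

# Constructed events. PIDs 1520 and 3320 reproduce the report's process tree;
# 9001 (key=clear) and 9002 (benign interface listing) are invented for contrast.
EVENTS = [
    {"ProcessId": 1520, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": '"cmd" /C chcp 65001 && netsh wlan show profiles | findstr All',
     "ParentImage": r"C:\Users\user\Desktop\itLDZwgFNE.exe"},
    {"ProcessId": 3320, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show profiles",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 9001, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh wlan show profile name="HomeWifi" key=clear',
     "ParentImage": r"C:\Users\user\Desktop\itLDZwgFNE.exe"},
    {"ProcessId": 9002, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show interfaces",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# netsh ... wlan ... show ... profile(s): the enumeration step seen in the report
WLAN_PROFILE = re.compile(r"\bnetsh(\.exe)?\b.*\bwlan\b.*\bshow\b.*\bprofiles?\b")
# key=clear asks netsh to print the stored passphrase (not seen in the report's tree)
KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b")
# chcp 65001 switches the console to UTF-8 so non-ASCII SSIDs survive the pipe
UTF8_CONSOLE = re.compile(r"\bchcp\s+65001\b")
# Hypothetical heuristic: parents launched from user-writable locations are suspect
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(desktop|downloads|documents|appdata)|programdata|windows\\temp)\\")

LEVELS = ["medium", "high", "critical"]


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict for a Wi-Fi profile harvesting command line, or None."""
    cl = " ".join(event.get("CommandLine", "").lower().split())  # normalise case/whitespace
    if not WLAN_PROFILE.search(cl):
        return None
    reasons = ["netsh wlan profile enumeration"]
    level = 0
    if KEY_CLEAR.search(cl):
        reasons.append("key=clear requests the stored passphrase in cleartext")
        level += 1
    if USER_WRITABLE.search(event.get("ParentImage", "").lower()):
        reasons.append("parent executable runs from a user-writable path")
        level += 1
    if UTF8_CONSOLE.search(cl):
        reasons.append("console code page forced to UTF-8 first, typical of scripted collection")
    return {"ProcessId": event.get("ProcessId"),
            "severity": LEVELS[min(level, len(LEVELS) - 1)],
            "reasons": reasons}


def scan(events: list) -> list:
    """Evaluate every event and keep only the alerts."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert["ProcessId"], alert["severity"], "; ".join(alert["reasons"]))
```

    Two points the output makes visible. First, the netsh.exe event on its own (PID 3320) only rates "medium" because its direct parent is cmd.exe; the Desktop-resident parent is only visible on the cmd.exe event (PID 1520), so the detection should be keyed on the whole ancestry chain, not the leaf process. Second, the report's tree shows only `netsh wlan show profiles`, which lists profile names; obtaining the passphrase needs a further `netsh wlan show profile name=... key=clear` per profile, which the visible tree does not contain, so the "harvest and steal WLAN passwords" verdict rests on the enumeration step plus the rest of the stealer's behaviour.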

    AV Detection

    Source: itLDZwgFNE.exe | Avira: detected
    Source: itLDZwgFNE.exe | ReversingLabs: Detection: 60%
    Source: itLDZwgFNE.exe | Joe Sandbox ML: detected
    Source: itLDZwgFNE.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: itLDZwgFNE.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: Could not find a part of the path 'C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062'.0 | source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB21F2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\User Data | source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB21F2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062 | source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB21F2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: ur\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062 | source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB21F2000.00000004.00000800.00020000.00000000.sdmp

    Networking

    Source: global traffic | TCP traffic: 89.23.100.233 ports 0,2,3,32048,4,8
    Source: global traffic | TCP traffic: 192.168.11.20:49757 -> 89.23.100.233:32048
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
    Source: Joe Sandbox View | IP Address: 89.23.100.233
    Source: Joe Sandbox View | IP Address: 104.16.184.241
    Source: Joe Sandbox View | ASN Name: MAXITEL-ASRU
    Source: unknown | DNS query: name: icanhazip.com
    Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.100.233 (reported 50 times)
    Source: global traffic | DNS traffic detected: DNS query: icanhazip.com
    Source: global traffic | DNS traffic detected: DNS query: 140.244.14.0.in-addr.arpa
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
    Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C2C000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C6E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C86000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com
    Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C2C000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/
    Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/X
    Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/p
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.goog/gtsr100
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
    Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1971000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B61000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1DBD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A9E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC199E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AC6000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C1E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BE7000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CBC000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C58000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B1F000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BA3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D43000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B40000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AFE000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D8E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1ADD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B82000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CFB000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CE8000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
    Source: itLDZwgFNE.exe, 00000000.00000002.101582717376.0000017DCA6BE000.00000004.00000020.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101585163818.0000017DCA838000.00000004.00000020.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D85000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1DAE000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1DB8000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D64000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1A2A000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101585163818.0000017DCA7F0000.00000004.00000020.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D6E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101582717376.0000017DCA69C000.00000004.00000020.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D94000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
    Source: itLDZwgFNE.exe, 00000000.00000002.101582717376.0000017DCA6BE000.00000004.00000020.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101585163818.0000017DCA838000.00000004.00000020.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1DB8000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1A2A000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D6E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101582717376.0000017DCA69C000.00000004.00000020.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D94000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
    Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1DB8000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1A2A000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D6E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101582717376.0000017DCA69C000.00000004.00000020.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D94000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
    Source: itLDZwgFNE.exe, 00000000.00000002.101585163818.0000017DCA838000.00000004.00000020.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1DB8000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1A2A000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D6E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101582717376.0000017DCA69C000.00000004.00000020.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D94000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pki.goog/repository/0
    Source: tmp2CFD.tmp.dat.0.dr | String found in binary or memory: https://support.mozilla.org
    Source: tmp2CFD.tmp.dat.0.dr | String found in binary or memory: https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire
    Source: tmp2CFD.tmp.dat.0.dr | String found in binary or memory: https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.
    Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C2C000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C86000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/FleshStealer
    Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/FleshStealert
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B61000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1DBD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A9E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC199E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AC6000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C1E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BE7000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CBC000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C58000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B1F000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BA3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D43000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B40000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AFE000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D8E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1ADD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B82000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CFB000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CE8000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B61000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1DBD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A9E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC199E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AC6000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C1E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BE7000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CBC000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C58000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B1F000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BA3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D43000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B40000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AFE000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D8E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1ADD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B82000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CFB000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CE8000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B61000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A9E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BE7000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CBC000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C58000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B1F000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BA3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D43000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B40000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AFE000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1ADD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B82000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CFB000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B61000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A9E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BE7000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CBC000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C58000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B1F000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BA3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D43000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B40000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AFE000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1ADD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B82000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CFB000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
    Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1DBD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC199E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AC6000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C1E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D8E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
    Source: tmp2CFD.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org
    Source: tmp2CFD.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/en-GB/about/gro.allizom.www.
    Source: tmp2CFD.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/en-GB/contribute/gro.allizom.www.
    Source: tmp2CFD.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/en-GB/firefox/central/gro.allizom.www.
    Source: tmp2CFD.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/en-GB/privacy/firefox/gro.allizom.www.
    Source: tmp2CFD.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
    Source: tmp2CFD.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpgk
    Source: tmp2CFD.tmp.dat.0.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
    Source: itLDZwgFNE.exe, 00000000.00000000.100310932452.0000017DAFB56000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSystem.exe" vs itLDZwgFNE.exe
    Source: itLDZwgFNE.exeBinary or memory string: OriginalFilenameSystem.exe" vs itLDZwgFNE.exe
    Source: itLDZwgFNE.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: itLDZwgFNE.exe, grIcMJRLeSLw.csBase64 encoded string: 'L2Mgc3RhcnQgL2IgcG93ZXJzaGVsbCDigJNFeGVjdXRpb25Qb2xpY3kgQnlwYXNzIFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICci', 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xTaGVsbFxPcGVuXGNvbW1hbmQ=', 'QUNnYktLOG8veWpmS084b1Z5ajJLRElvUVNpQUtFQW9KQ2dzS0E4b0pTZ2tLQUFvUUNocEtKSW96aWk5S1A4byt5Z3ZLQjRvQVNnZ0FBPT0=', 'QUNnQUtBQW9BQ2lKS0Iwb0V5aTdLT1FvZUNnaktFQW9BQ2dBS0FBb0FDZ0FLQ0FvR2lqMEtING9YeWdKS0NNb1FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW80Q2p6S01Zb0ZDZ0pLQThvL3loRUtMRW81Q2lFS01Bb3BDajBLRWNvOENoZktLa29BU2dnS0hRb2Z5aEVLQUFvQUNnZ0FBPT0=', 'QUNnQUtLQW9BU2lBS0E0b0FDZ0FLQmdvL0NoL0tEc29HU2pOS01Bb1BDZzVLRjhvL3lqRUtNTW9BQ2dBS0Jnb1JDZ0lLRVFvQUNnZ0FBPT0=', 'QUNnQUtBY29nQ2pzS1BZbzdDaHJLSXNvZkNpM0tGY29nQ2lYS0Frb0p5aEFLTW9vdUNqbktORW85Q2p0S1BRbzlDaEVLRGdvQUNnZ0FBPT0=', 'QUNpNEtBQW9DQ2dKS0Jzb055aitLUDhveHlqdktPY295eWlKS0gwb0RTaVpLUDBvemlqL0tQOG9KeWdmS0Fzb0FTaEdLQUFvUkNnZ0FBPT0=', 'QUNpNEtJQW9RQ2dBS0lBb1lDZ1lLSWtvZnlqL0tQOG8veWhXS0FFb3NDai9LUDhvL3lqL0tFZ29FU2dpS01Bb0FDam5LRUFvUnlnZ0FBPT0=', 'QUNnWUtFNG9EeWdXS0JNb0VpZ1NLRG9vL3loSUtMY29neWdCS0FBb0RpZzhLSDRveVNqL0tBY29BQ2dBS0Fnb2dTZ0pLS3NvQUNnZ0FBPT0=', 'QUNnQUtLRW9BQ2dRS0VBb0FDZ0FLQUFvT1NqL0tPNG9JaWhIS0FBb3VDZ1FLUFVvdnlnTEtBQW9BQ2dBS0FBb0JpZ0FLRXdvQUNnZ0FBPT0=', 'QUNnQUtBQW9veWdBS0Fnb2hDZ0FLQUFvQUNnSUtCa29SeWhHS0JBb3VDaTRLQXNvQVNnQUtBQW9BQ2dBS0Fvb0FDaGNLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dSS01Rb0FDZ1JLSVFvUUNnQUtBQW8veWptS09RbzlDaitLQUFvQUNnQUtFQW9FQ2dCS09Bb0NpZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0Fnb0VpaWtLSDhvQ0NnUUtBQW9OQ2l0S1A4bzdTZ3VLQUFvRWlncEtQNG9aQ2dhS0FFb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQWdvRUNnQUtDUW9BQ2lJS1BZb1dDZ0FLQ1FvRkNnQ0tBRW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FBPT0=', 'QUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0Jrb0FDZ0FLQUFvQUNnQUtBQW9BQ2dBS0FBb0FDZ0FLQUFvQUNnZ0FDQUE=', 'Q1FBSkFEM1lzOXdnQUVNQWNnQmxBR1FBYVFCMEFFTUFZUUJ5QUdRQWN3QTZBQ0FB', 'Q1FBSkFEM1lGdDBnQUVJQWJ3QnZBR3NBYlFCaEFISUFhd0J6QURvQUlBQT0=', 
'Q1FBSkFEM1k1dHdnQUVRQWJ3QjNBRzRBYkFCdkFHRUFaQUJ6QURvQUlBQT0=', 'Q1FBSkFEellxTjhnQUZJQVpRQnpBSFFBYndCeUFHVUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSkFEN1l5dDBnQUZjQVlRQnNBR3dBWlFCMEFITUFPZ0FnQUE9PQ==', 'Q1FCRUp3LytJQUJYQUdFQWJBQnNBR1VBZEFCekFDQUFRUUJ3QUhBQU9nQWdBQT09', 'Q1FBKzJLTGRJQUJRQUdrQVpBQm5BR2tBYmdBZ0FFRUFjQUJ3QURvQUlBQT0=', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFWQUJ2QUdzQVpRQnVBSE1BT2dBZ0FBPT0=', 'Q1FBSUp3LytJQUJVQUdVQWJBQmxBR2NBY2dCaEFHMEFJQUJ6QUdVQWN3QnpBR2tBYndCdUFITUE=', 'Q1FBQkpnLytJQUJUQUdzQWVRQndBR1VBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBOTJIN2NJQUJFQUdrQWN3QmpBRzhBY2dCa0FDQUFkQUJ2QUdzQVpRQnVBQT09', 'Q1FBOTJLM2NJQUJUQUdrQVp3QnVBR0VBYkFBZ0FITUFaUUJ6QUhNQWFRQnZBRzRB', 'Q1FBODJLN2ZJQUJUQUhRQVpRQmhBRzBBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FBODJLN2ZJQUJWQUhBQWJBQmhBSGtBSUFCekFHVUFjd0J6QUdrQWJ3QnVBQT09', 'Q1FDWkpnLytJQUJRQUhJQWJ3QmpBR1VBY3dCekFHVUFjd0E2QUNBQQ==', 'W1x3LV17MjQsMjZ9XC5bXHctXXs2fVwuW1x3LV17MjUsMTEwfXxtZmFcLlthLXpBLVowLTlfXC1dezg0fQ==', 'U29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVwxNS4wXE91dGxvb2tcUHJvZmlsZXNcT3V0bG9va1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng==', 'U29mdHdhcmVcTWljcm9
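The readable entries in the base64 list above are configuration rather than payload. The first decodes to the command fragment `/c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"`, where the dash before ExecutionPolicy is U+2013 (EN DASH): PowerShell's tokenizer accepts en dash, em dash and horizontal bar as the parameter dash, so the command runs, while a rule that looks for the ASCII string `-ExecutionPolicy Bypass` does not match it. The second is the registry path `Software\Classes\ms-settings\Shell\Open\command`, the key used by the fodhelper-style UAC bypass (the report shows the string only, not a write to that key). The `Q1FB...` entries are base64 applied twice over UTF-16LE text and give the stealer's log section headers, for example `\t\t💳 CreditCards: `; the `W1x3...` entry is a Discord token regex; the last complete entry is the Outlook profile key that the registry activity further down shows being opened. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it peels the layers generically, recognises the UTF-16LE innermost layer by its zero high bytes, and folds the Unicode dashes before a command line is matched. The strings are copied from the finding above; everything else is the example's own.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Strings copied from the "Base64 encoded string" finding above (grIcMJRLeSLw.cs).
SAMPLE_STRINGS: List[str] = [
    "L2Mgc3RhcnQgL2IgcG93ZXJzaGVsbCDigJNFeGVjdXRpb25Qb2xpY3kgQnlwYXNzIFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICci",
    "U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xTaGVsbFxPcGVuXGNvbW1hbmQ=",
    "Q1FBSkFEM1lzOXdnQUVNQWNnQmxBR1FBYVFCMEFFTUFZUUJ5QUdRQWN3QTZBQ0FB",
    "W1x3LV17MjQsMjZ9XC5bXHctXXs2fVwuW1x3LV17MjUsMTEwfXxtZmFcLlthLXpBLVowLTlfXC1dezg0fQ==",
    "U29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVwxNS4wXE91dGxvb2tcUHJvZmlsZXNcT3V0bG9va1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3Ng==",
]

# PowerShell's tokenizer treats en dash, em dash and horizontal bar exactly like '-'
# in front of a parameter name, so "–ExecutionPolicy" runs while a rule written for
# the ASCII form never fires.
POWERSHELL_DASHES = "\u2013\u2014\u2015"
UNICODE_DASH_PARAM = re.compile("[" + POWERSHELL_DASHES + r"](\w+)")


def b64(s: str) -> Optional[bytes]:
    """Strict base64 decode: None unless every character is in the alphabet and padding is right."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_utf16le(raw: bytes) -> bool:
    """True when the high byte of most 16-bit units is zero, the shape of .NET string bytes."""
    if len(raw) < 2 or len(raw) % 2:
        return False
    zero_high = sum(1 for b in raw[1::2] if b == 0)
    return zero_high >= len(raw) // 4


def decode_layered(s: str) -> Tuple[int, str]:
    """Peel base64 layers while the decoded text is itself well-formed base64, then
    decode the innermost bytes as UTF-16LE or UTF-8. Returns (layers, text)."""
    layers, current = 0, s
    while True:
        raw = b64(current)
        if raw is None:
            return layers, current          # not base64 at all: hand back the input unchanged
        layers += 1
        try:
            inner = raw.decode("ascii")
        except UnicodeDecodeError:
            inner = None
        if inner is not None and len(inner) % 4 == 0 and b64(inner) is not None:
            current = inner                 # another layer underneath; keep peeling
            continue
        if looks_utf16le(raw):
            return layers, raw.decode("utf-16-le")
        return layers, raw.decode("utf-8", errors="replace")


def unicode_dash_parameters(cmdline: str) -> List[str]:
    """Parameter names that are introduced by a non-ASCII dash."""
    return UNICODE_DASH_PARAM.findall(cmdline)


def normalize_powershell(cmdline: str) -> str:
    """Fold the Unicode dashes to '-' before running detection rules over a command line."""
    return cmdline.translate({ord(c): "-" for c in POWERSHELL_DASHES})


if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        layers, text = decode_layered(s)
        print(f"{layers} layer(s): {text!r}  unicode-dash params={unicode_dash_parameters(text)}")
```

The layer count is worth keeping in the output: a decoded word that happens to be base64-shaped (four ASCII letters, say) would be peeled one layer too far, and the count is what tells you to look again.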
Source: classification engine :: Classification label: mal100.troj.spyw.evad.winEXE@10/1@2/2
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Mutant created: NULL
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:560:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:560:120:WilError_03
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: File created: C:\Users\user\AppData\Local\Temp\downloadedFile.exe
Source: itLDZwgFNE.exe :: Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: itLDZwgFNE.exe :: Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor (2 identical entries)
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B45000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B66000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D04000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B03000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BA8000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B87000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AE2000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C5E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A82000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CC5000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D8F000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101582717376.0000017DCA695000.00000004.00000020.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1D69000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1DB3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1971000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101585163818.0000017DCA834000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AC3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1DBB000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D8B000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC199B000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CE5000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C1B000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
Source: itLDZwgFNE.exe :: ReversingLabs: Detection: 60%
Source: unknown :: Process created: C:\Users\user\Desktop\itLDZwgFNE.exe "C:\Users\user\Desktop\itLDZwgFNE.exe"
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Process created: C:\Windows\System32\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Process created: C:\Windows\System32\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\findstr.exe findstr All
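The process tree above is the Wi-Fi profile harvest behind the "Capture Wi-Fi password" Sigma hit: the sample switches the console to code page 65001 so that netsh output comes back as UTF-8 it can parse, lists the saved profiles, and filters the lines that name them. The report shows only this listing step; the plaintext key comes from a second call per profile, `netsh wlan show profile name=<ssid> key=clear`, which is the stronger signal and worth alerting on regardless of who runs it. The Python below is an added example, not sandbox output and not a Joe Sandbox or Sigma rule: a process-creation detector that walks the parent chain so the verdict is about the program behind cmd.exe rather than cmd.exe itself. The events, their PIDs, the explorer.exe root, the PowerShell admin session and the key=clear follow-up are constructed to mirror this tree and are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """The fields of a Sysmon Event ID 1 (or Security 4688) record the rule needs."""
    pid: int
    ppid: int
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Constructed process-creation events modelled on the tree in this report. The PIDs,
# the explorer.exe root, the PowerShell admin session (2000/2001) and the key=clear
# follow-up (3000/3001) are assumptions for the example, not sandbox output.
EVENTS: List[ProcEvent] = [
    ProcEvent(800, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1000, 800, r"C:\Users\user\Desktop\itLDZwgFNE.exe", r'"C:\Users\user\Desktop\itLDZwgFNE.exe"'),
    ProcEvent(1001, 1000, r"C:\Windows\System32\cmd.exe",
              '"cmd" /C chcp 65001 && netsh wlan show profiles | findstr All'),
    ProcEvent(1002, 1001, r"C:\Windows\System32\chcp.com", "chcp 65001"),
    ProcEvent(1003, 1001, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(1004, 1001, r"C:\Windows\System32\findstr.exe", "findstr All"),
    ProcEvent(2000, 800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(2001, 2000, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(3000, 1000, r"C:\Windows\System32\cmd.exe",
              '"cmd" /C netsh wlan show profile name="HomeWiFi" key=clear'),
    ProcEvent(3001, 3000, r"C:\Windows\System32\netsh.exe", 'netsh wlan show profile name="HomeWiFi" key=clear'),
]

SHOW_PROFILE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)
KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.I)
# Shells a person types into; netsh reached from one of these (directly or via cmd) is ordinary admin use.
INTERACTIVE = {"explorer.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """[ev, parent, grandparent, ...] following ppid until the chain leaves the log."""
    chain, seen = [ev], {ev.pid}
    while ev.ppid in by_pid and ev.ppid not in seen:
        ev = by_pid[ev.ppid]
        chain.append(ev)
        seen.add(ev.pid)
    return chain


def detect(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) != "netsh.exe" or not SHOW_PROFILE.search(ev.command_line):
            continue
        chain = ancestry(ev, by_pid)
        # Skip cmd.exe hops so the verdict is about the program that asked for the profiles.
        origin: Optional[ProcEvent] = next((p for p in chain[1:] if basename(p.image) != "cmd.exe"), None)
        cmd_hop = next((p for p in chain[1:] if basename(p.image) == "cmd.exe"), None)
        asks_for_key = bool(KEY_CLEAR.search(ev.command_line)) or bool(
            cmd_hop and KEY_CLEAR.search(cmd_hop.command_line))
        if asks_for_key:
            severity = "high"      # plaintext PSK requested: credential theft regardless of who asks
        elif origin is None or basename(origin.image) not in INTERACTIVE:
            severity = "medium"    # profile enumeration driven by a program, as in this report
        else:
            severity = "low"       # a person in a shell listing profiles
        alerts.append({
            "pid": ev.pid,
            "severity": severity,
            "origin": basename(origin.image) if origin else None,
            # The stealer's 'chcp 65001' is a tell that the output is being parsed, not read.
            "codepage_switch": bool(cmd_hop and "chcp 65001" in cmd_hop.command_line.lower()),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

With the constructed events the stealer's listing scores medium with the code-page switch flagged, the same command from an interactive PowerShell scores low, and the key=clear call scores high whatever its parent.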
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Sections loaded (in load order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), edgegdi.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, uxtheme.dll, dwrite.dll, textshaping.dll, windowscodecs.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll
Source: C:\Windows\System32\chcp.com :: Sections loaded (in load order): ulib.dll, fsutilext.dll
Source: C:\Windows\System32\netsh.exe :: Sections loaded (in load order): kernel.appcore.dll, ifmon.dll, iphlpapi.dll, mprapi.dll, rasmontr.dll, rasapi32.dll, fwpuclnt.dll, rasman.dll, mfc42u.dll, edgegdi.dll, authfwcfg.dll, fwpolicyiomgr.dll, firewallapi.dll, dnsapi.dll, fwbase.dll, dhcpcmonitor.dll, dot3cfg.dll, dot3api.dll, onex.dll, eappcfg.dll, ncrypt.dll, eappprxy.dll, ntasn1.dll, fwcfg.dll, hnetmon.dll, netshell.dll, nlaapi.dll, netsetupapi.dll, netiohlp.dll, dhcpcsvc.dll, winnsi.dll, nettrace.dll, sspicli.dll, nshhttp.dll, httpapi.dll, nshipsec.dll, userenv.dll, activeds.dll, polstore.dll, winipsec.dll, adsldpc.dll (loaded twice), nshwfp.dll, cabinet.dll, p2pnetsh.dll, p2p.dll, profapi.dll, cryptbase.dll, rpcnsh.dll, wcnnetsh.dll, wlanapi.dll, whhelper.dll, winhttp.dll, wlancfg.dll, cryptsp.dll, wshelper.dll, wevtapi.dll, mswsock.dll, wwancfg.dll, wwapi.dll, wcmapi.dll, rmclient.dll, mobilenetworking.dll, peerdistsh.dll, uxtheme.dll, slc.dll, sppc.dll, gpapi.dll, ktmw32.dll, mprmsg.dll, windows.storage.dll, wldp.dll, msasn1.dll
Source: C:\Windows\System32\findstr.exe :: Sections loaded: edgegdi.dll
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: itLDZwgFNE.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: itLDZwgFNE.exe :: Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Could not find a part of the path 'C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062'.0 source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB21F2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\User Data source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB21F2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062 source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB21F2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ur\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062 source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB21F2000.00000004.00000800.00020000.00000000.sdmp
Note: these four strings do not describe a real directory tree and are not a PDB path of the sample. %LOCALAPPDATA%\Application Data is a junction, kept for pre-Vista compatibility, that points back at %LOCALAPPDATA% itself, so a directory walk that does not skip reparse points re-enters the same tree once per level, and "Could not find a part of the path" is the .NET DirectoryNotFoundException text for the point where the built path stops resolving. The Temp\Symbols\winload_prod.pdb\<GUID+age> directory is the analysis machine's own symbol cache, and the trailing "User Data" is the Chromium profile directory name.
Source: itLDZwgFNE.exe :: Static PE information: 0x9A13B17D [Thu Nov 30 18:31:25 2051 UTC]
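Taken together, the static PE lines are what a .NET AnyCPU build looks like: a PE32 image flagged 32BIT_MACHINE and LARGE_ADDRESS_AWARE that the CLR nonetheless runs as a 64-bit process (the memory addresses elsewhere in this report are well above 4 GB), a populated COM descriptor directory (entry 14, the CLR header), and a "timestamp" in 2051. That last one is the weakest finding here: Roslyn's deterministic builds, the default for SDK-style projects, write a hash of the output into TimeDateStamp with the high bit set, so a value at or above 0x80000000 (2038 onward) is the expected state of a managed binary and on its own is not evidence of tampering. The parser below is an added example, not code from the report or the sample; it reads those fields from a PE32 or PE32+ header, and the bytes it runs on are a constructed minimal PE32 header that carries the values listed above, not the real file.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
# named in the report's static PE lines.
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # the CLR header; non-zero means a managed image
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def flag_names(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in sorted(table.items()) if value & bit]


def timestamp_info(ts: int) -> Dict:
    when = EPOCH + timedelta(seconds=ts)
    return {
        "raw": ts,
        "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "in_future": when > datetime.now(timezone.utc),
        # Roslyn's deterministic builds store a content hash here with the top bit set,
        # so values >= 0x80000000 (2038 and later) are normal for managed binaries.
        "hash_like": bool(ts & 0x80000000),
    }


def parse_pe(data: bytes) -> Dict:
    """Read machine, characteristics, DllCharacteristics, timestamp and the CLR
    directory from a PE header (PE32 or PE32+). Raises ValueError on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4
    machine, _nsect, ts, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    com_rva = com_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_rva, com_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dllchars, DLL_CHARACTERISTICS),
        "is_dotnet": com_rva != 0 and com_size != 0,
        "timestamp": timestamp_info(ts),
    }


def build_sample() -> bytes:
    """A constructed minimal PE32 header carrying the values the report lists for
    itLDZwgFNE.exe (i386 machine, 0x9A13B17D, the flags above, a CLR directory).
    This is not the real file, only enough header for parse_pe() to read."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, 0x9A13B17D, 0, 0, 0xE0,
                              0x0002 | 0x0020 | 0x0100)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100 | 0x0400 | 0x8000)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return dos + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    print(parse_pe(build_sample()))
```

On the constructed header the parser reports the same flag set the report lists, a managed image, and a timestamp that is both in the future and hash-like, which is the combination to treat as "deterministic .NET build" rather than "forged date".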
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Code function: 0_2_00007FFE605000BD pushad ; iretd 0_2_00007FFE605000C1
Source: itLDZwgFNE.exe, JyXPYwFPsUXzoBXySOFA.cs :: High entropy of concatenated method names: 'cRDxgMehNgx', 'IJJSKkqaHYtNHzq', 'eOgneCBoZJOrIcMWYxdXXCQoP', 'ckOjcQUrtQSKjaxwbFBOEo', 'CUiochHniXH', 'FMTKmwQbLnikunoKlV', 'xLGJWfxZhpodCFsJawu', 'zQGhyrydyyNiJXzMJP', 'BfUAubfEitKQjbvTANNmwRYv'
Source: itLDZwgFNE.exe, yPKKzGBmWpkszYDBPvleBwIK.cs :: High entropy of concatenated method names: 'merTkzNpseRJ', 'pVMtqNbFrWidEsOytBGA', 'NbKTmpWCGt', 'riFQRHGuiCuIIpfGzrzdL', 'ectCaEYEDlcw', 'VmyhlvLRzSSCdGiXLGPai', 'dWPhBWezJfL', 'JUBJNhzrfKb', 'xxqgreNWDRJbSEupmzImqZwOW', 'siaqYTvPjD'
Source: itLDZwgFNE.exe, grIcMJRLeSLw.cs :: High entropy of concatenated method names: 'iBjHlqDSCnkVvZFOL', 'UPwwAOQiwNbJvxMLc', 'RBrvFqdDYGRj', 'xStqhamBVqDup', 'srnJjwvwKhZJGSwqKRMCeqC', 'elqIwKoBPzlM', 'winPBIMRXUTEffmhnMBog', 'xGnAzsYtGhkFNiZmdiq', 'HRXDQeCTcmjXERkhcAJTtd', 'lUaRDIBjTyrXgi'
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Process information set: NOOPENFILEERRORBOX (54 identical entries)
Source: C:\Windows\System32\netsh.exe :: Process information set: NOOPENFILEERRORBOX (2 identical entries)

    Malware Analysis System Evasion

Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_PnPEntity
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController (2 identical entries)
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Memory allocated: 17DAFF80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Memory allocated: 17DC9970000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Window / User API: threadDelayed 1597
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Window / User API: threadDelayed 980
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem (2 identical entries)
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor (2 identical entries)
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Last function: Thread delayed
Source: itLDZwgFNE.exe, 00000000.00000002.101582717376.0000017DCA51E000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1971000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure DriverSystemEnableMicrosoft Hyper-V Virtualization Infrastructure Driver
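The WMI queries in this block are a virtualization check rather than data collection: DIMM speed comes back empty under most hypervisors (which is why only that column is selected), and the BIOS version, computer-system manufacturer and model, display adapter and Plug and Play device names carry the hypervisor's own strings unless the sandbox overwrites them. The two Hyper-V strings at the end are weaker evidence, because the Hyper-V Virtualization Infrastructure Driver is also present on physical Windows hosts that run the Hyper-V role or virtualization-based security. The Python below is an added example, not the sample's code (its match list is not in the report): it evaluates answers to these same queries against the commonly published hypervisor identifiers, and it runs on three constructed result sets, a stock VirtualBox guest, a hardened sandbox whose values have been replaced with vendor-looking ones, and a physical laptop with VBS enabled. The identifier list is the example's own assumption about what such checks look for.

```python
from typing import Dict, List, Optional

WmiRows = Dict[str, List[Dict[str, Optional[object]]]]

# Hypervisor identifiers that published VM-detection code looks for in the answers to
# exactly the WMI queries this sample issued. The sample's own match list is not in the
# report; these are the commonly known VirtualBox, VMware, Hyper-V, QEMU/KVM and Xen strings.
INDICATORS: Dict[str, List[str]] = {
    "Win32_BIOS.Version": ["VBOX", "VRTUAL", "VMW", "XEN", "QEMU", "BOCHS"],
    "Win32_ComputerSystem.Manufacturer": ["VMWARE", "INNOTEK", "QEMU", "XEN", "PARALLELS"],
    "Win32_ComputerSystem.Model": ["VIRTUAL", "VMWARE", "HVM DOMU", "KVM"],
    "Win32_VideoController.Name": ["VMWARE", "VIRTUALBOX", "HYPER-V", "QXL", "VIRTIO"],
    "Win32_PnPEntity.Name": ["VMWARE", "VBOX", "VIRTUALBOX", "HYPER-V", "VMBUS", "QEMU", "VIRTIO"],
    "Win32_PnPEntity.DeviceID": ["VEN_15AD", "VEN_80EE", "VEN_1AF4", "VMBUS"],
    "Win32_Processor.Name": ["QEMU", "VIRTUAL CPU", "KVM"],
}
# Hyper-V components also exist on physical hosts running the Hyper-V role or
# virtualization-based security, so they lower confidence instead of deciding.
WEAK = {"HYPER-V", "VMBUS"}


def vm_indicators(results: WmiRows) -> Dict[str, List[str]]:
    """Classify the answers to the sample's WMI queries into strong and weak VM indicators."""
    strong: List[str] = []
    weak: List[str] = []
    for cls, rows in results.items():
        for row in rows:
            for prop, value in row.items():
                needles = INDICATORS.get(f"{cls}.{prop}")
                if not needles or value is None:
                    continue
                text = str(value).upper()
                hit = next((n for n in needles if n in text), None)
                if hit is not None:
                    (weak if hit in WEAK else strong).append(f"{cls}.{prop}={value!r} ({hit})")
    # DIMM speed is NULL or 0 under most hypervisors, which is why the sample selects only that column.
    dimms = results.get("Win32_PhysicalMemory", [])
    if dimms and all(not row.get("Speed") for row in dimms):
        strong.append("Win32_PhysicalMemory.Speed empty on every module")
    return {"strong": strong, "weak": weak}


# Three constructed result sets for the example (not values captured from this analysis).
STOCK_VIRTUALBOX: WmiRows = {
    "Win32_BIOS": [{"Version": "VBOX   - 1"}],
    "Win32_ComputerSystem": [{"Manufacturer": "innotek GmbH", "Model": "VirtualBox"}],
    "Win32_VideoController": [{"Name": "VirtualBox Graphics Adapter"}],
    "Win32_PnPEntity": [
        {"Name": "VirtualBox Guest Service", "DeviceID": r"PCI\VEN_80EE&DEV_CAFE"},
        {"Name": "Intel(R) PRO/1000 MT Desktop Adapter", "DeviceID": r"PCI\VEN_8086&DEV_100E"},
    ],
    "Win32_PhysicalMemory": [{"Speed": None}],
    "Win32_Processor": [{"Name": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz"}],
}
HARDENED_SANDBOX: WmiRows = {
    "Win32_BIOS": [{"Version": "DELL   - 1072009"}],
    "Win32_ComputerSystem": [{"Manufacturer": "Dell Inc.", "Model": "OptiPlex 7050"}],
    "Win32_VideoController": [{"Name": "Intel(R) UHD Graphics 630"}],
    "Win32_PnPEntity": [{"Name": "Intel(R) Ethernet Connection I219-LM", "DeviceID": r"PCI\VEN_8086&DEV_15B7"}],
    "Win32_PhysicalMemory": [{"Speed": 2400}, {"Speed": 2400}],
    "Win32_Processor": [{"Name": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz"}],
}
PHYSICAL_HOST_WITH_VBS: WmiRows = {
    "Win32_BIOS": [{"Version": "LENOVO - 1"}],
    "Win32_ComputerSystem": [{"Manufacturer": "LENOVO", "Model": "20XW"}],
    "Win32_VideoController": [{"Name": "Intel(R) Iris(R) Xe Graphics"}],
    "Win32_PnPEntity": [{"Name": "Microsoft Hyper-V Virtualization Infrastructure Driver", "DeviceID": r"ROOT\VID\0000"}],
    "Win32_PhysicalMemory": [{"Speed": 3200}],
    "Win32_Processor": [{"Name": "11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz"}],
}

if __name__ == "__main__":
    for name, rows in (("stock VirtualBox", STOCK_VIRTUALBOX), ("hardened sandbox", HARDENED_SANDBOX),
                       ("physical host, VBS on", PHYSICAL_HOST_WITH_VBS)):
        print(name, vm_indicators(rows))
```

The stock guest trips every query the sample issues, the hardened set trips none, and the physical host with VBS produces only the weak Hyper-V hit, which is the reason a sandbox that spoofs SMBIOS, display and PnP strings should also leave DIMM speed populated.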
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Process token adjusted: Debug
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Process created: C:\Windows\System32\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\findstr.exe findstr All
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C86000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program Manager
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C86000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: ACTIVE WINDOW: Program Managert
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C86000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program Managert
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C86000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: ACTIVE WINDOW: Program Manager
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C86000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: ACTIVE WINDOW: Program Manager2L
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C86000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: ACTIVE WINDOW: Program Managerp^L
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 identical entries)
Source: C:\Users\user\Desktop\itLDZwgFNE.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
    Source: C:\Users\user\Desktop\itLDZwgFNE.exeQueries volume information: C:\Users\user\Desktop\itLDZwgFNE.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\itLDZwgFNE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\itLDZwgFNE.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
    Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\itLDZwgFNE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

    Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: itLDZwgFNE.exe PID: 7676, type: MEMORYSTR
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Application Data Electrum
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Application Data Jaxx
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1971000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet2L
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1971000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 1C:\Users\user\AppData\Roaming\Ethereum\keystore2L
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1FC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Application Data ExodusWeb3
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1971000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1971000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 5C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets2L
Source: itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1971000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 1C:\Users\user\AppData\Roaming\Ethereum\keystore2L
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Mozilla\Firefox\Profiles\kzpbmws1.default\logins.json
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\itLDZwgFNE.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

    Remote Access Functionality

Source: Yara match | File source: Process Memory Space: itLDZwgFNE.exe PID: 7676, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; the leading numbers are the counts shown in the matrix cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 331 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 12 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 12 Process Injection; 11 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 421 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Network Configuration Discovery; 154 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label | Link
itLDZwgFNE.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla |
itLDZwgFNE.exe | 100% | Avira | TR/Spy.Agent.iagwx |
itLDZwgFNE.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
icanhazip.com | 104.16.184.241 | true | false | | high
140.244.14.0.in-addr.arpa | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://icanhazip.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B61000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1DBD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A9E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC199E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AC6000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C1E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BE7000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CBC000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C58000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B1F000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BA3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D43000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B40000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AFE000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D8E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1ADD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B82000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CFB000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CE8000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B61000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1DBD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A9E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC199E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AC6000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C1E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BE7000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CBC000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C58000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B1F000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BA3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D43000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B40000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AFE000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D8E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1ADD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B82000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CFB000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CE8000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1DBD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC199E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AC6000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C1E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D8E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CE8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/FleshStealer | itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C2C000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C86000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.pki.goog/gtsr1/gtsr1.crl0W | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pki.goog/repository/0 | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B61000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A9E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BE7000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CBC000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C58000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B1F000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BA3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D43000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B40000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AFE000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1ADD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B82000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CFB000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://icanhazip.com/p | itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pki.goog/repo/certs/gtsr1.der04 | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B61000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A9E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BE7000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CBC000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C58000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B1F000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BA3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D43000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B40000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AFE000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1ADD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B82000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CFB000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B61000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1DBD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A9E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC199E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AC6000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C1E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BE7000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CBC000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1C58000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B1F000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1BA3000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D43000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B40000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1AFE000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1D8E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1ADD000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1B82000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CFB000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1CE8000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/FleshStealert | itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C2C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus. | tmp2CFD.tmp.dat.0.dr | false | | high
http://icanhazip.com/X | itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://icanhazip.com | itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C2C000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C6E000.00000004.00000800.00020000.00000000.sdmp, itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1C86000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org | tmp2CFD.tmp.dat.0.dr | false | | high
https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire | tmp2CFD.tmp.dat.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | itLDZwgFNE.exe, 00000000.00000002.101570783913.0000017DB1971000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gemini.google.com/app?q= | itLDZwgFNE.exe, 00000000.00000002.101575265421.0000017DC1A7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
89.23.100.233 | unknown | Russian Federation | | 48687 | MAXITEL-ASRU | true
104.16.184.241 | icanhazip.com | United States | | 13335 | CLOUDFLARENETUS | false
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1576729
                                                                  Start date and time:2024-12-17 13:33:01 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 6m 20s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name:Suspected VM Detection
Number of new started processes analysed:7
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:itLDZwgFNE.exe
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@10/1@2/2
                                                                  EGA Information:Failed
                                                                  HCA Information:Failed
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Exclude process from analysis (whitelisted): dllhost.exe
                                                                  • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                                  • Execution Graph export aborted for target itLDZwgFNE.exe, PID 7676 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtOpenFile calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                  • VT rate limit hit for: itLDZwgFNE.exe
                                                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
89.23.100.233 | 3gJQoqWpxb.bat | malicious | Unknown | 89.23.100.233:1490/upload
89.23.100.233 | 7fE6IkvYWf.exe | malicious | Unknown | 89.23.100.233:1490/upload
89.23.100.233 | T05Dk6G8fg.exe | malicious | Unknown | 89.23.100.233:1488/upload
89.23.100.233 | 3K5MXGVOJE.exe | malicious | Unknown | 89.23.100.233:1489/upload
89.23.100.233 | VaXmr82RIb.exe | malicious | Unknown | 89.23.100.233:1488/upload
104.16.184.241 | 3gJQoqWpxb.bat | malicious | Unknown | icanhazip.com/
104.16.184.241 | 7fE6IkvYWf.exe | malicious | Unknown | icanhazip.com/
104.16.184.241 | T05Dk6G8fg.exe | malicious | Unknown | icanhazip.com/
104.16.184.241 | VaXmr82RIb.exe | malicious | Unknown | icanhazip.com/
104.16.184.241 | Pdf Reader.exe | malicious | Stealerium | icanhazip.com/
104.16.184.241 | gKWbina3a4.bat | malicious | Stealerium | icanhazip.com/
104.16.184.241 | uyz4YPUyc9.exe | malicious | Stealerium | icanhazip.com/
104.16.184.241 | yv7QsAR49V.exe | malicious | Stealerium | icanhazip.com/
104.16.184.241 | 5E3zWXveDN.exe | malicious | Stealerium | icanhazip.com/
104.16.184.241 | LKxcbzlwkz.exe | malicious | AveMaria, KeyLogger, Stealerium | icanhazip.com/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
icanhazip.com | 3gJQoqWpxb.bat | malicious | Unknown | 104.16.184.241
icanhazip.com | CVmkXJ7e0a.exe | malicious | SheetRat | 104.16.185.241
icanhazip.com | file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT | 104.16.185.241
icanhazip.com | file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | 104.16.185.241
icanhazip.com | 7fE6IkvYWf.exe | malicious | Unknown | 104.16.184.241
icanhazip.com | iGxCM2I5u9.exe | malicious | Flesh Stealer | 104.16.185.241
icanhazip.com | T05Dk6G8fg.exe | malicious | Unknown | 104.16.184.241
icanhazip.com | 3K5MXGVOJE.exe | malicious | Unknown | 104.16.185.241
icanhazip.com | VaXmr82RIb.exe | malicious | Unknown | 104.16.184.241
icanhazip.com | Pdf Reader.exe | malicious | Stealerium | 104.16.184.241
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | 87h216Snb7.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
CLOUDFLARENETUS | https://sos-at-vie-1.exo.io/ilbuck/sato/process/continue-after-check-vr2.html | malicious | CAPTCHA Scam ClickFix | 104.17.25.14
CLOUDFLARENETUS | https://www.cadbury.com@nmlr.xyz/christmas-hamper | malicious | Unknown | 104.26.9.83
CLOUDFLARENETUS | Doc_23-03-27.js | malicious | Unknown | 104.21.32.1
CLOUDFLARENETUS | Doc_23-03-27.js | malicious | Unknown | 104.21.80.1
CLOUDFLARENETUS | c2.exe | malicious | Xmrig | 104.20.4.235
CLOUDFLARENETUS | 23d5f89e-2c54-ee19-3778-06a4bec842b9.eml | malicious | Unknown | 104.18.65.57
CLOUDFLARENETUS | https://protect.checkpoint.com/v2/r01/___https://link.edgepilot.com/xdg*~*fiaa57dVgx2DluRTp19jF8WMmYfWl?z=myyux:ddjrfnq.ynintwjuqD.htrdhdjOBhER6ylHFZFTGu9JoBlVNMIw79G-bMOgKn5Sf55EkuFm_s/LOKQ2pPEoswuEsuU2A7WKVctU0F0LxRir4fJPhZrPOzTgvHZltxJFSX/jFwCJW7F4BtO0gjUt6gM8NiU9g*~*uEaD_oE2wiDMlq2GDu8zhwYySQbzr0kVZGcn8s4Dk7cEDvSl6XRkaXaP7a5RqmSqgUx7-yk6g8/s-FxFFU__PNlcuV___.YzJ1OndhaXRha2VyZXByaW1hcnk6YzpvOmRkMGI4MjA2MTNmMjg1YzMyNTM2YjE2YzI0MjAzMGU1Ojc6MzQ1NjphZDU1ODAwMDRlN2FjYWY0Nzk3ODJmN2U3MjI1MmNkMTUyZWIyNWZlZjgyYTY4N2M3ZWVjN2E0NjVmZjU3M2E4Omg6VDpU | malicious | Unknown | 104.16.123.96
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig | 172.67.129.27
CLOUDFLARENETUS | 122046760.bat | malicious | RHADAMANTHYS | 162.159.61.3
MAXITEL-ASRU | 3gJQoqWpxb.bat | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc | 89.23.100.42
MAXITEL-ASRU | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 89.23.100.42
MAXITEL-ASRU | 7fE6IkvYWf.exe | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | iGxCM2I5u9.exe | malicious | Flesh Stealer | 89.23.100.233
MAXITEL-ASRU | T05Dk6G8fg.exe | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | 3K5MXGVOJE.exe | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | VaXmr82RIb.exe | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | Installer_setup32_64x.exe | malicious | LummaC, Stealc | 89.23.96.109
MAXITEL-ASRU | 9fGsCDYKLV.exe | malicious | Flesh Stealer | 89.23.100.233
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\itLDZwgFNE.exe
                                                                  File Type:SQLite 3.x database, user version 57, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 2, database pages 41, cookie 0x21, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):5242880
                                                                  Entropy (8bit):0.035631294721445904
                                                                  Encrypted:false
                                                                  SSDEEP:192:bZjnkYjcoBMcygNDI7oslTYBIQg6Ism2Vspvp0:bZTVTBMcygNDuT1l62p
                                                                  MD5:59E4A8110FA2BCC012E341B93E96E93D
                                                                  SHA1:EE08810B0CE857F01170C08A24B9D438B64D577D
                                                                  SHA-256:3A85F2FC349A7E431EA6F1FC4568C99C1918D478AD6FE6445D560EF00395DB40
                                                                  SHA-512:2AD00B0FCBE4FC37ECAA68C16BE32A904D682A23ACF5B39BCECF5DC280E23933FDD5A0D2A92A45F2C77618CA7466334AFEB1EAA7EA07BF4E043282B31039E8FF
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:SQLite format 3......@ .......)...........!...................9..................................S`....(e......}$|.|N{.{sz.z{z.yAx.x!w.v.wZu7tNt.s.s\r.rJq.p.q.p.o.o.o.m.mal&k.k.g.g3f.f.e.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):5.589877734824581
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                  File name:itLDZwgFNE.exe
                                                                  File size:275'968 bytes
                                                                  MD5:8bb556dc8633bc4fe7bebc38bafcbf6a
                                                                  SHA1:6f4893d171d01a13a3e8a96db7150fd1b7c963ce
                                                                  SHA256:b385555834f9fbb1a2dab687cc7bcdfd760cbba033f69c04617b4506bb23b88c
                                                                  SHA512:36e01d1256fdf01697bd1ce8875fab906e9c3a983acd965ca82261ae48e0fc43bf1d3400264c0f71d406d0fcfebd1ad8c875db535e5eebc386c2be2e46d05a2f
                                                                  SSDEEP:6144:I/M4uCQW7bqrhB3uag7I8F0E7hewZbcZSdHE8:I/juXabqrhpCE6Z9Iy
                                                                  TLSH:7D44C72C2BED780CF9AE4B7D5C9E9D6BC66854522C03B753794335620F11A8CEE8B0E5
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}............."...0..,...........J... ...`....@.. ....................................`................................
                                                                  Icon Hash:90cececece8e8eb0
                                                                  Entrypoint:0x444ace
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x9A13B17D [Thu Nov 30 18:31:25 2051 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x44a74 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x5b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x42ad4 | 0x42c00 | c0d93f4ad2f5f9220bd269f77cb48894 | False | 0.4444054307116105 | data | 5.604321866775138 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x46000 | 0x5b0 | 0x600 | 82b22d07923431b220994f8fe6e9e4db | False | 0.423828125 | data | 4.072930934952341 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x48000 | 0xc | 0x200 | c1efac4e09d49e850418cb15d9c20967 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x460a0 | 0x324 | data | | | 0.43407960199004975
RT_MANIFEST | 0x463c4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Dec 17, 2024 13:36:59.126549006 CET4978132048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:36:59.405356884 CET320484978189.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:36:59.907641888 CET4978132048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:00.188472033 CET320484978189.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:00.688771963 CET4978132048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:00.967222929 CET320484978189.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:01.330212116 CET4975680192.168.11.20104.16.184.241
                                                                  Dec 17, 2024 13:37:01.465923071 CET8049756104.16.184.241192.168.11.20
                                                                  Dec 17, 2024 13:37:01.466156006 CET4975680192.168.11.20104.16.184.241
                                                                  Dec 17, 2024 13:37:01.469839096 CET4978132048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:01.747850895 CET320484978189.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:02.251035929 CET4978232048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:02.524334908 CET320484978289.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:03.032032967 CET4978232048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:03.305521011 CET320484978289.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:03.813082933 CET4978232048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:04.086643934 CET320484978289.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:04.594090939 CET4978232048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:04.867360115 CET320484978289.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:05.375221014 CET4978232048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:05.648710966 CET320484978289.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:06.156414986 CET4978332048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:06.427707911 CET320484978389.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:06.937355995 CET4978332048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:07.208724976 CET320484978389.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:07.718534946 CET4978332048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:07.990845919 CET320484978389.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:08.499588013 CET4978332048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:08.770790100 CET320484978389.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:09.280536890 CET4978332048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:09.552073002 CET320484978389.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:10.061913967 CET4978432048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:10.335161924 CET320484978489.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:10.842897892 CET4978432048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:11.116108894 CET320484978489.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:11.623859882 CET4978432048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:11.898390055 CET320484978489.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:12.404855013 CET4978432048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:12.678250074 CET320484978489.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:13.185978889 CET4978432048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:13.460630894 CET320484978489.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:13.967384100 CET4978532048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:14.238765001 CET320484978589.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:14.748106003 CET4978532048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:15.019666910 CET320484978589.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:15.529243946 CET4978532048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:15.800429106 CET320484978589.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:16.310303926 CET4978532048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:16.581650019 CET320484978589.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:17.091321945 CET4978532048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:17.362507105 CET320484978589.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:18.950439930 CET4978632048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:19.224471092 CET320484978689.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:19.731815100 CET4978632048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:20.005414963 CET320484978689.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:20.513066053 CET4978632048192.168.11.2089.23.100.233
                                                                  Dec 17, 2024 13:37:20.786638021 CET320484978689.23.100.233192.168.11.20
                                                                  Dec 17, 2024 13:37:21.294246912 CET4978632048192.168.11.2089.23.100.233
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 13:35:20.872988939 CET | 52966 | 53 | 192.168.11.20 | 1.1.1.1
Dec 17, 2024 13:35:21.014595985 CET | 53 | 52966 | 1.1.1.1 | 192.168.11.20
Dec 17, 2024 13:35:21.320456982 CET | 61417 | 53 | 192.168.11.20 | 1.1.1.1
Dec 17, 2024 13:35:21.456497908 CET | 53 | 61417 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 13:35:20.872988939 CET | 192.168.11.20 | 1.1.1.1 | 0x42cc | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
Dec 17, 2024 13:35:21.320456982 CET | 192.168.11.20 | 1.1.1.1 | 0xb8ff | Standard query (0) | 140.244.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 13:35:21.014595985 CET | 1.1.1.1 | 192.168.11.20 | 0x42cc | No error (0) | icanhazip.com | | 104.16.184.241 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 13:35:21.014595985 CET | 1.1.1.1 | 192.168.11.20 | 0x42cc | No error (0) | icanhazip.com | | 104.16.185.241 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 13:35:21.456497908 CET | 1.1.1.1 | 192.168.11.20 | 0xb8ff | Name error (3) | 140.244.14.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                                                  • icanhazip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49756 | 104.16.184.241 | 80 | 7676 | C:\Users\user\Desktop\itLDZwgFNE.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 13:35:21.154238939 CET | 63 | OUT | GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
Dec 17, 2024 13:35:21.313793898 CET | 538 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 12:35:21 GMT
Content-Type: text/plain
Content-Length: 16
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=uYBjwK44azWs0Pw2gmc1cEnR0fgbn_fOSsCVmANvzeI-1734438921-1.0.1.1-5BGHrQd6sg18ldGte1_F8im.XYG88nVlcTVlhTH7Zb85vMFhoLjeiFRDYzOV6f1bjEC0Nzr8r4lsi1fVViym6g; path=/; expires=Tue, 17-Dec-24 13:05:21 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 8f36f3d9a8dc32e0-JAX
alt-svc: h3=":443"; ma=86400
Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 30 35 0a
Data Ascii: 102.129.152.205

                                                                  Target ID:0
                                                                  Start time:07:35:09
                                                                  Start date:17/12/2024
                                                                  Path:C:\Users\user\Desktop\itLDZwgFNE.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\Desktop\itLDZwgFNE.exe"
                                                                  Imagebase:0x17dafb10000
                                                                  File size:275'968 bytes
                                                                  MD5 hash:8BB556DC8633BC4FE7BEBC38BAFCBF6A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:1
                                                                  Start time:07:35:09
                                                                  Start date:17/12/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
                                                                  Imagebase:0x7ff76f1c0000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:07:35:09
                                                                  Start date:17/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff62eec0000
                                                                  File size:875'008 bytes
                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:07:35:09
                                                                  Start date:17/12/2024
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff62eec0000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:CA9A549C17932F9CAA154B5528EBD8D4
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:07:35:09
                                                                  Start date:17/12/2024
                                                                  Path:C:\Windows\System32\netsh.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:netsh wlan show profiles
                                                                  Imagebase:0x7ff765910000
                                                                  File size:96'768 bytes
                                                                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:07:35:09
                                                                  Start date:17/12/2024
                                                                  Path:C:\Windows\System32\findstr.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:findstr All
                                                                  Imagebase:0x7ff7ea1e0000
                                                                  File size:36'352 bytes
                                                                  MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;L_^$SL_^
                                                                    • API String ID: 0-259380329
                                                                    • Opcode ID: 7a946809e38a9604260d73cbc6c2539f25042a8e82305cbc4265e36cb5fd25cd
                                                                    • Instruction ID: 46f60378a4ce8779bb83e44624f280c92ef1bfc9ab782a00a8035ca37fe8f2a7
                                                                    • Opcode Fuzzy Hash: 7a946809e38a9604260d73cbc6c2539f25042a8e82305cbc4265e36cb5fd25cd
                                                                    • Instruction Fuzzy Hash: 3E41B321A29A1E8FF7A9A76844192BD36D2EF49304F5401BAD64FD73F3DD1C6A018341
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;L_^
                                                                    • API String ID: 0-130345473
                                                                    • Opcode ID: f5c8075eefc1a46a9c64f1594b62fb047d6c00024433fbd57af9362ab15ebcc9
                                                                    • Instruction ID: ab109db0bbe31098492ba70a9b391949c13bd424f75e3c9a9bd41cc7ee32ecda
                                                                    • Opcode Fuzzy Hash: f5c8075eefc1a46a9c64f1594b62fb047d6c00024433fbd57af9362ab15ebcc9
                                                                    • Instruction Fuzzy Hash: 4301FB31F29A2D8AEBA8B7B8041A2BD21C2AF482117540479E10EC33B3EC2969414241
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;L_^
                                                                    • API String ID: 0-130345473
                                                                    • Opcode ID: 73ee24e58da3ded3ed83d5ef886bd2efc62603ad5a416f9392a80f14aedc8d7a
                                                                    • Instruction ID: decf5436d7bdbae5b4fab439d2d5091fb1e4ec8f0096e8ab804778c19fe8bba7
                                                                    • Opcode Fuzzy Hash: 73ee24e58da3ded3ed83d5ef886bd2efc62603ad5a416f9392a80f14aedc8d7a
                                                                    • Instruction Fuzzy Hash: 2EF04F21B29A2D8BE678B7BC041E2BD21C2AF88211B980579D51EC33E3EC2DA9414242
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5350000fc9569401349d9e822a39798680bdee38c3fbc1e2d8dbe6e69009a49c
                                                                    • Instruction ID: 82275186553f9b63aafcc0ab7ec602e543d863796c3e250f3546ad0982876adb
                                                                    • Opcode Fuzzy Hash: 5350000fc9569401349d9e822a39798680bdee38c3fbc1e2d8dbe6e69009a49c
                                                                    • Instruction Fuzzy Hash: 7751F831E19A1D9FEB68EB7884197BD77E1EF69311B4000BED50DD73B2EE2958418780
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6c08f327267c47f58b32591d93af575439c113d359db80b0beff6b2030644b16
                                                                    • Instruction ID: f9d28b2c23f85f3b507d7cec6c16d7c8a816807f8f6ef5c86c6cae4a02b09695
                                                                    • Opcode Fuzzy Hash: 6c08f327267c47f58b32591d93af575439c113d359db80b0beff6b2030644b16
                                                                    • Instruction Fuzzy Hash: A5411324E1DBCE8FEB42A77888156EE7FF0EF56211B0405FAC18ADB1F3D92818068351
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3c9617b7d8419ae01b9ab16d020d7527b518a5c6451c21bedb0d4ada4c5e3c8d
                                                                    • Instruction ID: d0e495f55fbdb90889a02c40b8fdb5b0270f6baa86290faaea9b006af73cb675
                                                                    • Opcode Fuzzy Hash: 3c9617b7d8419ae01b9ab16d020d7527b518a5c6451c21bedb0d4ada4c5e3c8d
                                                                    • Instruction Fuzzy Hash: 11218611E2DA9F9FEB5673BC08265FD6AD0AF85210B5001F5D64FDB2F7DC1C69064241
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a76c1a47387aa55ee367361ff26ad737faf4ea7b285a710f76d5180a30259bf6
                                                                    • Instruction ID: 80fc8ce8d73547a98e1a855c2fcf5ffe9fe200c32f2ad75ae8c2dab42db48f46
                                                                    • Opcode Fuzzy Hash: a76c1a47387aa55ee367361ff26ad737faf4ea7b285a710f76d5180a30259bf6
                                                                    • Instruction Fuzzy Hash: 4421861471DA8A8FF746A3FC48267B9B6D2AF95300F6442BDD14ED72F7CC1869018712
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b403c8b024cf845d1d7b9733981ee39e9e57a34ee07394d09e0ba6dc33df69f1
                                                                    • Instruction ID: 37781981805cad4815ee6e9f2043be969e951622687f824dca1db7d38294fd54
                                                                    • Opcode Fuzzy Hash: b403c8b024cf845d1d7b9733981ee39e9e57a34ee07394d09e0ba6dc33df69f1
                                                                    • Instruction Fuzzy Hash: B321A120A1965A8FE36AAB3844257BE66D2EF46300F5006BDD24FCB3F7DE5D69858301
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9bfeeed7051acf716762969c1cd946338a52268239c2850942876407cd859a26
                                                                    • Instruction ID: cbbdd3fabc2e2a141fab2fe87302a4a58a95a4105f079086247ecba5695e52f5
                                                                    • Opcode Fuzzy Hash: 9bfeeed7051acf716762969c1cd946338a52268239c2850942876407cd859a26
                                                                    • Instruction Fuzzy Hash: 0101C46191EB9C5FD35AA734082A6AA3EE1EF9625074504EED18FC72E3DD1869048711
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: edc740bdb4c4b345b4cbdac63c906fd6bf4e994b7f391ba818020dbdf54a55a5
                                                                    • Instruction ID: 6e83740749cb0ef7c0dc8d3d1c085d9739fcaf8b197fab63e63af32c158cd6a8
                                                                    • Opcode Fuzzy Hash: edc740bdb4c4b345b4cbdac63c906fd6bf4e994b7f391ba818020dbdf54a55a5
                                                                    • Instruction Fuzzy Hash: A6F08250B29E5D9FEB98E76C44956BD77D2EF98210B80047DE10FC73E3DD1968458740
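The entries above are machine-generated function fingerprints from the Joe Sandbox IDA plugin: each "Memory Dump Source" block names the memory-dump file and region base, then gives the opcode and instruction hashes that the "Similarity" lookup matches on. When these get exported into a function-similarity database, the first thing a practitioner wants is a parser and a few sanity checks. The script below is an added example written for this page, not Joe Sandbox code. `SAMPLE` is constructed from two of the records shown above (plus the trailing line of a preceding record, to exercise the header-splitting logic). Only the fourth field of the `.sdmp` filename is interpreted, because the page shows it equals the record's `Offset`; the meaning of the remaining filename fields is not stated on the page and is deliberately left unparsed. All function and variable names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the layout of this report's "Memory Dump Source" entries.
SAMPLE = """\
• Instruction Fuzzy Hash: A5411324E1DBCE8FEB42A77888156EE7FF0EF56211B0405FAC18ADB1F3D92818068351
Memory Dump Source
• Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c9617b7d8419ae01b9ab16d020d7527b518a5c6451c21bedb0d4ada4c5e3c8d
• Instruction ID: d0e495f55fbdb90889a02c40b8fdb5b0270f6baa86290faaea9b006af73cb675
• Opcode Fuzzy Hash: 3c9617b7d8419ae01b9ab16d020d7527b518a5c6451c21bedb0d4ada4c5e3c8d
• Instruction Fuzzy Hash: 11218611E2DA9F9FEB5673BC08265FD6AD0AF85210B5001F5D64FDB2F7DC1C69064241
Memory Dump Source
• Source File: 00000000.00000002.101587586032.00007FFE60500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE60500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffe60500000_itLDZwgFNE.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a76c1a47387aa55ee367361ff26ad737faf4ea7b285a710f76d5180a30259bf6
• Instruction ID: 80fc8ce8d73547a98e1a855c2fcf5ffe9fe200c32f2ad75ae8c2dab42db48f46
• Opcode Fuzzy Hash: a76c1a47387aa55ee367361ff26ad737faf4ea7b285a710f76d5180a30259bf6
• Instruction Fuzzy Hash: 4421861471DA8A8FF746A3FC48267B9B6D2AF95300F6442BDD14ED72F7CC1869018712
"""

FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
# sdmp name: <8 hex>.<8 hex>.<digits>.<16-hex base>.<more fields>.sdmp. Only the base
# address is interpreted (it equals the record's Offset); the other fields are left alone.
SDMP_RE = re.compile(r"^[0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.([0-9A-F]{16})\.[0-9A-F.]+\.sdmp$", re.I)
KEYS = {"Snapshot File": "snapshot_file", "API ID": "api_id", "String ID": "string_id",
        "API String ID": "api_string_id", "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
        "Opcode Fuzzy Hash": "opcode_fuzzy_hash", "Instruction Fuzzy Hash": "instruction_fuzzy_hash"}


def _source_file_fields(value):
    # "<name>.sdmp, Offset: 00007FFE60500000, based on PE: false"
    name, *rest = [p.strip() for p in value.split(",")]
    out = {"source_file": name, "offset": None, "based_on_pe": None}
    for part in rest:
        key, _, val = (s.strip() for s in part.partition(":"))
        if key.lower() == "offset":
            out["offset"] = int(val, 16)
        elif key.lower() == "based on pe":
            out["based_on_pe"] = val.lower() == "true"
    return out


def dump_base(source_file):
    """Base address encoded in the sdmp filename (hypothetical helper, see lead-in)."""
    m = SDMP_RE.match(source_file)
    if not m:
        raise ValueError(f"unrecognised sdmp name: {source_file}")
    return int(m.group(1), 16)


def parse_records(text):
    """One dict per 'Memory Dump Source' block; lines before the first header are dropped."""
    records, rec = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "Memory Dump Source":
            if rec is not None:
                records.append(rec)
            rec = {**{k: "" for k in KEYS.values()}, "source_file": "", "offset": None, "based_on_pe": None}
            continue
        m = FIELD_RE.match(line) if rec is not None else None
        if not m:
            continue  # pre-header tail, or labels like "Similarity" / "Joe Sandbox IDA Plugin"
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            rec.update(_source_file_fields(value))
        elif key in KEYS:
            rec[KEYS[key]] = value
    if rec is not None:
        records.append(rec)
    return records


def summarise(records):
    """Sanity checks before loading these fingerprints into a function-similarity database."""
    counts = Counter(r["opcode_id"] for r in records)
    return {
        "functions": len(records),
        "distinct_opcode_ids": len(counts),
        "duplicate_opcode_ids": sorted(h for h, n in counts.items() if n > 1),
        # In this report Opcode ID and Opcode Fuzzy Hash are identical for every entry.
        "opcode_id_mismatch": [r["opcode_id"] for r in records if r["opcode_id"] != r["opcode_fuzzy_hash"]],
        "base_mismatch": [r["source_file"] for r in records if dump_base(r["source_file"]) != r["offset"]],
        # Empty API/String IDs: the function can only be matched on code hashes, not on API usage.
        "code_hash_only": sum(1 for r in records if not (r["api_id"] or r["string_id"] or r["api_string_id"])),
        # Regions the plugin did not attribute to a loaded PE image ("based on PE: false").
        "non_pe_regions": sorted({hex(r["offset"]) for r in records if r["based_on_pe"] is False}),
    }
```

Running `summarise(parse_records(SAMPLE))` reports two functions with two distinct opcode IDs, no ID/hash divergence, both functions matchable on code hashes only (all API and String IDs are empty, as in every entry above), and a single non-PE region at 0x7ffe60500000. Feeding the same text twice surfaces both opcode IDs as duplicates, which is the check that keeps re-imported reports from inflating a similarity corpus.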