Edit tour

Windows Analysis Report
1.exe

Overview

General Information

Sample name:	1.exe
Analysis ID:	1632496
MD5:	963bdcbb6ff1bc2e844c7717aa86f105
SHA1:	58251e0ffb2bf31e8b10daa8d5c6c95c260e1c01
SHA256:	313203cb71acd29e6cc542bf57f0e90ce9e9456e2483a20418c8f17b7afe0b57
Tags:	exeNOBISLLCuser-SquiblydooBlog
Infos:

Detection

Score:	42
Range:	0 - 100
Confidence:	100%

Compliance

Score:	34
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Adds / modifies Windows certificates

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

EXE planting / hijacking vulnerabilities found

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected AdvancedInstaller

Classification

Process Tree

System is w10x64

1.exe (PID: 6440 cmdline: "C:\Users\user\Desktop\1.exe" MD5: 963BDCBB6FF1BC2E844C7717AA86F105)

1.exe (PID: 5776 cmdline: "C:\Users\user\Desktop\1.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="6440" CHAINERUIPROCESSID="6440Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\1.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741399430 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\1.exe" AI_INSTALL="1" MD5: 963BDCBB6FF1BC2E844C7717AA86F105)

msiexec.exe (PID: 6768 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6888 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 55B0A5D20DA80E669238FE583A968533 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4048 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 011399632BA1746BB11F93C0202EFCBC MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7088 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D090BCDC0FF5FA97C880D99DA0314E5E E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AdvancedInstaller	Yara detected AdvancedInstaller	Joe Security

Sigma Signatures

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.80.136, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7088, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49690

Suricata Signatures

ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T03:05:58.630410+0100	2829202	1	A Network Trojan was detected	192.168.2.7	49690	104.21.80.136	443	TCP
2025-03-08T03:06:11.595185+0100	2829202	1	A Network Trojan was detected	192.168.2.7	49695	104.21.80.136	443	TCP
2025-03-08T03:06:57.397580+0100	2829202	1	A Network Trojan was detected	192.168.2.7	49696	104.21.80.136	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 1.exe	Virustotal: Detection: 31%			Perma Link
Source: 1.exe	ReversingLabs: Detection: 23%

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\1.exe	EXE: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\SoftwareDistributor.exe			Jump to behavior
Source: C:\Users\user\Desktop\1.exe	EXE: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\ProgramFilesFolder\Main\MainSoftware.exe			Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\1.exe	EXE: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\SoftwareDistributor.exe			Jump to behavior
Source: C:\Users\user\Desktop\1.exe	EXE: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\ProgramFilesFolder\Main\MainSoftware.exe			Jump to behavior

Uses 32bit PE files

Source: 1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Creates install or setup log file

Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\Surfclub\How to uninstall.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\How to uninstall.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\How to uninstall.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Atomix\How to uninstall.txt	Jump to behavior

PE / OLE file has a valid certificate

Source: 1.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.7:49690 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: #.Pdb source: 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: 1.exe, 00000000.00000003.947054348.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1122205528.00000000078A4000.00000004.00000020.00020000.00000000.sdmp, shi5BCB.tmp.3.dr, shi1760.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, MSI7C87.tmp.1.dr, Distributor Software.msi.0.dr, MSI7D74.tmp.1.dr, ShortcutFlags.dll.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, Distributor Software.msi.0.dr, MSI5F39.tmp.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\Distributor\Bundle Project\MSIInstaller\obj\Release\net8.0\win-x64\linked\MSIInstaller.pdb source: 1.exe, 00000000.00000003.1189844239.000000000C8C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wininet.pdbUGP source: 1.exe, 00000000.00000003.947054348.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1122205528.00000000078A4000.00000004.00000020.00020000.00000000.sdmp, shi5BCB.tmp.3.dr, shi1760.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B0A0000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.00000000088C0000.00000002.00000001.00040000.0000000D.sdmp, Distributor Software.msi.0.dr, MSI1B32.tmp.0.dr, MSI18CB.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbG source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, MSI7C87.tmp.1.dr, Distributor Software.msi.0.dr, MSI7D74.tmp.1.dr, ShortcutFlags.dll.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B0A0000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.00000000088C0000.00000002.00000001.00040000.0000000D.sdmp, Distributor Software.msi.0.dr, lzmaextractor.dll.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\FileOperations.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, Distributor Software.msi.0.dr, MSI7C48.tmp.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbp source: 1.exe, 00000000.00000002.2168845235.000000000B0A0000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.00000000088C0000.00000002.00000001.00040000.0000000D.sdmp, Distributor Software.msi.0.dr, MSI1B32.tmp.0.dr, MSI18CB.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, MSI18FB.tmp.0.dr, Distributor Software.msi.0.dr, MSI5E3C.tmp.1.dr, MSI1D38.tmp.0.dr, MSI5E9B.tmp.1.dr, MSI17DE.tmp.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: 1.exe, 00000000.00000003.1189844239.000000000C745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: 1.exe

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Users\user\Desktop\1.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: a:	Jump to behavior

Yara detected AdvancedInstaller

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00922360 FindFirstFileW,FindClose,CloseHandle,CloseHandle,	0_2_00922360
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_008F5800 FindFirstFileW,GetLastError,FindClose,	0_2_008F5800
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00940500 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00940500
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_008D6800 FindFirstFileW,FindNextFileW,FindClose,	0_2_008D6800
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_0092CBC0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_0092CBC0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_008F4ED0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_008F4ED0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00904E70 FindFirstFileW,FindClose,FindClose,	0_2_00904E70
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_0092D040 FindFirstFileW,FindClose,	0_2_0092D040
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_0091F400 FindFirstFileW,FindClose,DeleteFileW,GetLastError,	0_2_0091F400
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007B3CB0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	0_2_007B3CB0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_008F5800 FindFirstFileW,GetLastError,FindClose,	3_2_008F5800
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007B3CB0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	3_2_007B3CB0

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_007D31C0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,

0_2_007D31C0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.7:49695 -> 104.21.80.136:443
Source: Network traffic	Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.7:49690 -> 104.21.80.136:443
Source: Network traffic	Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.7:49696 -> 104.21.80.136:443

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.21.80.136 104.21.80.136

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: swiftvantage.onlineConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe HTTP/1.1Accept: /Range: bytes=1097728-User-Agent: AdvancedInstallerHost: swiftvantage.onlineConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe HTTP/1.1Accept: /Range: bytes=3309568-User-Agent: AdvancedInstallerHost: swiftvantage.onlineConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: swiftvantage.online

Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp, shi5BCB.tmp.3.dr, shi1760.tmp.0.dr, SoftwareDistributor.exe.0.dr	String found in binary or memory: http://.css
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp, shi5BCB.tmp.3.dr, shi1760.tmp.0.dr, SoftwareDistributor.exe.0.dr	String found in binary or memory: http://.jpg
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: 1.exe, 00000003.00000003.1122097854.0000000008E40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globa
Source: 1.exe, 00000003.00000002.2166677373.000000000506D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsig
Source: 1.exe, 00000000.00000002.2168230943.0000000008510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.co0NQ
Source: 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.1200346527.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168379617.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2166677373.000000000506D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1121781525.0000000008E44000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: 1.exe, 00000000.00000002.2168675607.000000000A680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4/_4J
Source: 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943929526.0000000008518000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943468629.00000000085CF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1118468819.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943929526.0000000008518000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943468629.00000000085CF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1118468819.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2166677373.000000000506D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1122097854.0000000008E40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168803534.0000000008E41000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: 1.exe, 00000000.00000003.943929526.0000000008512000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168230943.0000000008510000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943929526.0000000008518000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.1200346527.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168379617.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1121781525.0000000008E44000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 1.exe, 00000000.00000002.2168675607.000000000A680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6/_4J
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp, shi5BCB.tmp.3.dr, shi1760.tmp.0.dr, SoftwareDistributor.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: 1.exe, 00000000.00000002.2168230943.0000000008510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign
Source: 1.exe, 00000000.00000002.2168675607.000000000A680000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.1200346527.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168379617.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2166677373.000000000506D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1121781525.0000000008E44000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943929526.0000000008518000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943468629.00000000085CF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1118468819.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943929526.0000000008518000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943468629.00000000085CF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1118468819.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2166677373.000000000506D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1122097854.0000000008E40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168803534.0000000008E41000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: 1.exe, 00000000.00000002.2168675607.000000000A680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globa/_4J
Source: 1.exe, 00000000.00000002.2168230943.0000000008510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsig
Source: 1.exe, 00000000.00000003.943929526.0000000008512000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168675607.000000000A680000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943929526.0000000008518000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.1200346527.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168379617.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1122097854.0000000008E40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1121781525.0000000008E44000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0?
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0P
Source: 1.exe, 00000000.00000003.1189844239.000000000CD72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: 1.exe, 00000000.00000003.1189844239.000000000CD72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943929526.0000000008518000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943468629.00000000085CF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1118468819.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943929526.0000000008518000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943468629.00000000085CF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1118468819.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2166677373.000000000506D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1122097854.0000000008E40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168803534.0000000008E41000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: 1.exe, 00000000.00000002.2168230943.0000000008510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha3
Source: 1.exe, 00000000.00000002.2168675607.000000000A680000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.1200346527.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168379617.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2166677373.000000000506D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1121781525.0000000008E44000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: MSI7C48.tmp.1.dr	String found in binary or memory: http://www.winimage.com/zLibDll
Source: 1.exe, 00000000.00000003.1189844239.000000000CA8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: 1.exe, 00000000.00000003.1189844239.000000000C8FA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CA8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/binaryformatter
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: 1.exe, 00000000.00000003.1189844239.000000000CA8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: 1.exe, 00000000.00000003.1189844239.000000000CA8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-illink/com)
Source: 1.exe, 00000000.00000003.1189844239.000000000CA8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: 1.exe, 00000000.00000003.1189844239.000000000CA8C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CCE5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CA08000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CD72000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000C949000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000C96E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet/download
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet/info
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet/sdk-not-foundProbing
Source: 1.exe, 00000000.00000003.1189844239.000000000CA8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: 1.exe, 00000000.00000003.1189844239.000000000C8BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/FantasticFiasco/serilog-sinks-http.git
Source: 1.exe, 00000000.00000003.1189844239.000000000CA08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dot
Source: 1.exe, 00000000.00000003.1189844239.000000000C901000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CD29000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000C8ED000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CA6C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CD8B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CD17000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CA38000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000C8E6000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000C923000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CA1D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000C8D4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CD81000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000C938000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000C93D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000C8FA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CD2F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CA8C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CA87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000CCE5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000C8CC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000C745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: 1.exe, 00000000.00000003.1189844239.000000000C8A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/serilog/serilog
Source: 1.exe, 00000000.00000003.1189844239.000000000C8B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/serilog/serilog-formatting-compact
Source: MSI7C48.tmp.1.dr	String found in binary or memory: https://qb-hos.pages.dev/page-1/?source_id=6
Source: 1.exe, 00000003.00000002.2166677373.000000000506D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qb-hos.pages.dev/page-1/?source_id=6(
Source: 1.exe, 00000000.00000002.2168230943.0000000008510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qb-hos.pages.dev/page-1/?source_id=6z
Source: 1.exe, 00000000.00000002.2168230943.0000000008510000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.942834843.00000000085A8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943432752.00000000085AD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943400616.00000000085A0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1122017271.0000000008E51000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2166677373.000000000506D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1117866333.00000000050BA000.00000004.00000020.00020000.00000000.sdmp, MSI7C48.tmp.1.dr	String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe
Source: 1.exe, 00000003.00000002.2166677373.000000000506D000.00000004.00000020.00020000.00000000.sdmp, MSI7C48.tmp.1.dr	String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkg
Source: Distributor Software.msi.0.dr	String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkgCtrlEvt
Source: 1.exe, 00000000.00000002.2168230943.0000000008510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.4MQ
Source: 1.exe, 00000000.00000003.943929526.0000000008512000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168230943.0000000008510000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943929526.0000000008518000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000000.00000003.1200346527.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.2168379617.000000000859F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.944009626.00000000085AB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.943468629.00000000085CF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2167259810.0000000006EA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000003.1120104407.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1118468819.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1119817314.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2166677373.000000000506D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1122097854.0000000008E40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120019719.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1120147562.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1121781525.0000000008E44000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000002.2168803534.0000000008E41000.00000004.00000020.00020000.00000000.sdmp, Distributor Software.msi.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.7:49690 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_008D0590 SendMessageW,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW,

0_2_008D0590

System Summary

Contains functionality to call native functions

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00942730 NtdllDefWindowProc_W,	0_2_00942730
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_0088E120 NtdllDefWindowProc_W,	0_2_0088E120
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007AA490 NtdllDefWindowProc_W,	0_2_007AA490
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007A6610 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_007A6610
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00822730 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00822730
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007A6DE0 SysFreeString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString,	0_2_007A6DE0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007A7490 NtdllDefWindowProc_W,GetSysColor,	0_2_007A7490
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007A9640 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_007A9640
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007BF730 NtdllDefWindowProc_W,	0_2_007BF730
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007B17B0 NtdllDefWindowProc_W,	0_2_007B17B0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007B1920 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_007B1920
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007CDAD0 NtdllDefWindowProc_W,	0_2_007CDAD0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007A9E30 NtdllDefWindowProc_W,	0_2_007A9E30
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007B9E00 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_007B9E00
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_0088E120 NtdllDefWindowProc_W,	3_2_0088E120
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007AA490 NtdllDefWindowProc_W,	3_2_007AA490
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007A7490 NtdllDefWindowProc_W,	3_2_007A7490
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007A9640 NtdllDefWindowProc_W,	3_2_007A9640
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007A6610 NtdllDefWindowProc_W,NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W,	3_2_007A6610
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007BF730 NtdllDefWindowProc_W,	3_2_007BF730
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_00822730 NtdllDefWindowProc_W,	3_2_00822730
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007B17B0 NtdllDefWindowProc_W,	3_2_007B17B0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007B1920 NtdllDefWindowProc_W,	3_2_007B1920
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007CDAD0 NtdllDefWindowProc_W,	3_2_007CDAD0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007A9E30 NtdllDefWindowProc_W,	3_2_007A9E30
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007B9E00 NtdllDefWindowProc_W,DeleteCriticalSection,	3_2_007B9E00

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4f5cb6.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5E3C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5E9B.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5ECB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5F39.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{67AEF7BA-A109-4700-BE3F-0231069B1923}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C48.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C87.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CD6.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7D74.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI89AA.tmp	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI5E3C.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007C0350	0_2_007C0350
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_0093A3D0	0_2_0093A3D0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00922360	0_2_00922360
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009584F0	0_2_009584F0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_0090CD30	0_2_0090CD30
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00910E70	0_2_00910E70
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_008FD130	0_2_008FD130
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00791490	0_2_00791490
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00797950	0_2_00797950
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009D61E0	0_2_009D61E0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007D03D0	0_2_007D03D0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00944520	0_2_00944520
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00962560	0_2_00962560
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009E8969	0_2_009E8969
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00958A70	0_2_00958A70
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007C0BB0	0_2_007C0BB0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009E2C50	0_2_009E2C50
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007D8D50	0_2_007D8D50
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_008D0DF0	0_2_008D0DF0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00958F80	0_2_00958F80
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007D6F60	0_2_007D6F60
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009E2FB0	0_2_009E2FB0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009AAF30	0_2_009AAF30
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009AB060	0_2_009AB060
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_008271E0	0_2_008271E0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007C71F0	0_2_007C71F0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007CF1F0	0_2_007CF1F0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007A1250	0_2_007A1250
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007C33B3	0_2_007C33B3
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00793420	0_2_00793420
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009CD41E	0_2_009CD41E
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00901520	0_2_00901520
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009A3AD0	0_2_009A3AD0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00959A50	0_2_00959A50
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007C5A80	0_2_007C5A80
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007DDC50	0_2_007DDC50
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_008F9CE0	0_2_008F9CE0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007E5CD0	0_2_007E5CD0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007BBDE0	0_2_007BBDE0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007B1E60	0_2_007B1E60
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007A7E90	0_2_007A7E90
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_0094FFB0	0_2_0094FFB0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007C0350	3_2_007C0350
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_00797950	3_2_00797950
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_008271E0	3_2_008271E0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007C71F0	3_2_007C71F0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007CF1F0	3_2_007CF1F0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007D03D0	3_2_007D03D0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007C33B3	3_2_007C33B3
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_00793420	3_2_00793420
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_009584F0	3_2_009584F0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_00791490	3_2_00791490
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_00962560	3_2_00962560
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_00959A50	3_2_00959A50
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_00958A70	3_2_00958A70
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007C5A80	3_2_007C5A80
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007DEB20	3_2_007DEB20
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007C0BB0	3_2_007C0BB0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007DDCD0	3_2_007DDCD0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_009E2C50	3_2_009E2C50
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007D8D50	3_2_007D8D50
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_008D0DF0	3_2_008D0DF0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007BBDE0	3_2_007BBDE0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007B1E60	3_2_007B1E60
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007A7E90	3_2_007A7E90
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_00958F80	3_2_00958F80
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007D6F60	3_2_007D6F60
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_0094FFB0	3_2_0094FFB0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\1.exe	Code function: String function: 00798850 appears 60 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 009C05C7 appears 48 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 008E7500 appears 32 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 007987B0 appears 118 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 00798550 appears 52 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 0079B020 appears 72 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 009C4B73 appears 83 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 00799190 appears 252 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 009C5730 appears 40 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 007A3640 appears 45 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 0079A9E0 appears 63 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 008E7760 appears 64 times

PE file contains executable resources (Code or Archives)

Source: MainSoftware.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: SoftwareDistributor.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: SoftwareDistributor.exe.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: MainSoftware.exe.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

PE file does not import any functions

Source: Install.exe.part.6.dr

Static PE information: No import functions for PE file found

PE file overlay found

Source: Install.exe.part.6.dr

Static PE information: Data appended to the last section found

Sample file is different than original file name gathered from version info

Source: 1.exe, 00000000.00000003.1189844239.000000000C901000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C8A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSerilog.dll0 vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CD29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C8ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.947054348.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CA6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C8C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSIInstaller.dll: vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CD8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CD17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.Numerics.dll@ vs 1.exe
Source: 1.exe, 00000000.00000002.2168845235.000000000B0A0000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CA38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C8E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C923000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CA1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Net.Quic.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C8D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CD81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Channels.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Diagnostics.StackTrace.dll@ vs 1.exe
Source: 1.exe, 00000000.00000002.2168230943.0000000008510000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsi.dllX vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C93D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Formats.Asn1.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C8FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CD2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CA8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CA87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.ObjectModel.dll@ vs 1.exe
Source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs 1.exe
Source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenameShortcutFlags.dllF vs 1.exe
Source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs 1.exe
Source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs 1.exe
Source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenameFileOperations.dllF vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CCE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C8B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSerilog.Formatting.Compact.dllV vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C8CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CA08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C745000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscordaccore.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C745000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSIInstaller.dll: vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C745000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CD72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C8DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C956000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.IO.MemoryMappedFiles.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C8F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CCFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Reflection.Metadata.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C949000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C9F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C96E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000CD8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C9FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Net.NetworkInformation.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C95F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Linq.dll@ vs 1.exe
Source: 1.exe, 00000000.00000003.1189844239.000000000C8BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSerilog.Sinks.Http.dllF vs 1.exe
Source: 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs 1.exe
Source: 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenameShortcutFlags.dllF vs 1.exe
Source: 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs 1.exe
Source: 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs 1.exe
Source: 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenameFileOperations.dllF vs 1.exe
Source: 1.exe, 00000003.00000003.1122205528.00000000078A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs 1.exe
Source: 1.exe, 00000003.00000002.2168116011.00000000088C0000.00000002.00000001.00040000.0000000D.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs 1.exe

Uses 32bit PE files

Source: 1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: shi1760.tmp.0.dr

Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket

Source: classification engine

Classification label: mal42.evad.winEXE@10/66@1/1

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_008F8DA0 FormatMessageW,GetLastError,

0_2_008F8DA0

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_007D3550 GetDriveTypeW,GetDiskFreeSpaceExW,

0_2_007D3550

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00900890 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,

0_2_00900890

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00946E30 CoCreateInstance,

0_2_00946E30

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_0079A8A0 LoadResource,LockResource,SizeofResource,

0_2_0079A8A0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Atomix

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

File created: C:\Users\user\AppData\Roaming\Atomix

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

File created: C:\Users\user~1\AppData\Local\Temp\shi1760.tmp

Jump to behavior

Source: 1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1.exe	Virustotal: Detection: 31%
Source: 1.exe	ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\1.exe

File read: C:\Users\user\Desktop\1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55B0A5D20DA80E669238FE583A968533 C
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="6440" CHAINERUIPROCESSID="6440Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\1.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741399430 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\1.exe" AI_INSTALL="1"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 011399632BA1746BB11F93C0202EFCBC
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D090BCDC0FF5FA97C880D99DA0314E5E E Global\MSI0000
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="6440" CHAINERUIPROCESSID="6440Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\1.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741399430 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\1.exe" AI_INSTALL="1"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55B0A5D20DA80E669238FE583A968533 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 011399632BA1746BB11F93C0202EFCBC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D090BCDC0FF5FA97C880D99DA0314E5E E Global\MSI0000	Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\Desktop\1.exe	Automated click: Next >
Source: C:\Users\user\Desktop\1.exe	Automated click: I accept the terms in the License Agreement
Source: C:\Users\user\Desktop\1.exe	Automated click: Next >
Source: C:\Users\user\Desktop\1.exe	Automated click: Next >
Source: C:\Users\user\Desktop\1.exe	Automated click: Install

PE / OLE file has a valid certificate

Source: 1.exe

Static PE information: certificate valid

PE file has a big code size

Source: 1.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: 1.exe

Static file information: File size 34379192 > 1048576

PE file has a big raw section

Source: 1.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c9200

PE file imports many functions

Source: 1.exe

Static PE information: More than 200 imports for KERNEL32.dll

PE file contains a mix of data directories often seen in goodware

Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: 1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: #.Pdb source: 1.exe, 00000000.00000003.1189844239.000000000D4D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: 1.exe, 00000000.00000003.947054348.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1122205528.00000000078A4000.00000004.00000020.00020000.00000000.sdmp, shi5BCB.tmp.3.dr, shi1760.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, MSI7C87.tmp.1.dr, Distributor Software.msi.0.dr, MSI7D74.tmp.1.dr, ShortcutFlags.dll.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, Distributor Software.msi.0.dr, MSI5F39.tmp.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: 1.exe, 00000000.00000003.1189844239.000000000BF1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\Distributor\Bundle Project\MSIInstaller\obj\Release\net8.0\win-x64\linked\MSIInstaller.pdb source: 1.exe, 00000000.00000003.1189844239.000000000C8C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wininet.pdbUGP source: 1.exe, 00000000.00000003.947054348.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000003.00000003.1122205528.00000000078A4000.00000004.00000020.00020000.00000000.sdmp, shi5BCB.tmp.3.dr, shi1760.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B0A0000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.00000000088C0000.00000002.00000001.00040000.0000000D.sdmp, Distributor Software.msi.0.dr, MSI1B32.tmp.0.dr, MSI18CB.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbG source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, MSI7C87.tmp.1.dr, Distributor Software.msi.0.dr, MSI7D74.tmp.1.dr, ShortcutFlags.dll.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B0A0000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.00000000088C0000.00000002.00000001.00040000.0000000D.sdmp, Distributor Software.msi.0.dr, lzmaextractor.dll.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\FileOperations.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, Distributor Software.msi.0.dr, MSI7C48.tmp.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbp source: 1.exe, 00000000.00000002.2168845235.000000000B0A0000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.00000000088C0000.00000002.00000001.00040000.0000000D.sdmp, Distributor Software.msi.0.dr, MSI1B32.tmp.0.dr, MSI18CB.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 1.exe, 00000000.00000002.2168845235.000000000B215000.00000002.00000001.00040000.0000000D.sdmp, 1.exe, 00000003.00000002.2168116011.0000000008A35000.00000002.00000001.00040000.0000000D.sdmp, MSI18FB.tmp.0.dr, Distributor Software.msi.0.dr, MSI5E3C.tmp.1.dr, MSI1D38.tmp.0.dr, MSI5E9B.tmp.1.dr, MSI17DE.tmp.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: 1.exe, 00000000.00000003.1189844239.000000000C745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: 1.exe

PE file contains a valid data directory to section mapping

Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: shi1760.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_0090CD30 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,LoadLibraryW,GetProcAddress,GetEnvironmentVariableW,SHGetPathFromIDListW,SHGetMalloc,

0_2_0090CD30

PE file contains sections with non-standard names

Source: 1.exe	Static PE information: section name: .didat
Source: 1.exe	Static PE information: section name: .fptable
Source: MainSoftware.exe.0.dr	Static PE information: section name: .CLR_UEF
Source: MainSoftware.exe.0.dr	Static PE information: section name: .didat
Source: MainSoftware.exe.0.dr	Static PE information: section name: Section
Source: MainSoftware.exe.0.dr	Static PE information: section name: _RDATA
Source: SoftwareDistributor.exe.0.dr	Static PE information: section name: .CLR_UEF
Source: SoftwareDistributor.exe.0.dr	Static PE information: section name: .didat
Source: SoftwareDistributor.exe.0.dr	Static PE information: section name: Section
Source: SoftwareDistributor.exe.0.dr	Static PE information: section name: _RDATA
Source: ShortcutFlags.dll.0.dr	Static PE information: section name: .fptable
Source: MSI197B.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI19AB.tmp.0.dr	Static PE information: section name: .fptable
Source: shi1760.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi1760.tmp.0.dr	Static PE information: section name: .didat
Source: MSI17DE.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI184C.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI189B.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI18CB.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI18FB.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI191B.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI194B.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI1B32.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI1BFF.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI1D38.tmp.0.dr	Static PE information: section name: .fptable
Source: SoftwareDistributor.exe.1.dr	Static PE information: section name: .CLR_UEF
Source: SoftwareDistributor.exe.1.dr	Static PE information: section name: .didat
Source: SoftwareDistributor.exe.1.dr	Static PE information: section name: Section
Source: SoftwareDistributor.exe.1.dr	Static PE information: section name: _RDATA
Source: MainSoftware.exe.1.dr	Static PE information: section name: .CLR_UEF
Source: MainSoftware.exe.1.dr	Static PE information: section name: .didat
Source: MainSoftware.exe.1.dr	Static PE information: section name: Section
Source: MainSoftware.exe.1.dr	Static PE information: section name: _RDATA
Source: MSI5F39.tmp.1.dr	Static PE information: section name: .didat
Source: MSI5F39.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI7C87.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI7CD6.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI7D74.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI89AA.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI5E3C.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI5E9B.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI5ECB.tmp.1.dr	Static PE information: section name: .fptable
Source: shi5BCB.tmp.3.dr	Static PE information: section name: .wpp_sf
Source: shi5BCB.tmp.3.dr	Static PE information: section name: .didat
Source: Install.exe.part.6.dr	Static PE information: section name: .CLR_UEF
Source: Install.exe.part.6.dr	Static PE information: section name: .didat
Source: Install.exe.part.6.dr	Static PE information: section name: Section
Source: Install.exe.part.6.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007AE360 push ecx; mov dword ptr [esp], ecx	0_2_007AE361
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009C54E7 push ecx; ret	0_2_009C54FA
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007D157A push 8BFFFFFEh; iretd	0_2_007D158C
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00A5B584 push eax; retf	0_2_00A5B871
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00A5B580 push eax; retf	0_2_00A5B871
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00A5B588 push eax; retf	0_2_00A5B871
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_008D1750 push ecx; mov dword ptr [esp], 3F800000h	0_2_008D18AC
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007AE360 push ecx; mov dword ptr [esp], ecx	3_2_007AE361
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_009C54E7 push ecx; ret	3_2_009C54FA
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007D157A push 8BFFFFFEh; iretd	3_2_007D158C
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_008D1750 push ecx; mov dword ptr [esp], 3F800000h	3_2_008D18AC

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI197B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI1D38.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI194B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6440\lzmaextractor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI89AA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6440\ShortcutFlags.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7D74.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI189B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI1BFF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI191B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\ProgramFilesFolder\Main\MainSoftware.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5F39.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI19AB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI18CB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI18FB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Main\MainSoftware.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5E3C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C87.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CD6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\Install.exe.part	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\SoftwareDistributor.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5E9B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI184C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI17DE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\MSI1B32.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5ECB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\shi5BCB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\shi1760.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5E3C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI89AA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C87.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CD6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7D74.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5E9B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5ECB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5F39.tmp	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\Install.exe.part

Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\Surfclub\How to uninstall.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\How to uninstall.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\How to uninstall.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Atomix\How to uninstall.txt	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\1.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior

Stores large binary data to the registry

Source: C:\Users\user\Desktop\1.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI1D38.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI197B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI194B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6440\lzmaextractor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI89AA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6440\ShortcutFlags.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7D74.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI189B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI1BFF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI191B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\ProgramFilesFolder\Main\MainSoftware.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5F39.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI19AB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI18CB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI18FB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Main\MainSoftware.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5E3C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7C87.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7CD6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Atomix\Addons\Surfclub\Install.exe.part	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\SoftwareDistributor.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5E9B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI17DE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI184C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI1B32.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi5BCB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5ECB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi1760.tmp	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\1.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-64718

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\1.exe	API coverage: 9.9 %
Source: C:\Users\user\Desktop\1.exe	API coverage: 7.3 %

Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00922360 FindFirstFileW,FindClose,CloseHandle,CloseHandle,	0_2_00922360
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_008F5800 FindFirstFileW,GetLastError,FindClose,	0_2_008F5800
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00940500 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00940500
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_008D6800 FindFirstFileW,FindNextFileW,FindClose,	0_2_008D6800
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_0092CBC0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_0092CBC0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_008F4ED0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_008F4ED0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00904E70 FindFirstFileW,FindClose,FindClose,	0_2_00904E70
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_0092D040 FindFirstFileW,FindClose,	0_2_0092D040
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_0091F400 FindFirstFileW,FindClose,DeleteFileW,GetLastError,	0_2_0091F400
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007B3CB0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	0_2_007B3CB0
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_008F5800 FindFirstFileW,GetLastError,FindClose,	3_2_008F5800
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007B3CB0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	3_2_007B3CB0

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_007D31C0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,

0_2_007D31C0

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_009BFE52 VirtualQuery,GetSystemInfo,

0_2_009BFE52

Source: MSI18CB.tmp.0.dr

Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\*.*Failed to delete directory: LastError= Failed to delete file: shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_009C9823 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009C9823

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_008EEA70 GetLocalTime,CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

0_2_008EEA70

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\1.exe

0_2_0090CD30

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009C420E mov esi, dword ptr fs:[00000030h]		0_2_009C420E
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_009C420E mov esi, dword ptr fs:[00000030h]		3_2_009C420E

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_009C427A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_009C427A

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007D3170 __set_se_translator,SetUnhandledExceptionFilter,	0_2_007D3170
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_007E0100 __set_se_translator,SetUnhandledExceptionFilter,	0_2_007E0100
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009C4D5E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009C4D5E
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_009C9823 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009C9823
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007D3170 __set_se_translator,SetUnhandledExceptionFilter,	3_2_007D3170
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_007E0100 __set_se_translator,SetUnhandledExceptionFilter,	3_2_007E0100
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_009C9823 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_009C9823
Source: C:\Users\user\Desktop\1.exe	Code function: 3_2_009C4D5E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_009C4D5E

HIPS / PFW / Operating System Protection Evasion

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00879740 CreateFileW,CloseHandle,WriteFile,CloseHandle,ShellExecuteExW,

0_2_00879740

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\1.exe

Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="6440" CHAINERUIPROCESSID="6440Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\1.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741399430 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\1.exe" AI_INSTALL="1"

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe "c:\users\user\desktop\1.exe" /i "c:\users\user\appdata\roaming\atomix\atomix 1.0.0\install\69b1923\distributor software.msi" ai_euimsi=1 appdir="c:\program files (x86)\atomix" secondsequence="1" clientprocessid="6440" chaineruiprocessid="6440chainer" action="install" executeaction="install" clientuilevel="0" addlocal="mainfeature" primaryfolder="appdir" rootdrive="c:\" ai_detected_admin_user="1" ai_setupexepath="c:\users\user\desktop\1.exe" setupexedir="c:\users\user\desktop\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1741399430 " targetdir="c:\" ai_setupexepath_original="c:\users\user\desktop\1.exe" ai_install="1"
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe "c:\users\user\desktop\1.exe" /i "c:\users\user\appdata\roaming\atomix\atomix 1.0.0\install\69b1923\distributor software.msi" ai_euimsi=1 appdir="c:\program files (x86)\atomix" secondsequence="1" clientprocessid="6440" chaineruiprocessid="6440chainer" action="install" executeaction="install" clientuilevel="0" addlocal="mainfeature" primaryfolder="appdir" rootdrive="c:\" ai_detected_admin_user="1" ai_setupexepath="c:\users\user\desktop\1.exe" setupexedir="c:\users\user\desktop\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1741399430 " targetdir="c:\" ai_setupexepath_original="c:\users\user\desktop\1.exe" ai_install="1"			Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_008F6700 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,

0_2_008F6700

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_009BC130 cpuid

0_2_009BC130

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,		0_2_009247C0
Source: C:\Users\user\Desktop\1.exe	Code function: GetLocaleInfoW,		3_2_009DF27F

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6440\dialog.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6440\dialog.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6440\banner.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6440\banner.jpg VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_0093BA20 CreateNamedPipeW,CreateFileW,

0_2_0093BA20

Source: C:\Users\user\Desktop\1.exe

0_2_008EEA70

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_0093A3D0 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,

0_2_0093A3D0

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00797950 GetVersion,

0_2_00797950

Source: C:\Users\user\Desktop\1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\1.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Search Order Hijacking	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Search Order Hijacking	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Process Injection	1 Timestomp	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	37 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Search Order Hijacking	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	31 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	32 Masquerading	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
1.exe