
Windows Analysis Report
Installer64x.exe1.exe

Overview

General Information

Sample name: Installer64x.exe1.exe
Analysis ID: 1637276
MD5: e070bcc6b4f0e004b91f73cbe27d73ee
SHA1: cfc88488870730d1a9ab7076ef62aed1ef991ae1
SHA256: 24fb33ac2e21129c190da102e9d5d8ac9079ccb429711cc3dcbbdda44ca073ab
Tags: exe, user-TornadoAV_dev

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Installer64x.exe1.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\Installer64x.exe1.exe" MD5: E070BCC6B4F0E004B91F73CBE27D73EE)
    • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Installer64x.exe1.exe (PID: 3588 cmdline: "C:\Users\user\Desktop\Installer64x.exe1.exe" MD5: E070BCC6B4F0E004B91F73CBE27D73EE)
    • WerFault.exe (PID: 5740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 688 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Malware Configuration

LummaC: {"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}

Source | Rule | Description | Author
00000002.00000002.2407790699.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000002.00000003.1224431929.00000000014CF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000003.1258119927.00000000014D1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000003.1251363945.00000000014CF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000003.1258180324.000000000148E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(3 more entries not shown)

Source | Rule | Description | Author
2.2.Installer64x.exe1.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
2.2.Installer64x.exe1.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T13:33:39.948757+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49700 | 188.114.96.3 | 443 | TCP
2025-03-13T13:33:42.409546+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49702 | 188.114.96.3 | 443 | TCP
2025-03-13T13:33:44.569774+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49707 | 188.114.96.3 | 443 | TCP
2025-03-13T13:33:46.987305+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49711 | 188.114.96.3 | 443 | TCP
2025-03-13T13:33:50.263688+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49713 | 188.114.96.3 | 443 | TCP
2025-03-13T13:33:52.984466+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49715 | 188.114.96.3 | 443 | TCP
2025-03-13T13:33:56.866982+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.11 | 49717 | 188.114.96.3 | 443 | TCP

                AV Detection

Source: Installer64x.exe1.exe | Avira: detected
Source: https://citydisco.bet:443/gdJIS/ | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}
Source: Installer64x.exe1.exe | Virustotal: Detection: 68%
Source: Installer64x.exe1.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp | String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp | String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp | String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp | String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp | String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp | String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp | String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp | String decryptor: bugildbett.top/bAuz
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_0041CCB6 CryptUnprotectData | 2_2_0041CCB6
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_0041D7D2 CryptUnprotectData,CryptUnprotectData | 2_2_0041D7D2
Source: Installer64x.exe1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49717 version: TLS 1.2
Source: Installer64x.exe1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A9FCDE FindFirstFileExW | 0_2_00A9FCDE
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A9FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose | 0_2_00A9FD8F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A9FCDE FindFirstFileExW | 2_2_00A9FCDE
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A9FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose | 2_2_00A9FD8F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+edx+50h] | 2_2_0040F14B
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then cmp dword ptr [esi+eax*8], CA198B66h | 2_2_004479B0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then push edi | 2_2_0041330A
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2Ch] | 2_2_0044D320
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+esi+02h] | 2_2_00429C40
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then cmp word ptr [edi+ebx], 0000h | 2_2_0044BC40
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx+10h] | 2_2_0040DC5A
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 2_2_00443D60
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DF8h] | 2_2_00421E50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], A566C0CEh | 2_2_00421E50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7FFFFFFFh] | 2_2_0042FE10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-773910CCh] | 2_2_0042FE10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 2_2_0041D7D2
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov word ptr [ecx], dx | 2_2_0044CFE0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] | 2_2_00443F90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+18h] | 2_2_00443F90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-3C8EC9B8h] | 2_2_00411F95
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 2_2_00429050
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx-6D3F2B30h] | 2_2_0044B060
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+000011E8h] | 2_2_0042D070
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_004328D7
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000000E0h] | 2_2_004110E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 2_2_0041B880
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0041B940
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx-6D3F2B30h] | 2_2_0044B150
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h | 2_2_0044C1C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov edx, eax | 2_2_004491D4
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh | 2_2_004019E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov esi, edx | 2_2_004261A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3B9108C6h] | 2_2_0042D201
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 2_2_0040A210
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 2_2_0040A210
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov word ptr [eax], dx | 2_2_00427A20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1Ch] | 2_2_0040C2D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_0040C2D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 2_2_00433AD0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000BCh] | 2_2_0040FAE0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DECh] | 2_2_004482F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DECh] | 2_2_004482F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 9F1F8F53h | 2_2_004482F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 2_2_004412A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov byte ptr [esi], cl | 2_2_00423BF0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+0587871Ah] | 2_2_0040F380
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-001A1106h] | 2_2_00430390
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DECh] | 2_2_00445420
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2Ch] | 2_2_0044D4A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx+44h] | 2_2_00423D41
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov byte ptr [esi], cl | 2_2_00423D41
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-46h] | 2_2_00421530
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx esi, byte ptr [edi+eax+01h] | 2_2_004105E7
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h | 2_2_00447D90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov dword ptr [ebp-10h], esi | 2_2_00431E70
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h] | 2_2_0041E618
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+01h] | 2_2_0040BEC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx eax, byte ptr [edx] | 2_2_0042EEC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+69266341h] | 2_2_004336F6
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then mov word ptr [ecx], si | 2_2_0041F6A9
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+1A7D4DECh] | 2_2_00444F50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+1A7D4DECh] | 2_2_00447FC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68h] | 2_2_004207F8

                Networking

Source: Malware configuration extractor | URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor | URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor | URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor | URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor | URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor | URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor | URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor | URLs: bugildbett.top/bAuz
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.18.0 (Ubuntu) | Date: Thu, 13 Mar 2025 12:33:58 GMT | Content-Type: application/octet-stream | Content-Length: 21504 | Last-Modified: Wed, 15 Jan 2025 19:13:16 GMT | Connection: keep-alive | ETag: "678808cc-5400" | Accept-Ranges: bytes | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a 58 21 9a 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 48 00 00 00 0a 00 00 00 00 00 00 3a 66 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e7 65 00 00 4f 00 00 00 00 80 00 00 b8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 34 65 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 46 00 00 00 20 00 00 00 48 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 06 00 00 00 80 00 00 00 08 00 00 00 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 00 00 00 02 00 00 00 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 66 00 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 36 00 00 dc 2c 00 00 03 00 02 00 10 00 00 06 c4 63 00 00 70 01 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 b5 00 00 00 01 00 00 11 02 14 7d 1c 00 00 04 02 28 14 00 00 0a 00 00 02 28 06 00 00 06 00 28 05 00 00 06 00 28 03 00 00 06 00 02 28 0b 00 00 06 00 02 28 0a 00 00 06 00 7e 19 00 00 04 72 01 00 00 70 6f 15 00 00 0a 0a 06 2c 30 00 7e 03 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 7e 0f 00 00 04 7e 12 00 00 04 72 23 00 00 70 16 28 04 00 00 06 00 00 2b 18 00 7e 02 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 00 7e 01 00 00 04 7e 12 00 00 04 72 43 00 00 70 16 28 04 00 00 06 00 28 08 00 00 06 00 28 0c 00 00 06 00 02 28 0e 00 00 06 00 2a 00 00 00 13 30 03 00 21 00 00 00 02 00 00 11 00 02 28 16 00 00 0a 0a 06 25 6f 17 00 00 0a 20 80 00 00 00 60 6f 18 00 00 0a 00 06 0b 2b 00 07 2a 00 00 00 1b 30 04 00 a7 01 00 00 03 00 00 11 00 00 20 00 0f 00 00 28 19 00 00 0a 00 20 10 27 00 00 8d 31 00 00 01 0a 16 0b 16 0c 73 1a 00 00 0a 0d 09 7e 10 00 00 04 6f 1b 00 00 0a 13 04 11 04 73 1c 00 00 0a 13 05 00 06 16 72 5b
Source: global traffic | HTTP traffic detected: GET /conhost.exe HTTP/1.1 | Connection: Keep-Alive | Host: 185.215.113.51
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 185.215.113.51
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49702 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49700 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49715 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49707 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49717 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49713 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49711 -> 188.114.96.3:443
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 69 | Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=I6JHi6LpN7d8943u2ND | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 14544 | Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=1L5HK2oHz5kIoo | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15051 | Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=2Ku1iLM9pKr8 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20410 | Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=hZkSie5dBNfL0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2567 | Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=SDFctPB0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 584228 | Host: citydisco.bet
Source: global traffic | HTTP traffic detected: POST /gdJIS HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 107 | Host: citydisco.bet
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.51 (reported 11 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /conhost.exe HTTP/1.1 | Connection: Keep-Alive | Host: 185.215.113.51
Source: global traffic | DNS traffic detected: DNS query: citydisco.bet
Source: unknown | HTTP traffic detected: POST /gdJIS HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 69 | Host: citydisco.bet
Source: Installer64x.exe1.exe, 00000002.00000003.1955503478.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.51/
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.51/O
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.51/a
Source: Installer64x.exe1.exe, 00000002.00000002.2408694996.00000000010FB000.00000004.00000010.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955884395.0000000001498000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001469000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955526555.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.51/conhost.exe
Source: Installer64x.exe1.exe, 00000002.00000003.1955884395.0000000001498000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955526555.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.51/conhost.exe6
Source: Installer64x.exe1.exe, 00000002.00000003.1955884395.0000000001498000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955526555.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.51/conhost.exeF
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.51/conhost.exeR
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.51/conhost.exeY
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.51/x
Source: Installer64x.exe1.exe, 00000002.00000003.1955695637.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001474000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.51:80/conhost.exe
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: Amcache.hve.6.drString found in binary or memory: http://upx.sf.net
                Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500
                Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500000.1&cta
                Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: Installer64x.exe1.exe, 00000002.00000003.1258224493.00000000014E2000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1200459789.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1280915629.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258429406.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1299907440.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955643126.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258307307.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258119927.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1251363945.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1177955714.0000000001471000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1326448367.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1281240791.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410395073.0000000001500000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955916349.00000000014FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet/
                Source: Installer64x.exe1.exe, 00000002.00000003.1299907440.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1326448367.00000000014EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet/.
                Source: Installer64x.exe1.exe, 00000002.00000003.1299907440.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1326448367.00000000014EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet/2
                Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet/E
                Source: Installer64x.exe1.exe, 00000002.00000003.1281240791.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1177955714.000000000148C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet/gdJIS
                Source: Installer64x.exe1.exe, 00000002.00000003.1251096524.000000000151B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet/gdJIS66/hI
                Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet/gdJISD
                Source: Installer64x.exe1.exe, 00000002.00000003.1299907440.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1326448367.00000000014EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet/ka
                Source: Installer64x.exe1.exe, 00000002.00000003.1955695637.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001474000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet:443/gdJIS
                Source: Installer64x.exe1.exe, 00000002.00000003.1955695637.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258361257.0000000001471000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001474000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet:443/gdJIS/
                Source: Installer64x.exe1.exe, 00000002.00000003.1955695637.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258361257.0000000001471000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001474000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1177955714.0000000001471000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet:443/gdJISi
                Source: Installer64x.exe1.exe, 00000002.00000003.1955695637.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258361257.0000000001471000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001474000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://citydisco.bet:443/gdJISsw2cld.default-release/key4.dbPK
                Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbW4pDk4pbW4CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_f6f292994d7c60be109e4c185cbc03032d36d17160d4e639
                Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.8Z86fTxZfkM6
                Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.UnUp0v0CLe9Y
                Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49700 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49702 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49707 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49711 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49713 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49715 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49717 version: TLS 1.2
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043F3A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 2_2_0043F3A0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_03A01000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, 2_2_03A01000
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043F530 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 2_2_0043F530
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A4FE200_2_00A4FE20
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A776300_2_00A77630
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A816300_2_00A81630
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A2C6100_2_00A2C610
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A40E100_2_00A40E10
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A87E100_2_00A87E10
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A2DE600_2_00A2DE60
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A616600_2_00A61660
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A7A6600_2_00A7A660
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A846400_2_00A84640
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A696500_2_00A69650
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A66F900_2_00A66F90
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A7FF900_2_00A7FF90
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A2D7F00_2_00A2D7F0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A707F00_2_00A707F0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A46FC00_2_00A46FC0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A72FC00_2_00A72FC0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A33F200_2_00A33F20
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A2A7000_2_00A2A700
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A757000_2_00A75700
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00AA37180_2_00AA3718
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A2BF100_2_00A2BF10
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A42F100_2_00A42F10
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A7EF100_2_00A7EF10
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A297180_2_00A29718
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 0_2_00A397400_2_00A39740
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0044C8702_2_0044C870
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041D0782_2_0041D078
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0040B8F02_2_0040B8F0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004479B02_2_004479B0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00412A4D2_2_00412A4D
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004373652_2_00437365
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0040D4C02_2_0040D4C0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041CCB62_2_0041CCB6
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0044BD502_2_0044BD50
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041655F2_2_0041655F
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00421E502_2_00421E50
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00417E102_2_00417E10
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042FE102_2_0042FE10
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042C6202_2_0042C620
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004286A02_2_004286A0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0040E7002_2_0040E700
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042B71C2_2_0042B71C
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041D7D22_2_0041D7D2
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00443F902_2_00443F90
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00411F952_2_00411F95
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0040EFAC2_2_0040EFAC
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004010402_2_00401040
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041F04F2_2_0041F04F
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004290502_2_00429050
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0044B0602_2_0044B060
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0043D0642_2_0043D064
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042D0702_2_0042D070
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0043F0102_2_0043F010
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004020D02_2_004020D0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0043D8E22_2_0043D8E2
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041B9402_2_0041B940
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041794C2_2_0041794C
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004201502_2_00420150
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0044B1502_2_0044B150
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0040D9702_2_0040D970
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042190C2_2_0042190C
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0044C1C02_2_0044C1C0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004491D42_2_004491D4
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0044B9E02_2_0044B9E0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004399F62_2_004399F6
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004419802_2_00441980
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0043718B2_2_0043718B
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004311892_2_00431189
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004171A42_2_004171A4
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042D2012_2_0042D201
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0040A2102_2_0040A210
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00424A102_2_00424A10
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00427A202_2_00427A20
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0043EA202_2_0043EA20
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00408A302_2_00408A30
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004422322_2_00442232
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042E7B42_2_0042E7B4
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004482F02_2_004482F0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0044B2F02_2_0044B2F0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0044AAFB2_2_0044AAFB
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00445A982_2_00445A98
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00430AAB2_2_00430AAB
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004263402_2_00426340
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00402B002_2_00402B00
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042BB042_2_0042BB04
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042F31B2_2_0042F31B
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0043C3202_2_0043C320
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042FB332_2_0042FB33
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0043233F2_2_0043233F
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004133C42_2_004133C4
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004433E02_2_004433E0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0044B3802_2_0044B380
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0040BC102_2_0040BC10
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0044B4102_2_0044B410
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00444C102_2_00444C10
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004094302_2_00409430
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0044C4C02_2_0044C4C0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041255F2_2_0041255F
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0040DD742_2_0040DD74
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004035002_2_00403500
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00407D202_2_00407D20
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004255202_2_00425520
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004215302_2_00421530
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00432DC02_2_00432DC0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0040C5E02_2_0040C5E0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0043A58C2_2_0043A58C
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00424D902_2_00424D90
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0040CDB02_2_0040CDB0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004436402_2_00443640
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004456402_2_00445640
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00430E4F2_2_00430E4F
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041366E2_2_0041366E
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00431E702_2_00431E70
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0043AE042_2_0043AE04
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041E6182_2_0041E618
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00437E232_2_00437E23
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042EEC02_2_0042EEC0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00426EC12_2_00426EC1
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041C6C42_2_0041C6C4
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00403EA02_2_00403EA0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00408EA02_2_00408EA0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004366A02_2_004366A0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041F6A92_2_0041F6A9
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00437EB02_2_00437EB0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0043774D2_2_0043774D
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004297502_2_00429750
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00444F502_2_00444F50
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004027602_2_00402760
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004387702_2_00438770
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00437F172_2_00437F17
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0043671D2_2_0043671D
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042F72E2_2_0042F72E
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00413FC02_2_00413FC0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004257C02_2_004257C0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004207F82_2_004207F8
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_004047822_2_00404782
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00406F862_2_00406F86
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0041DFB12_2_0041DFB1
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_0042E7B42_2_0042E7B4
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A498A02_2_00A498A0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A678A02_2_00A678A0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A798B02_2_00A798B0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A2C8902_2_00A2C890
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A660902_2_00A66090
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A350E02_2_00A350E0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A400E02_2_00A400E0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A3A0F02_2_00A3A0F0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A790F02_2_00A790F0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A8B0F02_2_00A8B0F0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A428C02_2_00A428C0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A4E0202_2_00A4E020
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A2E0302_2_00A2E030
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A210002_2_00A21000
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A828002_2_00A82800
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A3D8102_2_00A3D810
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A5A8102_2_00A5A810
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A760102_2_00A76010
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A3F8602_2_00A3F860
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A5C8702_2_00A5C870
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A5D0702_2_00A5D070
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A338402_2_00A33840
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A301A02_2_00A301A0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A389A02_2_00A389A0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A289902_2_00A28990
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A3F1902_2_00A3F190
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A2D1E02_2_00A2D1E0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A5E9C02_2_00A5E9C0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A241D02_2_00A241D0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A841D02_2_00A841D0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A769202_2_00A76920
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A581302_2_00A58130
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A8D90A2_2_00A8D90A
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A3E9002_2_00A3E900
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A589002_2_00A58900
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A501102_2_00A50110
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A741102_2_00A74110
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A2B9602_2_00A2B960
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A571702_2_00A57170
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A369402_2_00A36940
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A391502_2_00A39150
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A37AA02_2_00A37AA0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A58AA02_2_00A58AA0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A382B02_2_00A382B0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A812B02_2_00A812B0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A87AB02_2_00A87AB0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A43A902_2_00A43A90
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A452902_2_00A45290
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A522F02_2_00A522F0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A922CA2_2_00A922CA
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A83A202_2_00A83A20
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A982302_2_00A98230
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A432002_2_00A43200
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A71A002_2_00A71A00
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A822102_2_00A82210
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A68A702_2_00A68A70
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A272402_2_00A27240
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A53A502_2_00A53A50
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A31BA02_2_00A31BA0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A3E3A02_2_00A3E3A0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A553A02_2_00A553A0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A3DB802_2_00A3DB80
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A30B902_2_00A30B90
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A893E02_2_00A893E0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A4ABF02_2_00A4ABF0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A5ABF02_2_00A5ABF0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A693D02_2_00A693D0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A473202_2_00A47320
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A613202_2_00A61320
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A2A3002_2_00A2A300
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A27B002_2_00A27B00
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A6130F2_2_00A6130F
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A283102_2_00A28310
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A3B3102_2_00A3B310
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A493602_2_00A49360
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A6EB402_2_00A6EB40
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A37B502_2_00A37B50
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A6A3502_2_00A6A350
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A703502_2_00A70350
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A64CB02_2_00A64CB0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A7BCC02_2_00A7BCC0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A784C02_2_00A784C0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A8A4C02_2_00A8A4C0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A254D02_2_00A254D0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A344302_2_00A34430
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A304302_2_00A30430
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A734302_2_00A73430
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A42C002_2_00A42C00
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A81C002_2_00A81C00
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A7840F2_2_00A7840F
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A34C102_2_00A34C10
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A3D4102_2_00A3D410
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A534102_2_00A53410
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A664602_2_00A66460
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A3EC702_2_00A3EC70
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A53C702_2_00A53C70
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A324502_2_00A32450
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A454502_2_00A45450
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A5C5A02_2_00A5C5A0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A42D802_2_00A42D80
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A5DD802_2_00A5DD80
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00AA55922_2_00AA5592
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A30DE02_2_00A30DE0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A4B5F02_2_00A4B5F0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A67DF02_2_00A67DF0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A455C02_2_00A455C0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A28DD02_2_00A28DD0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A5F5D02_2_00A5F5D0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A57DD02_2_00A57DD0
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A5DDD92_2_00A5DDD9
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A5FD202_2_00A5FD20
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A29D302_2_00A29D30
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A365302_2_00A36530
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A435302_2_00A43530
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A49D002_2_00A49D00
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A7FD002_2_00A7FD00
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A795002_2_00A79500
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A335102_2_00A33510
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A5B5602_2_00A5B560
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A83D602_2_00A83D60
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A2CD502_2_00A2CD50
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeCode function: 2_2_00A63EA02_2_00A63EA0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A216B0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A45EB0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A62E80
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A29690
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A2E690
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A75690
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A5D6E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A586E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A6AEE0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A2B6F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A466F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A376C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A5AEC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A30620
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A4FE20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A2C610
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A40E10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A87E10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A2DE60
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A89E60
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A84640
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A69650
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A66F90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A7FF90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A227E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A707F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A46FC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A72FC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A33F20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A2A700
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A2BF10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00AA3718
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A42F10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A39740
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A41F50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | String function: 0041B930 appears 104 times
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | String function: 00A8DE10 appears 96 times
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | String function: 00A9607C appears 44 times
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | String function: 0040B230 appears 40 times
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | String function: 00A9AE24 appears 34 times
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Process created: C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 688)
Source: Installer64x.exe1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Installer64x.exe1.exe | Static PE information: Section: .bss ZLIB complexity 1.0003241237482117 (a .bss section normally has no raw data at all; a compression ratio above 1.0 means the bytes this one does carry are incompressible, which is what encrypted or already-compressed payload looks like)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/6@1/2
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00443F90 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW (the CoCreateInstance / CoSetProxyBlanket / BSTR sequence is the standard COM client setup for WMI, followed here by a volume-information lookup)
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7020
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7ddce0fc-db99-41fb-ad81-821b67a38a4a
Source: Installer64x.exe1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies key)
Source: Installer64x.exe1.exe, 00000002.00000003.1200896157.0000000003BC3000.00000004.00000800.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1201663175.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1179137259.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003B96000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
This is the CREATE statement of the password_notes table in Chromium's Login Data database. The text can be in the sample's memory either because the sample carries the schema itself or because it has read the database file, whose sqlite_master page stores exactly this statement; either way it belongs with the browser-credential harvesting flagged in the signatures.
Source: Installer64x.exe1.exe | Virustotal: Detection: 68%
Source: Installer64x.exe1.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File read: C:\Users\user\Desktop\Installer64x.exe1.exe
Source: unknown | Process created: C:\Users\user\Desktop\Installer64x.exe1.exe "C:\Users\user\Desktop\Installer64x.exe1.exe"
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Process created: C:\Users\user\Desktop\Installer64x.exe1.exe "C:\Users\user\Desktop\Installer64x.exe1.exe"
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 688
The sample starts a second copy of its own image; the WerFault invocation for PID 7020 (matching the WERReportingForProcess7020 mutant above) shows that one of the instances crashed.
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Section loaded: apphelp.dll, acgenral.dll, uxtheme.dll, winmm.dll, samcli.dll, msacm32.dll, version.dll, userenv.dll, dwmapi.dll, urlmon.dll, mpr.dll, sspicli.dll, winmmbase.dll (twice), iertutil.dll, srvcli.dll, netutils.dll, aclayers.dll, sfc.dll, sfc_os.dll (this sequence is recorded twice in the report)
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Section loaded: windows.storage.dll, wldp.dll, winhttp.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, dpapi.dll, kernel.appcore.dll, wbemcomn.dll, amsi.dll, profapi.dll, ondemandconnroutehelper.dll (seven further loads)
Reading the second list: winhttp.dll, webio.dll, schannel.dll, ncrypt.dll and dnsapi.dll are the WinHTTP/TLS client stack, consistent with HTTPS traffic to the C2 URLs found in the configuration; wbemcomn.dll is the WMI client library behind the queries listed under Malware Analysis System Evasion; dpapi.dll is the API that browser password stores use to protect saved credentials.
Source: Installer64x.exe1.exe | Static file information: File size 1364480 > 1048576
Source: Installer64x.exe1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A8DFCA push ecx; ret 0_2_00A8DFDD
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_0045446E push cs; ret 2_2_004544B8
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00454666 push 9DE8EE2Fh; iretd 2_2_0045468D
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A604F7 push ebx; iretd 2_2_00A604F9
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A604DD push ebx; iretd 2_2_00A604E3
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A8DFCA push ecx; ret 2_2_00A8DFDD
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A4A775 push es; iretd 2_2_00A4A776
(push followed by ret or iretd inside a function body is the opcode pattern the static engine flags as obfuscation-like; push cs / push es / iretd in a user-mode 32-bit image do not occur in compiler output)
Source: Installer64x.exe1.exe | Static PE information: section name: .text entropy: 7.09207256696417 (of a maximum of 8 bits per byte for the code section; compiled x86 code normally sits well below this, so the value is consistent with packed or encrypted code)
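The static checks above (section flags, the .bss ZLIB complexity, the .text entropy and the DllCharacteristics flags) can be reproduced on any PE without the sandbox. The following is an added example written for this page, not code from Joe Sandbox, from the sample or from any library: a dependency-free PE32/PE32+ header parser that reports the same fields and then applies two simple triage rules. ZLIB complexity is computed here as compressed size over raw size, which is the natural reading of the report's figure (just above 1.0 for an incompressible section) but is an assumption; the 7.0 entropy threshold and the synthetic two-section image built by build_test_image() are likewise assumptions and not values from the report.

```python
"""Static PE triage: section flags, entropy, ZLIB complexity and mitigation flags.

Added example, not code from the sandbox, the sample or any library. The 7.0
entropy threshold, the compressed/raw definition of ZLIB complexity and the
synthetic test image are assumptions.
"""
import math
import random
import struct
import zlib

MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
COFF_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
              0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}


def _names(value, table):
    """Flag names set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data):
    """Compressed size over raw size; above 1.0 means zlib could not shrink the data at all."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def parse_pe(image):
    """Machine, COFF and DllCharacteristics flags, and per-section statistics of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]             # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, coff = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24                                              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    dll = struct.unpack_from("<H", image, opt + 70)[0]         # DllCharacteristics: same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "flags": _names(flags, SECTION_FLAGS),
                         "entropy": entropy(raw), "zlib": zlib_complexity(raw)})
    return {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": magic == 0x20B,
            "coff": _names(coff, COFF_FLAGS), "dll": _names(dll, DLL_FLAGS), "sections": sections}


def triage(info, code_entropy=7.0):
    """(section, finding) pairs an analyst would raise from the headers alone."""
    findings = []
    for s in info["sections"]:
        executable = {"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE"} & set(s["flags"])
        if executable and s["entropy"] >= code_entropy:
            findings.append((s["name"], f"executable section entropy {s['entropy']:.2f}: likely packed or encrypted"))
        if "IMAGE_SCN_CNT_UNINITIALIZED_DATA" in s["flags"] and s["rawsize"] and s["zlib"] >= 1.0:
            findings.append((s["name"], f"uninitialized-data section carries {s['rawsize']} incompressible bytes "
                                        f"(ZLIB complexity {s['zlib']:.4f})"))
    for flag in ("DYNAMIC_BASE", "NX_COMPAT"):
        if flag not in info["dll"]:
            findings.append(("header", f"{flag} not set"))
    return findings


def build_test_image(packed):
    """Constructed two-section PE32 image for the demo; it is not the analysed sample."""
    rng = random.Random(1337)
    if packed:
        text = bytes(rng.getrandbits(8) for _ in range(4096))  # incompressible bytes standing in for packed code
        bss = bytes(rng.getrandbits(8) for _ in range(512))    # a .bss that carries real, encrypted-looking bytes
    else:
        text = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 512       # repetitive x86 prologue/epilogue bytes
        bss = b""                                              # a normal .bss has no raw data at all
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # I386, 2 sections, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(224)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                    # SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x8140)               # GUI subsystem; DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200,
                           0, 0, 0, 0, 0x60000020)             # CNT_CODE|MEM_EXECUTE|MEM_READ
    bss_hdr = struct.pack("<8sIIIIIIHHI", b".bss", 0x1000, 0x2000, len(bss), 0x200 + len(text) if bss else 0,
                          0, 0, 0, 0, 0xC0000080)              # CNT_UNINITIALIZED_DATA|MEM_READ|MEM_WRITE
    headers = dos + b"PE\0\0" + coff + bytes(opt) + text_hdr + bss_hdr
    return headers + bytes(0x200 - len(headers)) + text + bss


if __name__ == "__main__":
    for label in ("packed", "benign"):
        info = parse_pe(build_test_image(packed=(label == "packed")))
        print(label, info["machine"], info["coff"], info["dll"])
        for s in info["sections"]:
            print(f"  {s['name']:<6} entropy {s['entropy']:.2f} zlib {s['zlib']:.4f} {s['flags']}")
        for name, finding in triage(info):
            print("  finding:", name, finding)
```

To use it on a real file, pass open(path, "rb").read() to parse_pe() and feed the result to triage(). Entropy alone is a weak signal (a section full of every byte value in a repeating pattern also scores 8.0), which is why the ZLIB ratio is kept next to it: compressed or encrypted data is both high-entropy and incompressible, while structured data with high entropy still compresses.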
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 times)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 times)
These are SetErrorMode flags. The WerFault.exe entries come from the crash reporter's own start-up and are not sample behaviour; only the two NOOPENFILEERRORBOX calls from Installer64x.exe1.exe are attributable to the sample.

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Installer64x.exe1.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Window / User API: threadDelayed 6305
Source: C:\Users\user\Desktop\Installer64x.exe1.exe TID: 3504 | Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\Desktop\Installer64x.exe1.exe TID: 7816 | Thread sleep count: 6305 > 30
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Last function: Thread delayed (2 times)
Taken together these are three classic sandbox checks made by the sample itself. Win32_VideoController returns the display adapter name, which identifies a hypervisor's virtual adapter by vendor string. Win32_BIOS and the FirmwareTableInformation class of NtQuerySystemInformation (the call GetSystemFirmwareTable wraps) both expose the SMBIOS tables, i.e. BIOS vendor, system manufacturer and product. The delay loop (6305 delays on thread 7816 and one long sleep on thread 3504, above the report's 30000 threshold) is there to outlast an analysis time limit. The Amcache strings further down show what those firmware queries return on this analysis machine.
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A9FCDE FindFirstFileExW
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A9FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A9FCDE FindFirstFileExW
Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A9FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose
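What the FirmwareTableInformation query and the Win32_BIOS query above actually hand to the sample is the raw SMBIOS table. The following is an added example written for this page, not code from the sandbox or from the sample: a parser for the RawSMBIOSData buffer that GetSystemFirmwareTable('RSMB') returns on Windows (the Win32_BIOS class exposes the same Type 0 fields), extracting the Type 0 (BIOS) and Type 1 (System) strings and matching them against hypervisor vendor markers, which is the comparison an anti-VM check performs. The blobs are constructed in the block itself, one carrying the BIOS vendor, version, release date and system product the report's Amcache line shows for the analysis VM and one with physical-looking values; the marker list, the constructed serial number and the helper names are assumptions.

```python
"""Parse a RawSMBIOSData buffer and look for hypervisor markers in the BIOS/System strings.

Added example, not code from the sandbox or the sample. The RawSMBIOSData
layout (Used20CallingMethod, SMBIOSMajorVersion, SMBIOSMinorVersion, DmiRevision,
Length, table) is the documented return format of GetSystemFirmwareTable('RSMB');
the marker list and the constructed blobs are assumptions.
"""
import struct

HYPERVISOR_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "bochs", "xen",
                      "parallels", "virtual machine", "hyper-v", "kvm")


def parse_raw_smbios(blob):
    """Split a RawSMBIOSData buffer into its structures (type, handle, formatted area, strings)."""
    _used20, major, minor, _rev, length = struct.unpack_from("<BBBBI", blob, 0)
    table = blob[8:8 + length]
    records, off = [], 0
    while off + 4 <= len(table):
        stype, slen, handle = struct.unpack_from("<BBH", table, off)
        formatted = table[off:off + slen]          # header included, so the spec's offsets apply directly
        cur, strings = off + slen, []
        while True:                                # string set: NUL-terminated strings, then an extra NUL
            end = table.index(b"\0", cur)
            if end == cur:
                cur += 1 if strings else 2         # an empty string set is encoded as two NULs
                break
            strings.append(table[cur:end].decode("latin-1"))
            cur = end + 1
        records.append({"type": stype, "handle": handle, "formatted": formatted, "strings": strings})
        off = cur
        if stype == 127:                           # End-of-Table structure
            break
    return (major, minor), records


def _string(rec, offset):
    """Resolve the 1-based string index stored at a formatted-area offset ('' if absent)."""
    if offset >= len(rec["formatted"]):
        return ""
    idx = rec["formatted"][offset]
    return rec["strings"][idx - 1] if 0 < idx <= len(rec["strings"]) else ""


def firmware_identity(blob):
    """The BIOS/System fields an anti-VM check compares, keyed like the report's Amcache line."""
    _, records = parse_raw_smbios(blob)
    ident = {}
    for rec in records:
        if rec["type"] == 0:                       # Type 0: BIOS Information
            ident.update(BiosVendor=_string(rec, 4), BiosVersion=_string(rec, 5),
                         BiosReleaseDate=_string(rec, 8))
        elif rec["type"] == 1:                     # Type 1: System Information
            ident.update(SystemManufacturer=_string(rec, 4), SystemProduct=_string(rec, 5),
                         SystemFamily=_string(rec, 26))
    return ident


def hypervisor_indicators(ident):
    """Markers found in any identity field; an empty list is what a physical host yields."""
    return sorted({m for value in ident.values() for m in HYPERVISOR_MARKERS if m in value.lower()})


def _structure(stype, handle, formatted, strings):
    """Encode one SMBIOS structure: 4-byte header, formatted area, string set."""
    header = struct.pack("<BBH", stype, 4 + len(formatted), handle)
    strset = (b"".join(s.encode("latin-1") + b"\0" for s in strings) + b"\0") if strings else b"\0\0"
    return header + formatted + strset


def build_raw_smbios(bios_vendor, bios_version, bios_date, manufacturer, product):
    """Constructed RawSMBIOSData blob with a Type 0, a Type 1 and an End-of-Table structure."""
    t0 = _structure(0, 0x0000, bytes([1, 2]) + b"\0\0" + bytes([3]) + bytes(15),
                    [bios_vendor, bios_version, bios_date])           # string indexes: vendor, version, date
    t1 = _structure(1, 0x0001, bytes([1, 2, 3, 4]) + bytes(16) + bytes([6, 0, 0]),
                    [manufacturer, product, "None", "constructed-serial"])  # UUID zeroed, no SKU/family strings
    t127 = _structure(127, 0x0002, b"", [])
    table = t0 + t1 + t127
    return struct.pack("<BBBBI", 0, 2, 7, 0, len(table)) + table       # SMBIOS 2.7 header, then the table


if __name__ == "__main__":
    # Values from the report's Amcache line for the analysis VM (constructed blob, real values).
    vm_blob = build_raw_smbios("VMware, Inc.", "VMW201.00V.20829224.B64.2211211842", "11/21/2022",
                               "VMware, Inc.", "VMware20,1")
    ident = firmware_identity(vm_blob)
    print(ident)
    print("hypervisor markers:", hypervisor_indicators(ident))
```

On a live Windows host the same identity dictionary is what Win32_BIOS (Type 0 fields) and Win32_ComputerSystem (Type 1 fields) return through WMI, which is why a sandbox that only patches the WMI answer but leaves the raw firmware table untouched is still recognised by a check that goes through NtQuerySystemInformation.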
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory strings:
    www.interactivebrokers.co.inVMware20,11696503903~
    Interactive Brokers - EU East & CentralVMware20,11696503903
    tasks.office.comVMware20,11696503903o
    Interactive Brokers - NDCDYNVMware20,11696503903z
    www.interactivebrokers.comVMware20,11696503903}
    trackpan.utiitsl.comVMware20,11696503903h
    Interactive Brokers - HKVMware20,11696503903]
    secure.bankofamerica.comVMware20,11696503903|UE
    Canara Change Transaction PasswordVMware20,11696503903
    turbotax.intuit.comVMware20,11696503903t
    Interactive Brokers - non-EU EuropeVMware20,11696503903
    Interactive Brokers - EU WestVMware20,11696503903n
    Interactive Brokers - GDCDYNVMware20,11696503903p
    outlook.office.comVMware20,11696503903s
    interactivebrokers.co.inVMware20,11696503903d
    dev.azure.comVMware20,11696503903j
    discord.comVMware20,11696503903f
    Test URL for global passwords blocklistVMware20,11696503903
    Canara Change Transaction PasswordVMware20,11696503903^
    microsoft.visualstudio.comVMware20,11696503903x
    bankofamerica.comVMware20,11696503903x
    global block list test formVMware20,11696503903
    ms.portal.azure.comVMware20,11696503903
    interactivebrokers.comVMware20,11696503903
    account.microsoft.com/profileVMware20,11696503903u
    AMC password management pageVMware20,11696503903
    Canara Transaction PasswordVMware20,11696503903}
    Canara Transaction PasswordVMware20,11696503903x
    Interactive Brokers - COM.HKVMware20,11696503903
    outlook.office365.comVMware20,11696503903t
    netportal.hdfcbank.comVMware20,11696503903
Source: Installer64x.exe1.exe, 00000002.00000003.1201272845.0000000003C16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696503903p
Source: Installer64x.exe1.exe, 00000002.00000003.1955884395.0000000001498000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001463000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955526555.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1280871259.000000000148E000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1177955714.000000000148C000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258180324.000000000148E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr | Binary or memory strings:
    VMware
    Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    vmci.sys
    VMware20,1
    Microsoft Hyper-V Generation Counter
    NECVMWar VMware SATA CD00
    VMware Virtual disk SCSI Disk Device
    scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Microsoft Hyper-V Virtualization Infrastructure Driver
    VMware PCI VMCI Bus Device
    VMware VMCI Bus Device
    VMware Virtual RAM
    BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    vmci.inf_amd64_68ed49469341f563
    VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
    VMware Virtual USB Mouse
    vmci.syshbin
    VMware, Inc.
    VMware20,1hbin@
    c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    .Z$c:/windows/system32/drivers/vmci.sys
    :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    c:/windows/system32/drivers/vmci.sys
    scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    vmci.syshbin`
    \driver\vmci,\driver\pci
    scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Three caveats on reading these strings. The Amcache.hve.6.dr entries describe the analysis VM's own hardware (VMware BIOS, VMCI bus, virtual disk, Hyper-V generation counter); they were collected with the WerFault crash report and prove that the environment is virtual, not that the sample inspects it. The sample-side evidence for that is the Win32_BIOS, Win32_VideoController and FirmwareTableInformation queries listed above. The strings from the sample's heap (the 03BE8000 and 03C16000 dumps) are site names and password-manager page titles immediately followed by the host's SMBIOS product string VMware20,1 and a numeric suffix; they are listed here because they contain "VMware", and they read as buffers of collected browser data lying next to system-identification data rather than as hard-coded checks. "Hyper-V RAW" is the name of the Winsock Hyper-V socket provider present on every Windows 10/11 installation and is not a virtualization indicator on its own.
                Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Installer64x.exe1.exe, 00000002.00000003.1201272845.0000000003C16000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeAPI call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A2553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock,0_2_00A2553B
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A8DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A8DC9E
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00AB61B4 mov edi, dword ptr fs:[00000030h]0_2_00AB61B4
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A9B71C GetProcessHeap,0_2_00A9B71C
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A8D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00A8D8E2
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A8DC92 SetUnhandledExceptionFilter,0_2_00A8DC92
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A95DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A95DCE
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A8D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00A8D8E2
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A8DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00A8DC9E
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 2_2_00A95DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00A95DCE

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00AB61B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_00AB61B4
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Memory written: C:\Users\user\Desktop\Installer64x.exe1.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Process created: C:\Users\user\Desktop\Installer64x.exe1.exe "C:\Users\user\Desktop\Installer64x.exe1.exe"
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,0_2_00A9F8B3
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: EnumSystemLocalesW,0_2_00A9B007
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00A9F048
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: EnumSystemLocalesW,0_2_00A9F299
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00A9F334
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,0_2_00A9AB0C
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: EnumSystemLocalesW,0_2_00A9F587
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,0_2_00A9F5E6
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: EnumSystemLocalesW,0_2_00A9F6BB
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00A9F7AD
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,0_2_00A9F706
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,2_2_00A9F8B3
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: EnumSystemLocalesW,2_2_00A9B007
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00A9F048
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: EnumSystemLocalesW,2_2_00A9F299
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00A9F334
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,2_2_00A9AB0C
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: EnumSystemLocalesW,2_2_00A9F587
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,2_2_00A9F5E6
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: EnumSystemLocalesW,2_2_00A9F6BB
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_00A9F7AD
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: GetLocaleInfoW,2_2_00A9F706
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Code function: 0_2_00A8E6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00A8E6D7
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
                Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                Source: Installer64x.exe1.exe, 00000002.00000003.1955884395.0000000001498000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1280915629.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955526555.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1281240791.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1280871259.000000000148E000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: Installer64x.exe1.exe PID: 3588, type: MEMORYSTR
                Source: Yara match | File source: 2.2.Installer64x.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Installer64x.exe1.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.2407790699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Installer64x.exe1.exe, 00000002.00000003.1200459789.00000000014D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets"ez":"Nabox"},{"en":"hcflpincpppdclinealmandijcmnkbgn","ez":"KHC"},{"en":"ookjlbkiijinhpmnjffcofjonbfbga
                Source: Installer64x.exe1.exe, 00000002.00000003.1200459789.00000000014D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\walletsta","z":"Chrome Beta","f":"Google Chrome Beta","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%appdata%\
                Source: Installer64x.exe1.exe, 00000002.00000003.1253178155.000000000151B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Libertytr6kh=
                Source: Installer64x.exe1.exe, 00000002.00000003.1258224493.00000000014E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.j
                Source: Installer64x.exe1.exe, 00000002.00000003.1258224493.00000000014E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","
                Source: Installer64x.exe1.exe, 00000002.00000002.2410434125.000000000151D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3BN
                Source: Installer64x.exe1.exe, 00000002.00000003.1258180324.000000000148E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs.js
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\key4.db
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\logins.json
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cert9.db
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\Installer64x.exe1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeDirectory queried: C:\Users\user\Documents\BUFZSQPCOHJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeDirectory queried: C:\Users\user\Documents\BUFZSQPCOHJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeDirectory queried: C:\Users\user\Documents\DUKNXICOZTJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeDirectory queried: C:\Users\user\Documents\DUKNXICOZTJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeDirectory queried: C:\Users\user\Documents\DUKNXICOZTJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
                Source: C:\Users\user\Desktop\Installer64x.exe1.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
                Source: Yara matchFile source: 00000002.00000003.1224431929.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1258119927.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1251363945.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.1258180324.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Installer64x.exe1.exe PID: 3588, type: MEMORYSTR
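The file-open list above is the kind of evidence a detection engineer turns into a rule: one non-browser process reading Firefox places.sqlite and cookies.sqlite, Chromium "Login Data", "Web Data" and Network\Cookies, dozens of Chromium "Local Extension Settings"/"Sync Extension Settings" directories (the 32-letter directory name is the extension ID), and the data directories of desktop wallets such as Exodus, Electrum and Coinomi. The Python below is an added example written for this page, not code from the report or from Joe Sandbox; it classifies file-access events by the path categories seen in this report and flags a process that touches several categories or many extension stores. The event tuples, the category names, the browser allowlist and the thresholds are this example's own assumptions, and it does not try to identify which wallet extension a given ID belongs to.

```python
import re
from collections import defaultdict
from typing import Optional

# Path rules, matched case-insensitively against the opened path.
# The category labels are this example's own, not the report's.
RULES = [
    ("browser_history_cookies",
     re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:places|cookies)\.sqlite$", re.I)),
    ("browser_history_cookies",
     re.compile(r"\\User Data\\[^\\]+\\Network\\Cookies$", re.I)),
    ("browser_credentials",
     re.compile(r"\\User Data\\[^\\]+\\(?:Login Data|Web Data)$", re.I)),
    # Chromium extension storage; a real extension ID is 32 letters from a-p.
    ("browser_extension_storage",
     re.compile(r"\\User Data\\[^\\]+\\(?:Local|Sync) Extension Settings\\(?P<ext>[a-p]{32})$", re.I)),
    ("desktop_wallet",
     re.compile(r"\\(?:Exodus\\exodus\.wallet|Ledger Live|atomic\\Local Storage\\leveldb"
                r"|Coinomi\\Coinomi\\wallets|Bitcoin\\wallets|Binance|com\.liberty\.jaxx\\IndexedDB"
                r"|Electrum(?:-LTC)?\\wallets|Guarda\\IndexedDB)$", re.I)),
]

# Assumption: these images may legitimately read their own profile data.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def classify(path: str) -> Optional[tuple[str, Optional[str]]]:
    """Return (category, extension_id or None) for a path, or None if no rule matches."""
    for category, rx in RULES:
        m = rx.search(path)
        if m:
            return category, m.groupdict().get("ext")
    return None


def triage(events):
    """events: iterable of (process_image, opened_path).

    Returns {image: {"categories": set, "extension_ids": set, "paths": list}} for
    every process that touched at least one sensitive path. A browser reading
    browser data is dropped as expected activity; everything else is recorded.
    """
    findings = defaultdict(lambda: {"categories": set(), "extension_ids": set(), "paths": []})
    for image, path in events:
        hit = classify(path)
        if hit is None:
            continue
        category, ext_id = hit
        if image.rsplit("\\", 1)[-1].lower() in BROWSER_IMAGES and category.startswith("browser_"):
            continue
        entry = findings[image]
        entry["categories"].add(category)
        if ext_id:
            entry["extension_ids"].add(ext_id.lower())
        entry["paths"].append(path)
    return dict(findings)


def is_stealer_like(finding, min_categories=2, min_extension_ids=3):
    """Assumed thresholds: several data categories, or sweeping many extension stores."""
    return (len(finding["categories"]) >= min_categories
            or len(finding["extension_ids"]) >= min_extension_ids)


# Constructed sample events (process image, opened path); paths follow the report.
STEALER = r"C:\Users\user\Desktop\Installer64x.exe1.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    (STEALER, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite"),
    (STEALER, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig"),
    (STEALER, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (STEALER, r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    (STEALER, r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
    (CHROME, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),  # benign
    (r"C:\Windows\explorer.exe", r"C:\Users\user\Documents\report.docx"),  # no rule matches
]


def run_sample():
    """Return {image: sorted categories} for processes the rule flags."""
    report = triage(SAMPLE_EVENTS)
    return {image: sorted(f["categories"]) for image, f in report.items() if is_stealer_like(f)}


if __name__ == "__main__":
    for image, cats in run_sample().items():
        print(f"{image}: {', '.join(cats)}")
```

The browser allowlist is the weak point of any rule like this: a stealer injected into a browser process, or one that copies the browser binary, would pass it, so in production the image check should be backed by signature or parent-process checks rather than the file name alone.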

                Remote Access Functionality

Source: Yara match, file source: Process Memory Space: Installer64x.exe1.exe PID: 3588, type: MEMORYSTR
Source: Yara match, file source: 2.2.Installer64x.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.2.Installer64x.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000002.00000002.2407790699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed per tactic. The number in parentheses is the count badge the report shows on that cell; techniques without one carry no badge in the report.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (12); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (211); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (22); Process Injection (211); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (2); DLL Side-Loading (1); Compile After Delivery
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (251); Virtualization/Sandbox Evasion (22); Process Discovery (1); Application Window Discovery (1); File and Directory Discovery (11); System Information Discovery (33)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Screen Capture (1); Archive Collected Data (1); Data from Local System (31); Clipboard Data (3); Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (21); Ingress Tool Transfer (11); Non-Application Layer Protocol (3); Application Layer Protocol (124); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
                This section contains all screenshots as thumbnails, including those not shown in the slideshow.